Multi-path exploration guided by taint and probability against evasive malware

Authors:

Xu Fangzhou, Zhang Wang, Qiang Weizhong, Jin Hai

Abstract

Static analysis is often impeded by malware obfuscation techniques such as encryption and packing, whereas dynamic analysis is more resistant to obfuscation because it works from concrete execution information. Unfortunately, malware can employ evasive techniques to detect the analysis environment and alter its behavior accordingly. Known evasive techniques can be dismantled explicitly; the challenge is to dismantle evasions generically, without full knowledge of their conditions or implementations (for example, logic bombs that depend on uncertain conditions), let alone unsupported evasive techniques, i.e. evasions for which no dismantling strategy exists and evasions built on unknown implementations. In this paper, we present Antitoxin, a prototype for automatically exploring evasive malware. Antitoxin uses multi-path exploration guided by taint analysis and probability calculations to dismantle evasive techniques. The probability of each branch outcome is derived from dynamic coverage, while taint analysis identifies the paths associated with evasive techniques that rely on uncertain conditions. Antitoxin then prioritizes branches with lower execution probability and branches flagged by taint analysis for multi-path exploration, which it carries out through forced execution: the outcomes of branches on the selected paths are set forcibly. In addition, Antitoxin applies active anti-evasion countermeasures to dismantle known evasive techniques, which reduces exploration overhead, and it reports the sensitive behaviors it observes to support deeper manual analysis. Our experiments on a set of highly evasive samples show that Antitoxin dismantles evasive techniques in a generic manner.

The probability calculations guide the multi-path exploration of evasions without requiring prior knowledge of their conditions or implementations, which makes it possible to dismantle unsupported techniques such as C2-gated behavior and, for complex control flows, is significantly more efficient than linear exploration. Taint analysis, in turn, accurately identifies the branches related to logic bombs, so they can be explored preferentially.
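The following is an added example and not code from the Antitoxin paper or its authors. It models the exploration strategy the abstract describes on a toy sample: branch-outcome probabilities are seeded from natural sandbox runs, taint-flagged branches are promoted, the anti-debug check is treated as a known technique handled by an active countermeasure (so it is never forced), and the top-ranked outcome is forced on each round with the new trace folded back into coverage so newly reached branches become candidates. The sample program, branch addresses, coverage runs, taint results, the scoring formula and the path-prefix forcing are all constructed assumptions for illustration.

```python
"""Added example (not the Antitoxin paper's code): a toy model of
probability- and taint-guided branch prioritisation with forced execution.
Sample program, addresses, coverage runs, taint results and scoring are
constructed assumptions for illustration."""
from dataclasses import dataclass


@dataclass
class Branch:
    addr: int
    taken: int = 0          # times the conditional jump was observed taken
    not_taken: int = 0      # times it was observed falling through
    tainted: bool = False   # condition depends on an uncertain source (taint result)


def run_sample(env, forced=None):
    """Constructed evasive sample: three checks gate the payload. `forced` maps a
    branch address to the outcome ("taken"/"not_taken") imposed by forced execution."""
    forced = forced or {}
    trace = []

    def branch(addr, cond):
        natural = "taken" if cond else "not_taken"
        outcome = forced.get(addr, natural)
        trace.append((addr, outcome))
        return outcome == "taken"

    if branch(0x401000, env["debugger"]):              # known anti-debug check
        return trace, "exit_clean"
    if not branch(0x401020, env["day"] >= 25):         # logic bomb keyed on the date
        return trace, "sleep"
    if not branch(0x401040, env["c2_reply"] == "go"):  # C2 gate, protocol unknown
        return trace, "beacon_only"
    return trace, "payload"


# Assumed analysis results: taint flags the date check (condition derived from a
# time source); the anti-debug check is a known technique dismantled by an active
# countermeasure (debugger hidden), so it is excluded from forced exploration.
TAINTED = {0x401020}
COUNTERED = {0x401000}

# Constructed sandbox runs: debugger hidden, no live C2, three ordinary dates.
COVERAGE_ENVS = [{"debugger": False, "day": d, "c2_reply": ""} for d in (3, 10, 17)]
SANDBOX_ENV = {"debugger": False, "day": 10, "c2_reply": ""}


def update_coverage(branches, trace):
    for addr, outcome in trace:
        b = branches.setdefault(addr, Branch(addr, tainted=addr in TAINTED))
        if outcome == "taken":
            b.taken += 1
        else:
            b.not_taken += 1


def branch_probabilities(b):
    """Execution probability of (taken, not_taken) from dynamic coverage."""
    total = b.taken + b.not_taken
    if total == 0:
        return 0.5, 0.5
    return b.taken / total, b.not_taken / total


def prioritize(branches, taint_bonus=1.0):
    """Rank outcomes: lowest probability first, tainted branches promoted by
    `taint_bonus`. Outcomes always observed (p == 1) need no forcing."""
    cands = []
    for b in branches.values():
        if b.addr in COUNTERED:
            continue
        p_taken, p_not = branch_probabilities(b)
        for outcome, p in (("taken", p_taken), ("not_taken", p_not)):
            if p < 1.0:
                cands.append((b.addr, outcome, (1.0 - p) + (taint_bonus if b.tainted else 0.0)))
    cands.sort(key=lambda c: (-c[2], c[0]))
    return cands


def explore(coverage_envs, sandbox_env, max_rounds=8):
    """Seed probabilities from natural runs, then repeatedly force the top-ranked
    outcome, re-run, and fold the trace back into coverage."""
    branches, behaviours = {}, set()
    for env in coverage_envs:
        trace, behaviour = run_sample(env)
        update_coverage(branches, trace)
        behaviours.add(behaviour)
    forced, schedule = {}, []
    for _ in range(max_rounds):
        cands = [c for c in prioritize(branches) if c[0] not in forced]
        if not cands:
            break
        addr, outcome, _ = cands[0]
        forced[addr] = outcome   # keep earlier forced outcomes: explore the path prefix
        schedule.append((addr, outcome))
        trace, behaviour = run_sample(sandbox_env, forced)
        update_coverage(branches, trace)
        behaviours.add(behaviour)
    return schedule, behaviours


if __name__ == "__main__":
    sched, seen = explore(COVERAGE_ENVS, SANDBOX_ENV)
    print("forced:", [(hex(a), o) for a, o in sched])
    print("behaviours reached:", sorted(seen))
```

With the constructed runs, the date check is forced first (probability 0 of being taken plus the taint bonus), which exposes the C2 gate that natural runs never reached; that gate is forced on the next round and the payload path is reached without any knowledge of the C2 protocol, while the anti-debug check never costs an exploration round. The scoring formula is a simple illustration of the ranking idea, not the paper's own weighting.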

Funder

National Natural Science Foundation of China

Publisher

EDP Sciences

