TY - GEN
T1 - Noninvasive detection of anti-forensic malware
AU - Guri, Mordehai
AU - Kedma, Gabi
AU - Sela, Tom
AU - Carmeli, Buky
AU - Rosner, Amit
AU - Elovici, Yuval
PY - 2013/1/1
Y1 - 2013/1/1
N2 - Modern malicious programs often escape dynamic analysis, by detecting forensic instrumentation within their own runtime environment. This has become a major challenge for malware researchers and analysts. Current defensive analysis of anti-forensic malware often requires painstaking step-by-step manual inspection. Code obfuscation may further complicate proper analysis. Furthermore, current defensive countermeasures are usually effective only against anti-forensic techniques which have already been identified. In this paper we propose a new method to detect and classify anti-forensic behavior, by comparing the trace-logs of the suspect program between different environments. Unlike previous works, the presented method is essentially noninvasive (does not interfere with original program flow). We separately trace the flow of instructions (Opcode) and the flow of Input-Output operations (IO). The two dimensions (Opcode and IO) complement each other to provide reliable classification. Our method can identify split behavior of suspected programs without prior knowledge of any specific anti-forensic technique; furthermore, it relieves the malware analyst from tedious step-by-step inspection. Those features are critical in the modern Cyber arena, where rootkits and Advanced Persistent Threats (APTs) are constantly adopting new sophisticated anti-forensic techniques to deceive analysis.
AB - Modern malicious programs often escape dynamic analysis, by detecting forensic instrumentation within their own runtime environment. This has become a major challenge for malware researchers and analysts. Current defensive analysis of anti-forensic malware often requires painstaking step-by-step manual inspection. Code obfuscation may further complicate proper analysis. Furthermore, current defensive countermeasures are usually effective only against anti-forensic techniques which have already been identified. In this paper we propose a new method to detect and classify anti-forensic behavior, by comparing the trace-logs of the suspect program between different environments. Unlike previous works, the presented method is essentially noninvasive (does not interfere with original program flow). We separately trace the flow of instructions (Opcode) and the flow of Input-Output operations (IO). The two dimensions (Opcode and IO) complement each other to provide reliable classification. Our method can identify split behavior of suspected programs without prior knowledge of any specific anti-forensic technique; furthermore, it relieves the malware analyst from tedious step-by-step inspection. Those features are critical in the modern Cyber arena, where rootkits and Advanced Persistent Threats (APTs) are constantly adopting new sophisticated anti-forensic techniques to deceive analysis.
UR - http://www.scopus.com/inward/record.url?scp=84893735502&partnerID=8YFLogxK
U2 - 10.1109/MALWARE.2013.6703679
DO - 10.1109/MALWARE.2013.6703679
M3 - Conference contribution
AN - SCOPUS:84893735502
SN - 9781479925339
T3 - Proceedings of the 2013 8th International Conference on Malicious and Unwanted Software: "The Americas", MALWARE 2013
SP - 1
EP - 10
BT - Proceedings of the 2013 8th International Conference on Malicious and Unwanted Software
PB - Institute of Electrical and Electronics Engineers
T2 - 2013 8th International Conference on Malicious and Unwanted Software: "The Americas", MALWARE 2013
Y2 - 22 October 2013 through 24 October 2013
ER -