A Systematical and longitudinal study of evasive behaviors in windows malware

Nicola Galloro, Mario Polino*, Michele Carminati, Andrea Continella, Stefano Zanero

*Corresponding author for this work

Research output: Contribution to journalArticleAcademicpeer-review

Abstract

Malware is one of the prevalent security threats. Sandboxes and, more generally, instrumented environments play a crucial role in dynamically analyzing malware samples, providing key threat intelligence results and critical information to update detection mechanisms. In this paper, we study the evasive behaviors employed by malware authors to hide the malicious activity of samples and hinder security analysis. First, we collect and systematize 92 evasive techniques leveraged by Windows malware to detect and thwart instrumented environments (e.g., debuggers and virtual machines). Then, we implement a framework for evasion analysis of x86 binaries and analyze 45,375 malware samples observed in the wild between 2010 and 2019; we compare this analysis against popular, legitimate Windows programs to study the intrinsic characteristics of such evasive behaviors. Based on the results of our experiments, we present statistics about the adoption of evasive techniques and their evolution over time. We show that over the past 10 years, the prevalence of evasive malware samples had a slight increase (12%). Moreover, the employed techniques shifted significantly over time. We also identify techniques that are specific to malware, as opposed to being employed by both malicious and legitimate software. Finally, we study how the security community reacts to the deployment of new evasive techniques. Overall, our results empirically address open research questions and provide insights and directions for future research.

Original languageEnglish
Article number102550
JournalComputers & Security
Volume113
Early online date21 Nov 2021
DOIs
Publication statusPublished - Feb 2022

Keywords

  • Cybersecurity

Fingerprint

Dive into the research topics of 'A Systematical and longitudinal study of evasive behaviors in windows malware'. Together they form a unique fingerprint.

Cite this