Measuring and defeating anti-instrumentation-equipped malware

Mario Polino; Andrea Continella; Sebastiano Mariani; Stefano D’Alessio; Lorenzo Fontana; Fabio Gritti; Stefano Zanero

doi:10.1007/978-3-319-60876-1_4

Measuring and defeating anti-instrumentation-equipped malware

Mario Polino^*, Andrea Continella, Sebastiano Mariani, Stefano D’Alessio, Lorenzo Fontana, Fabio Gritti, Stefano Zanero

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

34 Citations (Scopus)

Abstract

Malware authors constantly develop new techniques in order to evade analysis systems. Previous works addressed attempts to evade analysis by means of anti-sandboxing and anti-virtualization techniques, for example proposing to run samples on bare-metal. However, state-of the- art bare-metal tools fail to provide richness and completeness in the results of the analysis. In this context, Dynamic Binary Instrumentation (DBI) tools have become popular in the analysis of new malware samples because of the deep control they guarantee over the instrumented binary. As a consequence, malware authors developed new techniques, called anti-instrumentation, aimed at detecting if a sample is being instrumented. We propose a practical approach to make DBI frameworks more stealthy and resilient against anti-instrumentation attacks. We studied the common techniques used by malware to detect the presence of a DBI tool, and we proposed a set of countermeasures to address them. We implemented our approach in Arancino, on top of the Intel Pin framework. Armed with it, we perform the first large-scale measurement of the anti-instrumentation techniques employed by modern malware. Finally, we leveraged our tool to implement a generic unpacker, showing some case studies of the anti-instrumentation techniques used by known packers.

Original language	English
Title of host publication	Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017
Editors	Michalis Polychronakis, Michael Meier
Publisher	Springer
Pages	73-96
Number of pages	24
ISBN (Electronic)	978-3-319-60876-1
ISBN (Print)	978-3-319-60875-4
DOIs	https://doi.org/10.1007/978-3-319-60876-1_4
Publication status	Published - 1 Jan 2017
Externally published	Yes
Event	14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017 - Bonn, Germany Duration: 6 Jul 2017 → 7 Jul 2017 Conference number: 14

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10327 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017
Abbreviated title	DIMVA 2017
Country/Territory	Germany
City	Bonn
Period	6/07/17 → 7/07/17

Access to Document

10.1007/978-3-319-60876-1_4

Cite this

Polino, M., Continella, A., Mariani, S., D’Alessio, S., Fontana, L., Gritti, F., & Zanero, S. (2017). Measuring and defeating anti-instrumentation-equipped malware. In M. Polychronakis, & M. Meier (Eds.), Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017 (pp. 73-96). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10327 LNCS). Springer. https://doi.org/10.1007/978-3-319-60876-1_4

Polino, Mario ; Continella, Andrea ; Mariani, Sebastiano et al. / Measuring and defeating anti-instrumentation-equipped malware. Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. editor / Michalis Polychronakis ; Michael Meier. Springer, 2017. pp. 73-96 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{1ad5918151ad405b87a0469e267eac06,

title = "Measuring and defeating anti-instrumentation-equipped malware",

abstract = "Malware authors constantly develop new techniques in order to evade analysis systems. Previous works addressed attempts to evade analysis by means of anti-sandboxing and anti-virtualization techniques, for example proposing to run samples on bare-metal. However, state-of the- art bare-metal tools fail to provide richness and completeness in the results of the analysis. In this context, Dynamic Binary Instrumentation (DBI) tools have become popular in the analysis of new malware samples because of the deep control they guarantee over the instrumented binary. As a consequence, malware authors developed new techniques, called anti-instrumentation, aimed at detecting if a sample is being instrumented. We propose a practical approach to make DBI frameworks more stealthy and resilient against anti-instrumentation attacks. We studied the common techniques used by malware to detect the presence of a DBI tool, and we proposed a set of countermeasures to address them. We implemented our approach in Arancino, on top of the Intel Pin framework. Armed with it, we perform the first large-scale measurement of the anti-instrumentation techniques employed by modern malware. Finally, we leveraged our tool to implement a generic unpacker, showing some case studies of the anti-instrumentation techniques used by known packers.",

author = "Mario Polino and Andrea Continella and Sebastiano Mariani and Stefano D{\textquoteright}Alessio and Lorenzo Fontana and Fabio Gritti and Stefano Zanero",

year = "2017",

month = jan,

day = "1",

doi = "10.1007/978-3-319-60876-1_4",

language = "English",

isbn = "978-3-319-60875-4",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "73--96",

editor = "Michalis Polychronakis and Michael Meier",

booktitle = "Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017",

address = "Germany",

note = "14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017, DIMVA 2017 ; Conference date: 06-07-2017 Through 07-07-2017",

}

Polino, M, Continella, A, Mariani, S, D’Alessio, S, Fontana, L, Gritti, F & Zanero, S 2017, Measuring and defeating anti-instrumentation-equipped malware. in M Polychronakis & M Meier (eds), Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10327 LNCS, Springer, pp. 73-96, 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017, Bonn, Germany, 6/07/17. https://doi.org/10.1007/978-3-319-60876-1_4

Measuring and defeating anti-instrumentation-equipped malware. / Polino, Mario; Continella, Andrea; Mariani, Sebastiano et al.
Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. ed. / Michalis Polychronakis; Michael Meier. Springer, 2017. p. 73-96 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10327 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Measuring and defeating anti-instrumentation-equipped malware

AU - Polino, Mario

AU - Continella, Andrea

AU - Mariani, Sebastiano

AU - D’Alessio, Stefano

AU - Fontana, Lorenzo

AU - Gritti, Fabio

AU - Zanero, Stefano

N1 - Conference code: 14

PY - 2017/1/1

Y1 - 2017/1/1

N2 - Malware authors constantly develop new techniques in order to evade analysis systems. Previous works addressed attempts to evade analysis by means of anti-sandboxing and anti-virtualization techniques, for example proposing to run samples on bare-metal. However, state-of the- art bare-metal tools fail to provide richness and completeness in the results of the analysis. In this context, Dynamic Binary Instrumentation (DBI) tools have become popular in the analysis of new malware samples because of the deep control they guarantee over the instrumented binary. As a consequence, malware authors developed new techniques, called anti-instrumentation, aimed at detecting if a sample is being instrumented. We propose a practical approach to make DBI frameworks more stealthy and resilient against anti-instrumentation attacks. We studied the common techniques used by malware to detect the presence of a DBI tool, and we proposed a set of countermeasures to address them. We implemented our approach in Arancino, on top of the Intel Pin framework. Armed with it, we perform the first large-scale measurement of the anti-instrumentation techniques employed by modern malware. Finally, we leveraged our tool to implement a generic unpacker, showing some case studies of the anti-instrumentation techniques used by known packers.

AB - Malware authors constantly develop new techniques in order to evade analysis systems. Previous works addressed attempts to evade analysis by means of anti-sandboxing and anti-virtualization techniques, for example proposing to run samples on bare-metal. However, state-of the- art bare-metal tools fail to provide richness and completeness in the results of the analysis. In this context, Dynamic Binary Instrumentation (DBI) tools have become popular in the analysis of new malware samples because of the deep control they guarantee over the instrumented binary. As a consequence, malware authors developed new techniques, called anti-instrumentation, aimed at detecting if a sample is being instrumented. We propose a practical approach to make DBI frameworks more stealthy and resilient against anti-instrumentation attacks. We studied the common techniques used by malware to detect the presence of a DBI tool, and we proposed a set of countermeasures to address them. We implemented our approach in Arancino, on top of the Intel Pin framework. Armed with it, we perform the first large-scale measurement of the anti-instrumentation techniques employed by modern malware. Finally, we leveraged our tool to implement a generic unpacker, showing some case studies of the anti-instrumentation techniques used by known packers.

UR - http://www.scopus.com/inward/record.url?scp=85022326489&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-60876-1_4

DO - 10.1007/978-3-319-60876-1_4

M3 - Conference contribution

AN - SCOPUS:85022326489

SN - 978-3-319-60875-4

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 73

EP - 96

BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017

A2 - Polychronakis, Michalis

A2 - Meier, Michael

PB - Springer

T2 - 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017

Y2 - 6 July 2017 through 7 July 2017

ER -

Polino M, Continella A, Mariani S, D’Alessio S, Fontana L, Gritti F et al. Measuring and defeating anti-instrumentation-equipped malware. In Polychronakis M, Meier M, editors, Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. Springer. 2017. p. 73-96. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-60876-1_4

Measuring and defeating anti-instrumentation-equipped malware

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this