Enviral: Fuzzing the Environment for Evasive Malware Analysis

Authors: Floris Gorter, Cristiano Giuffrida, Erik van der Kouwe
Contributors: Computer Systems, Network Institute, Systems and Network Security
Year of publication: 2023
Subject:
Source: EUROSEC 2023: Proceedings of the 2023 European Workshop on System Security, 8-14
Gorter, F., Giuffrida, C. & van der Kouwe, E. 2023, Enviral: Fuzzing the Environment for Evasive Malware Analysis. In EUROSEC 2023: Proceedings of the 2023 European Workshop on System Security. Association for Computing Machinery, Inc., pp. 8-14, 16th European Workshop on Systems Security, EUROSEC 2023, Rome, Italy, 8 May 2023. https://doi.org/10.1145/3578357.3589455
DOI: 10.1145/3578357.3589455
Abstract: Analyzing malicious behavior is vital to effectively safeguard computer systems against malware. However, contemporary malware frequently contains evasive behavior, which allows it to hide its malicious intent from analysis. More specifically, if the malware detects that it is being executed in an analysis environment, it resorts to evasive routines that exhibit benign behavior. Manually deactivating evasive checks requires significant effort and is therefore not a scalable technique with regard to the increasing amount of evasive malware. Unfortunately, the existing systems that automatically analyze evasive malware are impractical, computationally inefficient, or incomplete by design. In this paper, we introduce Enviral, an automatic evasive malware analysis framework that proposes a novel method to analyze evasive malware, combining the best elements of existing approaches. We achieve this by applying fuzzing techniques to repeatedly adapt the view of the execution environment, thereby iteratively defeating the evasive checks in the target application. We realize these adaptations by applying mutations to the outcomes of environment queries, which in turn leads to the exploration of multiple execution paths. Our experimental results demonstrate that Enviral can detect and overcome evasive behavior and thereby exposes previously hidden activity in malware. We evaluate our system against a similar framework and conclude that Enviral can expose 39% more interesting hidden system call activity on average, and achieves productive explorations, where previously unseen behavior is discovered, in 67% more malware samples.
Database: OpenAIRE