
On the Dissection of Evasive Malware

D'Elia, DC; Coppa, E; Palmaro, F; Cavallaro, L; (2020) On the Dissection of Evasive Malware. IEEE Transactions on Information Forensics and Security, 15, pp. 2750-2765. doi:10.1109/TIFS.2020.2976559. Green open access.



Complex malware samples feature measures to impede automatic and manual analysis, making their investigation cumbersome. While automatic characterization of malware benefits from recently proposed designs for passive monitoring, the subsequent dissection process still sees human analysts struggling with adversarial behaviors, many of which closely resemble those studied for automatic systems. This gap affects the day-to-day analysis of complex samples, and researchers have not yet attempted to bridge it. We make a first step down this road by proposing a design that reconciles the transparency requirements of stealthy monitoring with the manipulation capabilities required for dissection. Our open-source prototype BluePill (i) offers a customizable execution environment that remains stealthy when analysts intervene to alter instructions and data or to run third-party tools, (ii) is extensible, so that newly encountered anti-analysis measures can be countered using insights gained during dissection, and (iii) can accommodate program analyses that aid analysts, as we explore for taint analysis. On a set of highly evasive samples, BluePill proved as stealthy as commercial sandboxes while offering new intervention and customization capabilities for dissection.
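As an added illustration of the kind of "red pill" the abstract and keywords refer to, the following is example code written for this page; it is not code from the paper and not part of BluePill. It implements three classic CPU-level checks an evasive sample can run to decide whether it is being watched: the CPUID hypervisor-present bit, the hypervisor vendor leaf, and the cost of CPUID measured with RDTSC. The 1000-cycle threshold, the list of vendor strings and the choice of these particular pills are assumptions of this example; the page does not state which anti-analysis measures the paper's samples use.

```c
/* Added example, not from the paper or BluePill: three classic x86 red pills.
 * Builds with gcc/clang on x86; on other architectures every check reports -1/0. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Red pill 1: CPUID leaf 1, ECX bit 31 is reserved on bare metal and set by
 * most hypervisors. Returns 1 if set, 0 if clear, -1 when not on x86. */
int hypervisor_bit_set(void) {
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return -1;
    return (int)((ecx >> 31) & 1u);
#else
    return -1;
#endif
}

/* Red pill 2: when the hypervisor bit is set, leaf 0x40000000 returns a 12-byte
 * vendor signature in EBX:ECX:EDX. Copies it (NUL-terminated) into out[13].
 * Returns 0 on success, -1 when not on x86. The list of signatures below is an
 * assumption of this example, not something the page states. */
int hypervisor_vendor(char out[13]) {
    memset(out, 0, 13);
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    return 0;
#else
    return -1;
#endif
}

/* 1 = a well-known hypervisor signature was found, 0 = none, -1 = not on x86. */
int hypervisor_vendor_known(void) {
    static const char *known[] = {
        "KVMKVMKVM", "VMwareVMware", "Microsoft Hv", "XenVMMXenVMM", "VBoxVBoxVBox"
    };
    char vendor[13];
    if (hypervisor_bit_set() != 1) return hypervisor_bit_set();  /* 0 or -1 */
    if (hypervisor_vendor(vendor) != 0) return -1;
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strncmp(vendor, known[i], strlen(known[i])) == 0) return 1;
    return 0;
}

/* Red pill 3: CPUID forces a VM exit under hardware virtualization, and any
 * code under a dynamic binary instrumentation tool runs slower, so the cost of
 * CPUID in RDTSC cycles separates bare metal from a watched environment.
 * Returns the median over `samples` runs (median resists interrupts and
 * scheduling noise), or 0 when not on x86. */
static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

uint64_t cpuid_median_cycles(int samples) {
#if HAVE_X86
    uint64_t t[4096];
    if (samples < 1 || samples > 4096) samples = 64;
    for (int i = 0; i < samples; i++) {
        unsigned int a, b, c, d;
        uint64_t start = __rdtsc();
        __cpuid(0, a, b, c, d);
        t[i] = __rdtsc() - start;
    }
    qsort(t, (size_t)samples, sizeof t[0], cmp_u64);
    return t[samples / 2];
#else
    (void)samples;
    return 0;
#endif
}

/* The decision a sample would make. The threshold is a parameter so the policy
 * can be tested independently of the host; 1000 cycles is an assumed value. */
int looks_instrumented(uint64_t median_cycles, uint64_t threshold) {
    return median_cycles > threshold;
}

int main(void) {
    char vendor[13];
    int hv = hypervisor_bit_set();
    uint64_t cyc = cpuid_median_cycles(64);
    printf("hypervisor bit: %d\n", hv);
    if (hv == 1 && hypervisor_vendor(vendor) == 0)
        printf("vendor leaf: \"%s\" (known: %d)\n", vendor, hypervisor_vendor_known());
    printf("median CPUID cost: %llu cycles -> %s\n", (unsigned long long)cyc,
           looks_instrumented(cyc, 1000) ? "likely virtualized or instrumented"
                                         : "likely bare metal");
    return 0;
}
```

The practitioner's caveat: the first two pills are defeated by faking CPUID results, which a hypervisor-based sandbox can do, but the timing pill also fires under a dynamic binary instrumentation tool on bare metal, because the instrumented copy of the code runs slower than the original. That is the kind of artifact a design like the one described in the abstract has to conceal while the analyst is simultaneously patching instructions and data.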

Type: Article
Title: On the Dissection of Evasive Malware
Open access status: An open access version is available from UCL Discovery
DOI: 10.1109/TIFS.2020.2976559
Publisher version: https://doi.org/10.1109/TIFS.2020.2976559
Language: English
Additional information: This version is the author accepted manuscript. For information on re-use, please refer to the publisher's terms and conditions.
Keywords: Malware analysis, evasion, dissection, red pill, dynamic binary instrumentation, reverse engineering, sandbox
UCL classification: UCL
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science
URI: https://discovery.ucl.ac.uk/id/eprint/10133173
