Automated dynamic malware analysis is a common approach for detecting malicious software. However, many malware samples identify the presence of the analysis environment and evade detection by not performing any malicious activity. Recently, an approach to the automated detection of such evasive malware was proposed. In this approach, a malware sample is analyzed in multiple analysis environments, including a bare-metal environment, and its various behaviors are compared. Malware whose behavior deviates substantially is identified as evasive malware. However, a malware analyst still needs to re-analyze the identified evasive sample to understand the technique used for evasion. Different tools are available to help malware analysts in this process. However, these tools in practice require considerable manual input along with auxiliary information. This manual process is resource-intensive and not scalable. In this paper, we present MalGene, an automated technique for extracting analysis evasion signatures. MalGene leverages algorithms borrowed from bioinformatics to automatically locate evasive behavior in system call sequences. Data flow analysis and data mining techniques are used to identify call events and data comparison events used to perform the evasion. These events are used to construct a succinct evasion signature, which can be used by an analyst to quickly understand evasions. Finally, evasive malware samples are clustered based on their underlying evasive techniques. We evaluated our techniques on 2810 evasive samples. We were able to automatically extract their analysis evasion signatures and group them into 78 similar evasion techniques.
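As an added illustration of the idea in the abstract (this is not MalGene's own code, and the paper's actual algorithms, scoring and data-flow analysis are not reproduced here), the Python below aligns two constructed system-call traces of the same sample, one from a sandbox and one from bare metal, with Needleman-Wunsch global alignment, the classic bioinformatics sequence-alignment algorithm. The last shared call in the alignment marks where the two executions stop re-converging; gaps before it are treated as run-to-run noise, and everything after it is the environment-specific tail. The "last shared call whose NTSTATUS differed" rule used to nominate the comparison event is a simplified stand-in for the data-flow and data-mining step, and the traces, registry path, file names and scoring constants are all assumptions.

```python
"""Added example (not MalGene's code): align sandbox and bare-metal
system-call traces to locate the divergence point and nominate the
call whose outcome the sample appears to have branched on."""

from typing import Dict, List, Optional, Tuple

# Event = (system call, selected argument, NTSTATUS returned).
Event = Tuple[str, str, int]
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034

# Constructed traces (assumption). In the sandbox the VirtualBox registry
# key exists, the sample sees it and exits; on bare metal the key is absent
# and the sample drops and runs its payload. NtQuerySystemTime is ordinary
# run-to-run jitter, not evasion.
SANDBOX: List[Event] = [
    ("NtOpenKey", r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions", 0x0),
    ("NtClose", "", 0x0),
    ("NtDelayExecution", "", 0x0),
    ("NtTerminateProcess", "", 0x0),
]
BAREMETAL: List[Event] = [
    ("NtQuerySystemTime", "", 0x0),
    ("NtOpenKey", r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
     STATUS_OBJECT_NAME_NOT_FOUND),
    ("NtCreateFile", r"C:\Users\Public\svchost.exe", 0x0),
    ("NtWriteFile", "", 0x0),
    ("NtCreateUserProcess", r"C:\Users\Public\svchost.exe", 0x0),
]

MATCH, MISMATCH, GAP = 1, -1, -1          # illustrative scoring (assumption)
Column = Tuple[Optional[int], Optional[int]]  # (index into a, index into b); None = gap


def align(a: List[str], b: List[str]) -> List[Column]:
    """Needleman-Wunsch global alignment of two call-name sequences.
    Returns the alignment as index pairs; None marks a gap."""
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * GAP
    for j in range(1, m + 1):
        score[0][j] = j * GAP
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            score[i][j] = max(score[i - 1][j - 1] + sub,
                              score[i - 1][j] + GAP,
                              score[i][j - 1] + GAP)
    # Trace back from the bottom-right corner, preferring substitutions.
    cols: List[Column] = []
    i, j = n, m
    while i > 0 or j > 0:
        if i > 0 and j > 0:
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            if score[i][j] == score[i - 1][j - 1] + sub:
                cols.append((i - 1, j - 1))
                i, j = i - 1, j - 1
                continue
        if i > 0 and score[i][j] == score[i - 1][j] + GAP:
            cols.append((i - 1, None))
            i -= 1
        else:
            cols.append((None, j - 1))
            j -= 1
    cols.reverse()
    return cols


def locate_divergence(sandbox: List[Event], baremetal: List[Event]) -> Dict:
    """Find where the two runs stop sharing behaviour and which shared call
    produced a different result in each environment."""
    cols = align([e[0] for e in sandbox], [e[0] for e in baremetal])
    matched = [k for k, (i, j) in enumerate(cols)
               if i is not None and j is not None and sandbox[i][0] == baremetal[j][0]]
    last = matched[-1] if matched else -1
    # Gaps before the last shared call are noise, not the evasion point.
    noise = [cols[k] for k in range(last) if None in cols[k]]
    # Heuristic comparison event: last shared call whose status differed.
    check = None
    for k in reversed(matched):
        i, j = cols[k]
        if sandbox[i][2] != baremetal[j][2]:
            check = {"call": sandbox[i][0], "arg": sandbox[i][1],
                     "sandbox_status": sandbox[i][2],
                     "baremetal_status": baremetal[j][2]}
            break
    return {
        "check": check,
        "noise": [(None if i is None else sandbox[i][0],
                   None if j is None else baremetal[j][0]) for i, j in noise],
        "sandbox_tail": [sandbox[i][0] for i, _ in cols[last + 1:] if i is not None],
        "baremetal_tail": [baremetal[j][0] for _, j in cols[last + 1:] if j is not None],
    }


if __name__ == "__main__":
    for key, value in locate_divergence(SANDBOX, BAREMETAL).items():
        print(f"{key}: {value}")
```

On the constructed traces this reports NtOpenKey on the VirtualBox key as the comparison event (success in the sandbox, STATUS_OBJECT_NAME_NOT_FOUND on bare metal), flags the stray NtQuerySystemTime as noise, and separates the sandbox tail (close, sleep, exit) from the bare-metal tail (drop and execute). Real traces are far longer and repetitive, which is why alignment rather than a plain common-prefix comparison is needed, and why a single differing status is only a candidate that the data-flow step in the paper would have to confirm.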
@inproceedings{Kirat2015MalGene_Automatic,
  title     = {{MalGene: Automatic Extraction of Malware Analysis Evasion Signature}},
  author    = {Kirat, Dhilung and Vigna, Giovanni},
  booktitle = {Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security},
  series    = {CCS '15},
  year      = {2015},
  address   = {New York, NY, USA},
  doi       = {10.1145/2810103.2813642},
  isbn      = {978-1-4503-3832-5},
  pages     = {769--780},
  publisher = {ACM},
  url       = {https://doi.org/10.1145/2810103.2813642}
}