Analysis of evasive behavior against a sandbox
MORABITO, NICHOLAS
2022/2023
Abstract
The proliferation of malware is a significant and ongoing issue on a global scale. Malware developers' increased focus on financial gain, combined with the rapid digitization of businesses, has opened a new avenue for cybercriminals. In response to this threat, antimalware software was developed in the late 1980s and early 1990s, and it remains one of the most widely used defenses today. All of these products perform so-called signature-based analysis, comparing the files being scanned against a database of known malicious files. While effective against known malware, signature-based analysis is insufficient against unknown or more sophisticated malware, which led to the development of techniques for observing a program's behavior without harming the system. The inclusion of sandboxes or virtualized environments in antimalware software, either locally or remotely, has allowed these products to run malware safely while collecting valuable information about its behavior. However, these environments often leave artifacts that malware can use to detect that it is being executed in a virtual environment, leading attackers to strengthen their malware with what are known as evasive techniques: checks that are used to avoid detection before the malicious payload is executed. To counter this, antimalware vendors implement anti-evasion techniques to detect and nullify evasion attempts. In this thesis, we analyze how common it is for a free antimalware solution to offer this kind of analysis and how effective such solutions are at defeating evasion attempts. To obtain this result, we tested more than 130 evasive techniques used in a previous work on public sandboxes and debuggers. We used, and modified for our purpose, the same tool from that work, which allows us to apply these techniques to a malware sample of our choice; in this way we can directly measure the effectiveness of each technique against these products.

Our results show how many free antimalware products offer behavioral analysis in a virtualized environment or sandbox, the current strength of free antimalware solutions in detecting evasion attempts, and how some evasive techniques are more useful than others against such products.
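The two kinds of evasive check the abstract refers to, artifact lookups (MAC prefix, guest-tools drivers, CPUID hypervisor string, BIOS vendor, undersized resources, short uptime) and a timing probe for patched-out sleeps, as an added Python illustration. This is not code from the thesis or from the evasion tool it used; the OUI, driver-file and hypervisor-id tables are well-known indicators assembled here as example lists, and the host snapshots are constructed in the script rather than read from a real machine so that it runs offline.

```python
"""Artifact-based sandbox detection over constructed host snapshots.

Added example, not code from the thesis. Every check reads from a plain
HostSnapshot object; on a real host the same fields would be filled from
the OS (NIC MAC, file system, CPUID, SMBIOS, GlobalMemoryStatus, ...).
"""
import time
from dataclasses import dataclass, field

# Well-known MAC address prefixes (OUIs) assigned to virtual NICs (example list).
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "52:54:00": "QEMU/KVM",
}
# Guest-tools drivers that only exist inside a VM (example list, lower-cased).
VM_TOOL_FILES = {
    r"c:\windows\system32\drivers\vmmouse.sys": "VMware",
    r"c:\windows\system32\drivers\vmhgfs.sys": "VMware",
    r"c:\windows\system32\drivers\vboxguest.sys": "VirtualBox",
    r"c:\windows\system32\drivers\vboxmouse.sys": "VirtualBox",
}
# Vendor strings a hypervisor returns in CPUID leaf 0x40000000 (example list).
HYPERVISOR_IDS = {"VMwareVMware", "VBoxVBoxVBox", "KVMKVMKVM", "Microsoft Hv", "XenVMMXenVMM"}
BIOS_KEYWORDS = ("vmware", "vbox", "virtualbox", "innotek", "qemu", "xen", "bochs")


@dataclass
class HostSnapshot:
    """Values an evasive sample would collect from the OS; constructed here."""
    mac: str
    files: set = field(default_factory=set)
    cpu_count: int = 4
    ram_gb: int = 8
    disk_gb: int = 256
    uptime_s: int = 24 * 3600
    bios_vendor: str = ""
    hypervisor_id: str = ""   # empty when CPUID reports no hypervisor


def check_mac(s):
    vendor = VM_MAC_OUIS.get(s.mac.lower()[:8])
    return f"MAC OUI belongs to {vendor}" if vendor else None

def check_files(s):
    hits = {VM_TOOL_FILES[p] for p in (f.lower() for f in s.files) if p in VM_TOOL_FILES}
    return f"guest-tools files for {', '.join(sorted(hits))}" if hits else None

def check_cpuid(s):
    return f"CPUID hypervisor id '{s.hypervisor_id}'" if s.hypervisor_id in HYPERVISOR_IDS else None

def check_bios(s):
    b = s.bios_vendor.lower()
    return f"BIOS vendor string '{s.bios_vendor}'" if any(k in b for k in BIOS_KEYWORDS) else None

def check_resources(s):
    # Analysis VMs are routinely provisioned far below a real workstation.
    small = [name for name, ok in (("cpu", s.cpu_count >= 2), ("ram", s.ram_gb >= 4),
                                   ("disk", s.disk_gb >= 80)) if not ok]
    return f"undersized resources: {', '.join(small)}" if small else None

def check_uptime(s):
    # A machine booted minutes before the sample ran is typical of a fresh snapshot.
    return f"uptime only {s.uptime_s}s" if s.uptime_s < 600 else None

CHECKS = (check_mac, check_files, check_cpuid, check_bios, check_resources, check_uptime)

def detect_artifacts(s):
    """Return the list of triggered indicators; an empty list reads as bare metal."""
    return [r for r in (c(s) for c in CHECKS) if r]

def looks_like_sandbox(s, min_hits=2):
    """Require more than one independent indicator to limit false positives
    (a developer laptop with Hyper-V enabled also reports a hypervisor id)."""
    return len(detect_artifacts(s)) >= min_hits


def sleep_was_skipped(seconds, sleep=time.sleep, clock=time.monotonic, tolerance=0.5):
    """Timing probe: a sandbox that patches Sleep() to return at once shows a
    wall-clock gap far shorter than requested. Clock functions are injectable
    so the behaviour can be reproduced without actually sleeping."""
    start = clock()
    sleep(seconds)
    return clock() - start < seconds * tolerance


if __name__ == "__main__":
    vm = HostSnapshot(mac="08:00:27:12:34:56", cpu_count=1, ram_gb=2, uptime_s=120,
                      files={r"C:\Windows\System32\drivers\VBoxGuest.sys"},
                      bios_vendor="innotek GmbH", hypervisor_id="VBoxVBoxVBox")
    laptop = HostSnapshot(mac="3c:22:fb:aa:bb:cc", bios_vendor="Dell Inc.")
    for name, snap in (("vm", vm), ("laptop", laptop)):
        print(name, looks_like_sandbox(snap), detect_artifacts(snap))
```

The threshold in `looks_like_sandbox` is the practitioner's trade-off: each indicator alone is spoofable or has benign explanations, so real evasive samples, like the tool used in the thesis, combine many of them, and anti-evasion work on the vendor side consists of removing or faking exactly these artifacts and keeping timing consistent.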
File | Size | Format |
---|---|---|
Tesi_Nicholas Morabito_Analysis of Evasive Behavior.pdf (accessible online only to authorized users) | 2.57 MB | Adobe PDF |
Documents in POLITesi are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/10589/208278