TWC: Small: Combating Environment-aware Malware

TWC：小型：打击环境感知恶意软件

• 批准号: 1617902
• 负责人: Michail Polychronakis
• 金额: $ 49.8万
• 依托单位: SUNY at Stony Brook
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-09-01 至 2020-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1617902&HistoricalAwards=false
• 关键词: TWC; Small; Combating; Environment; aware

Tools for dynamic detection of malicious software ("malware"), such as antivirus software, often create a protected "analysis environment" (or "sandbox") in which to test suspicious software without risk to the computer system. Malware authors have responded by developing environment-awareness techniques, to enable their malware to recognize and behave differently in a sandbox environment, thereby evading detection. Authors of defense software are endeavoring to ensure that analysis environments exhibit realistic characteristics. This project focuses on examining "wear-and-tear" or "aging" artifacts, whose absence could enable malware to distinguish a pristine, new analysis environment from a real environment that has been seen normal use.This project is assessing the potential for a new class of environment-aware malware that exploits usage-related artifacts that inevitably occur on real systems as a result of normal use, and which are absent in existing malware analysis environments. The project is first investigating techniques for recognizing artifacts related to past user activity and studying how malware might query or probe to acquire such information. Second, the researchers are evaluating the effectiveness of these techniques against current dynamic malware analysis systems and how such defense systems might detect that queries or probes of environmental information indicate the presence of malware. Finally, the project is studying whether artificially created "wear and tear" artifacts might be injected into analysis environments to counter next-generation, environment-aware malware.

动态检测恶意软件（“恶意软件”）的工具，例如杀毒软件，通常会创建一个受保护的“分析环境”（或“沙盒”），在其中测试可疑软件而不会对计算机系统造成风险。恶意软件作者通过开发环境感知技术来应对，使他们的恶意软件能够在沙盒环境中识别和表现不同，从而逃避检测。防御软件的作者正在努力确保分析环境表现出现实的特征。该项目关注于检查“磨损”或“老化”的工件，这些工件的缺失可能使恶意软件能够将原始的、新的分析环境与正常使用的真实环境区分开来。该项目正在评估一种新型环境感知恶意软件的潜力，这种恶意软件利用与使用相关的工件，这些工件由于正常使用而不可避免地出现在实际系统中，并且在现有的恶意软件分析环境中不存在。该项目首先研究识别与过去用户活动相关的工件的技术，并研究恶意软件如何查询或探测以获取此类信息。其次，研究人员正在评估这些技术对当前动态恶意软件分析系统的有效性，以及这些防御系统如何检测环境信息的查询或探测表明恶意软件的存在。最后，该项目正在研究人工制造的“磨损”工件是否可以注入分析环境中，以对抗下一代环境感知恶意软件。

项目成果

Now You See It, Now You Don't: A Large-scale Analysis of Early Domain Deletions

现在你看到了，现在你没有：对早期域删除的大规模分析

• 发表时间: 2019
• 期刊: Intrusions and Defenses (RAID
• 作者: Barron, Timothy;Miramirkhani, Najmeh;Nikiforakis, Nick
• 通讯作者: Nikiforakis, Nick

Purchased Fame: Exploring the Ecosystem of Private Blog Networks

• DOI: 10.1145/3321705.3329830
• 发表时间: 2019-07
• 期刊: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
• 作者: Tom van Goethem;N. Miramirkhani;W. Joosen;Nick Nikiforakis