Addressing Evasive Malware

解决规避恶意软件问题

• 批准号: 2107021
• 金额: --
• 依托单位: Royal Holloway University of London
• 依托单位国家: 英国
• 项目类别: Studentship
• 财政年份: 2018
• 资助国家: 英国
• 起止时间: 2018 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=studentship-2107021
• 关键词: Addressing; Evasive; Malware

The main areas of interest of this research is addressing malware that can detect virtual sandbox environments so that they can avoid analysis environments. An example of a simple sandbox evasion mechanism is the WannaCry malware which uses a DNS query. This malware was shut down by registering the correct domain and responding in the correct manner. This method worked because sandboxes often respond to DNS queries giving the appearance of a target device being online. The malware author had knowledge of this and programmed WannaCry to shut down when a response to an unregistered domain was received. Malware analysis through sandboxes focus on trying to mirror physical systems so that they appear transparent to the sample program being tested. In practice, this has proved difficult to achieve with malware authors programming their software to look for indicators that an environment is virtual. Historically it has been shown that there is a pattern of malware authors quickly finding solutions to engineering attempts to hide a sandbox environment from the malware. This leads to an endless game of "cat and mouse|, with security engineers having to respond to malware authors new ways of detecting a sandbox environment. A common approach is to reconfigure the sandbox environment to make it seem more like a physical environment, but this is not without its issues because some of the changes can lead to incompatibility between the test environment and the subject programmes.The research undertaken in this PhD will seek to detect the malware's sandbox detection mechanisms and turn the malware authors' techniques of environmental analysis against them. These methods include looking at the sum of the activities that a sample performs whilst it is trying to learn about its environment when it is first executed. Some examples are: capturing the network traffic generated by the sample on execution, using hooks to look at system calls made by the malware, looking at the number of NOPs that a malware may generate and looking at differential behaviour analysis i.e. if a detection mechanism is removed, does the sample become more active. The reason for focussing on when a sample is first executed is that there is typically some active interrogation before the malware activates its payload or is programmed to stay dormant and evade analysis. This can be considered a form of 'noise' that the malware makes when it is analysing the environment in the first instance and this is what the project will be targeting.Machine learning or possibly bame theory will be explored to see if it is possible to model these malware interactions in order to classify the software sample on a scale which can indicate to security analysts that further investigation in a physical environment is required. The reason an adaptive approach is required rather than an absolute approach is because sometimes interrogation of an environment by a program is considered normal behaviour. It is possible that a combination of these interactions will point to a sample looking to evade analysis in a sandbox

这项研究的主要兴趣领域是解决可以检测虚拟沙箱环境的恶意软件，以便它们可以避开分析环境。一个简单的沙箱规避机制的例子是使用DNS查询的WannaCry恶意软件。该恶意软件通过注册正确的域并以正确的方式响应而关闭。这种方法之所以有效，是因为沙箱经常响应DNS查询，使目标设备看起来在线。恶意软件作者知道这一点，并编程WannaCry在收到未注册域名的响应时关闭。通过沙箱进行的恶意软件分析侧重于尝试镜像物理系统，以便它们对正在测试的示例程序透明。在实践中，这已被证明是难以实现的恶意软件作者编程他们的软件来寻找环境是虚拟的指标。从历史上看，恶意软件作者有一种模式，可以快速找到解决方案，以工程化的方式试图隐藏恶意软件的沙箱环境。这导致了一场无休止的“猫捉老鼠”游戏|，安全工程师必须响应恶意软件作者检测沙箱环境的新方法。一种常见的方法是重新配置沙箱环境，使其看起来更像一个物理环境，但这并不是没有问题，因为一些变化可能会导致测试环境和主题程序之间的不兼容性。在这个博士学位进行的研究将寻求检测恶意软件的沙箱检测机制，并将恶意软件作者的环境分析技术针对他们。这些方法包括查看样本在第一次执行时尝试了解其环境时执行的活动的总和。以下是一些示例：捕获由执行时的样本生成的网络流量，使用钩子来查看由恶意软件进行的系统调用，查看恶意软件可能生成的NOP的数量，以及查看差异行为分析，即，如果检测机制被移除，则样本是否变得更活跃。关注样本首次执行时间的原因是，在恶意软件激活其有效载荷或被编程为保持休眠并逃避分析之前，通常会有一些主动询问。这可以被认为是恶意软件在第一时间分析环境时发出的一种“噪音”，这就是该项目的目标。机器学习或可能的bame理论将被探索，看看是否有可能对这些恶意软件交互进行建模，以便在一定程度上对软件样本进行分类，这可以向安全分析师表明，在物理环境中进行进一步调查是可行的。必需的.之所以需要自适应方法而不是绝对方法，是因为有时程序对环境的询问被认为是正常行为。这些交互作用的组合可能会指向一个试图逃避沙箱分析的样本