GoldenEye: Efficiently and Effectively Unveiling Malware’s Targeted Environment

  • Conference paper
Research in Attacks, Intrusions and Defenses (RAID 2014)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8688)

Abstract

A critical challenge when combating the malware threat is how to efficiently and effectively identify the targeted victim's environment, given an unknown malware sample. Unfortunately, existing malware analysis techniques either use a limited, fixed set of analysis environments (not effective) or employ expensive, time-consuming multi-path exploration (not efficient), so neither is well suited to this challenge. This paper therefore proposes a new dynamic analysis scheme that addresses the problem by applying the concept of speculative execution in this new context. Specifically, by providing multiple dynamically created, parallel, and virtual environment spaces, we speculatively execute a malware sample and adaptively switch to the right environment during the analysis. Interestingly, while our approach appears to trade space for speed, we show that it can actually use less memory and achieve much higher speed than existing schemes. We have implemented a prototype system, GoldenEye, and evaluated it with a large real-world malware dataset. The experimental results show that GoldenEye outperforms existing solutions and can effectively and efficiently expose malware's targeted environment, thereby speeding up analysis in the critical battle against the emerging targeted malware threat.

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Xu, Z., Zhang, J., Gu, G., Lin, Z. (2014). GoldenEye: Efficiently and Effectively Unveiling Malware’s Targeted Environment. In: Stavrou, A., Bos, H., Portokalidis, G. (eds) Research in Attacks, Intrusions and Defenses. RAID 2014. Lecture Notes in Computer Science, vol 8688. Springer, Cham. https://doi.org/10.1007/978-3-319-11379-1_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-11379-1_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11378-4

  • Online ISBN: 978-3-319-11379-1

  • eBook Packages: Computer Science (R0)
