Static malware detection with Segmented Sandboxing

Hongyuan Qiu, F. C. Osorio
Published in: 2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE), 2013-10-01
DOI: 10.1109/MALWARE.2013.6703695 (https://doi.org/10.1109/MALWARE.2013.6703695)
Citations: 7

Abstract

Traditionally, dynamic detection approaches to malware identification are commended for their simplicity and small signature database. In practice they suffer from two major defects. First, malware might need to be emulated for a long time before traces of harmful behavior are first exhibited. Second, a few anti-VM techniques are widely known and can easily be employed by any program to thwart the attempt to execute it in a sandbox and observe its original behavior, rendering the approach less than effective. On the other hand, static detection approaches have their own limitations, ranging from parsing obfuscated executables to the scalability issues caused by the ever-increasing size of the signature database. Fundamentally, in the last 10-15 years polymorphic and metamorphic obfuscation techniques have become prevalent, making static approaches less than effective due to the sheer magnitude of the sample set. While the benefits of the dynamic and static approaches each look quite tempting from the other's perspective, their weaknesses are daunting in their own right as well. In this manuscript we attempt to combine the best of both worlds without bringing in the disadvantages of either. We call this mixed approach "Segmented Sandboxing".