Alvaro Botas, R. Rodríguez, Vicente Matellán Olivera, Juan Felipe García Sierra, M. T. Trobajo, M. Carriegos
Journal Article, Log. J. IGPL, volume 27 1, published 2019-12-07. DOI: 10.1093/jigpal/jzz050 (https://doi.org/10.1093/jigpal/jzz050)
On Fingerprinting of Public Malware Analysis Services
Automatic public malware analysis services (PMAS, e.g. VirusTotal, Jotti or ClamAV, to name a few) provide controlled, isolated and virtual environments to analyse malicious software (malware) samples. Unfortunately, malware is currently incorporating techniques to recognize execution in a virtual or sandbox environment; when an analysis environment is detected, malware behaves as a benign application or even shows no activity. In this work, we present an empirical study and characterization of automatic PMAS, considering 26 different services. We also show a set of features that allow these services to be easily fingerprinted as analysis environments; the lower the unlikeability of these features, the easier it is for us (and thus for malware) to fingerprint the analysis service they belong to. Finally, we propose a method for these analysis services to counter or at least mitigate our proposal.