Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware

Xu Chen; Jon Andersen; Z. Morley Mao; Michael Bailey; Jose Nazario

doi:10.1109/DSN.2008.4630086

Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware

Xu Chen, Jon Andersen, Z. Morley Mao, Michael Bailey, Jose Nazario

Research output: Contribution to conference › Paper

Abstract

Many threats that plague today's networks (e.g., phishing, botnets, denial of service attacks) are enabled by a complex ecosystem of attack programs commonly called malware. To combat these threats, defenders of these networks have turned to the collection, analysis, and reverse engineering of malware as mechanisms to understand these programs, generate signatures, and facilitate cleanup of infected hosts. Recently however, new malware instances have emerged with the capability to check and often thwart these defensive activities - essentially leaving defenders blind to their activities. To combat this emerging threat, we have undertaken a robust analysis of current malware and developed a detailed taxonomy of malware defender fingerprinting methods. We demonstrate the utility of this taxonomy by using it to characterize the prevalence of these avoidance methods, to generate a novel fingerprinting method that can assist malware propagation, and to create an effective new technique to protect production systems.

Original language	English (US)
Pages	177-186
Number of pages	10
DOIs	https://doi.org/10.1109/DSN.2008.4630086
State	Published - Oct 13 2008
Externally published	Yes
Event	2008 International Conference on Dependable Systems and Networks, DSN-2008 - Anchorage, AK, United States Duration: Jun 24 2008 → Jun 27 2008

Other

Other	2008 International Conference on Dependable Systems and Networks, DSN-2008
Country	United States
City	Anchorage, AK
Period	6/24/08 → 6/27/08

ASJC Scopus subject areas

Software
Hardware and Architecture
Computer Networks and Communications

Access to Document

10.1109/DSN.2008.4630086

Fingerprint Dive into the research topics of 'Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware'. Together they form a unique fingerprint.

Cite this

Chen, X., Andersen, J., Morley Mao, Z., Bailey, M., & Nazario, J. (2008). Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. 177-186. Paper presented at 2008 International Conference on Dependable Systems and Networks, DSN-2008, Anchorage, AK, United States. https://doi.org/10.1109/DSN.2008.4630086

@conference{7ccbd0f853c54908888f6999d6373c4f,

title = "Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware",

abstract = "Many threats that plague today's networks (e.g., phishing, botnets, denial of service attacks) are enabled by a complex ecosystem of attack programs commonly called malware. To combat these threats, defenders of these networks have turned to the collection, analysis, and reverse engineering of malware as mechanisms to understand these programs, generate signatures, and facilitate cleanup of infected hosts. Recently however, new malware instances have emerged with the capability to check and often thwart these defensive activities - essentially leaving defenders blind to their activities. To combat this emerging threat, we have undertaken a robust analysis of current malware and developed a detailed taxonomy of malware defender fingerprinting methods. We demonstrate the utility of this taxonomy by using it to characterize the prevalence of these avoidance methods, to generate a novel fingerprinting method that can assist malware propagation, and to create an effective new technique to protect production systems.",

author = "Xu Chen and Jon Andersen and {Morley Mao}, Z. and Michael Bailey and Jose Nazario",

year = "2008",

month = oct,

day = "13",

doi = "10.1109/DSN.2008.4630086",

language = "English (US)",

pages = "177--186",

note = "2008 International Conference on Dependable Systems and Networks, DSN-2008 ; Conference date: 24-06-2008 Through 27-06-2008",

}

TY - CONF

T1 - Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware

AU - Chen, Xu

AU - Andersen, Jon

AU - Morley Mao, Z.

AU - Bailey, Michael

AU - Nazario, Jose

PY - 2008/10/13

Y1 - 2008/10/13

N2 - Many threats that plague today's networks (e.g., phishing, botnets, denial of service attacks) are enabled by a complex ecosystem of attack programs commonly called malware. To combat these threats, defenders of these networks have turned to the collection, analysis, and reverse engineering of malware as mechanisms to understand these programs, generate signatures, and facilitate cleanup of infected hosts. Recently however, new malware instances have emerged with the capability to check and often thwart these defensive activities - essentially leaving defenders blind to their activities. To combat this emerging threat, we have undertaken a robust analysis of current malware and developed a detailed taxonomy of malware defender fingerprinting methods. We demonstrate the utility of this taxonomy by using it to characterize the prevalence of these avoidance methods, to generate a novel fingerprinting method that can assist malware propagation, and to create an effective new technique to protect production systems.

AB - Many threats that plague today's networks (e.g., phishing, botnets, denial of service attacks) are enabled by a complex ecosystem of attack programs commonly called malware. To combat these threats, defenders of these networks have turned to the collection, analysis, and reverse engineering of malware as mechanisms to understand these programs, generate signatures, and facilitate cleanup of infected hosts. Recently however, new malware instances have emerged with the capability to check and often thwart these defensive activities - essentially leaving defenders blind to their activities. To combat this emerging threat, we have undertaken a robust analysis of current malware and developed a detailed taxonomy of malware defender fingerprinting methods. We demonstrate the utility of this taxonomy by using it to characterize the prevalence of these avoidance methods, to generate a novel fingerprinting method that can assist malware propagation, and to create an effective new technique to protect production systems.

UR - http://www.scopus.com/inward/record.url?scp=53349116756&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=53349116756&partnerID=8YFLogxK

U2 - 10.1109/DSN.2008.4630086

DO - 10.1109/DSN.2008.4630086

M3 - Paper

AN - SCOPUS:53349116756

SP - 177

EP - 186

T2 - 2008 International Conference on Dependable Systems and Networks, DSN-2008

Y2 - 24 June 2008 through 27 June 2008

ER -