dc.description.abstract
Virtual environments have become indispensable for analysing and researching malware because of their isolated and controlled nature. However, advanced malware now employs sophisticated techniques to detect and evade analysis within these virtual environments, impeding effective research and cyber defence strategies. To address this challenge, this thesis presents a novel deception framework designed to protect virtual environments from detection by malware and to enable comprehensive analysis of malware behaviour. The proposed deception framework aims to anonymize the signatures of the virtual environment that malware uses to identify virtualization. By altering the attributes of the virtual environment and obfuscating its identifying features, the framework deceives malware into perceiving the virtual environment as a genuine physical system. As a result, the malware executes its malicious code, allowing researchers to capture and analyse its behaviour without triggering evasion mechanisms. The framework consists of two main phases. In the first phase, signature anonymization techniques modify system artefacts, emulate physical hardware features, and obscure virtualization-related processes. By altering these explicit indicators of virtualization, the framework aims to deceive malware and prevent it from recognizing the virtual environment.
In the second phase, the behaviour of the malware is observed and analysed within the protected virtual environment. Freed from the constraints of evasion mechanisms, researchers can monitor the malware's activities, capture its network communications, and study its malicious actions in depth. To assess the effectiveness of the deception framework, extensive experiments are conducted with a diverse range of malware samples, including those known for their advanced anti-virtual-machine techniques. The results demonstrate that the proposed framework successfully evades detection by the tested malware and enables researchers to conduct thorough analyses of its behaviour. The contributions of this thesis provide valuable insights into the evolving landscape of malware evasion techniques and offer a practical solution for improving the effectiveness of malware analysis in virtual environments. The framework's success in deceiving advanced malware enables more secure and accurate malware research, facilitating proactive defence strategies and a deeper understanding of emerging threats. The proposed deception framework represents a significant step towards fortifying virtual environments and fostering a safer cybersecurity landscape. By mitigating malware evasion, it enables researchers and security practitioners to stay one step ahead of malicious actors, ultimately bolstering the resilience of digital infrastructure.