Abstract:
With the widespread adoption of the Internet in all spheres of human life, the menace of malware has also become more voluminous and sophisticated. This threat is characterized by fast evolution and huge volumes. Detection of and protection against these malware threats relies on automated dynamic analysis techniques. Malware writers have increasingly resorted to analysis evasion techniques to prevent automated dynamic analysis systems from identifying the true behavior of the malware. Such malware first attempts to detect the presence of an analysis environment and then refrains from exhibiting any malicious behavior as soon as it senses that it is being executed in one. This poses a challenge for researchers: to study the anti-analysis techniques adopted by malware and then improve and design new analysis approaches that detect and/or prevent such evasion. As most analysis environments are based on virtual machines or emulators, the malware attempts to detect the presence of a virtual/emulated environment.
This thesis presents the Analysis Evasion Malware Sandbox (AEMS), which is able to counter the known evasion techniques of malware. Additionally, a novel technique for detecting evasive malware behavior is presented, based on measuring the deviation from the normal behavior of a program or malware. AEMS was evaluated using a reference bare-metal system and two well-known malware analysis systems. The result is an objective estimate of the evasion-based behavior of malware. Through study of the detected evasion techniques, various countermeasures have been proposed and implemented in AEMS.
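The abstract describes deviation-from-normal-behavior measurement only in outline, so the following is an added illustration of that idea, not code from the thesis or from AEMS. It assumes a simple trace format (one `api(args)` string per line), compares the API-call profile of the same sample recorded on a reference bare-metal host against the profile recorded inside a sandbox, and treats a large divergence as a sign that the sample changed its behavior once it detected the analysis environment. The trace lines, the cosine-distance metric and the 0.3 threshold are all constructed assumptions for this example.

```python
# Added example: score how far a sandbox run of a sample deviates from a
# reference bare-metal run of the same sample. Trace format, metric and
# threshold are assumptions of this illustration, not the thesis's method.
import math
from collections import Counter

# Constructed sample traces (one API call per entry, 'api(args)' form).
REFERENCE_TRACE = [               # same sample, reference bare-metal host
    "GetSystemInfo()",
    "CreateFileW(%TEMP%\\stage.tmp)",
    "WriteFile(hFile)",
    "RegSetValueExW(HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)",
    "InternetOpenW(agent)",
    "InternetConnectW(host)",
    "CreateProcessW(%TEMP%\\stage.tmp)",
    "ExitProcess(0)",
]
SANDBOX_TRACE = [                 # same sample, inside the sandbox under test
    "GetSystemInfo()",
    "GetTickCount()",
    "ExitProcess(0)",
]


def call_histogram(trace):
    """Count API names in a trace, ignoring arguments (split at first '(')."""
    return Counter(line.split("(", 1)[0] for line in trace)


def cosine_similarity(a, b):
    """Cosine similarity between two Counter vectors (0.0 if either is empty)."""
    keys = set(a) | set(b)
    dot = sum(a[k] * b[k] for k in keys)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    if na == 0 or nb == 0:
        return 0.0
    return dot / (na * nb)


def deviation_score(reference_trace, sandbox_trace):
    """Deviation in [0, 1]: 0 means identical API profiles, 1 means disjoint."""
    return 1.0 - cosine_similarity(call_histogram(reference_trace),
                                   call_histogram(sandbox_trace))


def missing_behaviour(reference_trace, sandbox_trace):
    """API calls observed on the reference host but never seen in the sandbox."""
    ref, sbx = call_histogram(reference_trace), call_histogram(sandbox_trace)
    return sorted(k for k in ref if k not in sbx)


def extra_behaviour(reference_trace, sandbox_trace):
    """API calls seen only in the sandbox run (often environment probing)."""
    ref, sbx = call_histogram(reference_trace), call_histogram(sandbox_trace)
    return sorted(k for k in sbx if k not in ref)


def classify(reference_trace, sandbox_trace, threshold=0.3):
    """Label the sandbox run 'evasive' when its profile deviates beyond the
    (assumed) threshold from the reference run, else 'consistent'."""
    score = deviation_score(reference_trace, sandbox_trace)
    return "evasive" if score > threshold else "consistent"


if __name__ == "__main__":
    score = deviation_score(REFERENCE_TRACE, SANDBOX_TRACE)
    print(f"deviation={score:.3f} verdict={classify(REFERENCE_TRACE, SANDBOX_TRACE)}")
    print("missing in sandbox:", missing_behaviour(REFERENCE_TRACE, SANDBOX_TRACE))
    print("only in sandbox:  ", extra_behaviour(REFERENCE_TRACE, SANDBOX_TRACE))
```

The histogram comparison deliberately ignores call order and arguments, so it flags a sample that drops whole phases of its behavior (persistence, network, process creation) in the sandbox while being insensitive to harmless reordering. A sequence-aware metric or a weighting that favours high-impact calls would be a natural refinement, but the threshold and metric used here are illustrative assumptions and would need calibration against known-good samples before use.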