DOI: 10.1145/3590777.3590793 · Research article · Open access

CLOUDOSCOPE: Detecting Anti-Forensic Malware using Public Cloud Environments

Published: 14 June 2023

Abstract

Much modern malware employs runtime anti-forensic techniques in order to evade detection. Anti-forensic tactics can be categorized as anti-virtualization (anti-VM), anti-debugging, anti-sandbox, and anti-forensic-tools. Detecting such malware is challenging because the samples do not reveal their malicious behavior in an analysis environment and are therefore classified as benign.
We present CLOUDOSCOPE, a novel architecture for detecting anti-forensic malware using the power of public cloud environments. Our method runs each sample on bare-metal machines and then runs and monitors it in multiple forensic environments deployed in the cloud: virtual machines, debuggers, sandboxes, and forensic-tool environments. We identify anti-forensic behavior by comparing the results obtained in forensic and non-forensic environments: anti-forensic malware exposes a difference between its bare-metal, non-forensic execution and its virtualized, forensic executions. Furthermore, because each environment exposes a particular analysis property, our method enables the identification of the specific anti-forensic technique(s) used by the malware. We provide background on anti-forensic malware, present the architecture, design and implementation of CLOUDOSCOPE, and evaluate our system. As the evaluation shows, public cloud environments can be used to identify and detect stealthy, anti-forensic malware.
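The core of the approach described above is a differential comparison: the sample's behavior on a bare-metal, non-forensic machine is the baseline, and any forensic environment in which that behavior shrinks points at the environment class the sample detected. The following is an added example written for this page, not the CLOUDOSCOPE implementation or the authors' code. The environment names, the mapping from environment class to technique label, the Jaccard threshold and the behavior-event strings are all constructed assumptions; the traces stand in for whatever a real monitoring agent would record.

```python
"""Differential comparison of behavior traces across execution environments.

Added example, not the paper's implementation. It models the CLOUDOSCOPE
idea: behavior observed on bare metal is the ground truth, and an
environment in which that behavior is withheld reveals the evasion class.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Assumed mapping: the forensic property an environment exposes -> the
# anti-forensic technique that would react to it.
TECHNIQUE_FOR_ENV = {
    "vm": "anti-VM",
    "debugger": "anti-debugging",
    "sandbox": "anti-sandbox",
    "forensic-tools": "anti-forensic-tools",
}

BASELINE_ENV = "bare-metal"  # non-forensic reference execution


@dataclass
class Verdict:
    anti_forensic: bool
    techniques: List[str]                 # technique labels inferred
    similarity: Dict[str, float]          # per-environment Jaccard vs baseline
    suppressed: Dict[str, FrozenSet[str]] # baseline events missing per env


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Set similarity in [0, 1]; two empty traces count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare_environments(traces: Dict[str, Set[str]], threshold: float = 0.8) -> Verdict:
    """traces maps environment name -> set of observed behavior events.

    An environment is flagged when its trace is both dissimilar to the
    baseline and missing events the baseline produced: the sample saw the
    environment and withheld part of its payload. Extra events that only
    appear in a forensic environment lower similarity but are not, on
    their own, evidence of evasion.
    """
    baseline = frozenset(traces[BASELINE_ENV])
    similarity: Dict[str, float] = {}
    suppressed: Dict[str, FrozenSet[str]] = {}
    techniques: List[str] = []
    for env, events in traces.items():
        if env == BASELINE_ENV:
            continue
        observed = frozenset(events)
        similarity[env] = jaccard(baseline, observed)
        suppressed[env] = baseline - observed
        if similarity[env] < threshold and suppressed[env]:
            techniques.append(TECHNIQUE_FOR_ENV.get(env, f"unknown ({env})"))
    return Verdict(bool(techniques), techniques, similarity, suppressed)


# Constructed traces for one hypothetical sample. Event strings are
# illustrative labels only (TEST-NET address, placeholder file names).
FULL_BEHAVIOR = {
    "file:write:%APPDATA%\\svc.dat",
    "reg:set:HKCU\\...\\Run\\svc",
    "net:connect:203.0.113.10:443",
    "proc:spawn:cmd.exe",
}
SAMPLE_TRACES = {
    "bare-metal": set(FULL_BEHAVIOR),
    "vm": {"proc:spawn:cmd.exe"},        # payload withheld under a hypervisor
    "debugger": {"proc:spawn:cmd.exe"},  # payload withheld under a debugger
    "sandbox": set(FULL_BEHAVIOR),       # sandbox not detected
    "forensic-tools": set(FULL_BEHAVIOR),
}


def report(traces: Dict[str, Set[str]]) -> str:
    """Human-readable summary of the verdict for one sample."""
    v = compare_environments(traces)
    lines = [f"anti-forensic: {v.anti_forensic}"]
    for env, sim in v.similarity.items():
        lines.append(f"  {env:15s} similarity={sim:.2f} suppressed={len(v.suppressed[env])}")
    if v.techniques:
        lines.append("  techniques: " + ", ".join(v.techniques))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TRACES))
```

A sample that behaves identically everywhere, or that stays inert everywhere including bare metal, is not flagged; the method can only attribute evasion where the non-forensic baseline actually exhibits behavior that a forensic environment lacks.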


Published In

EICC '23: Proceedings of the 2023 European Interdisciplinary Cybersecurity Conference
June 2023
205 pages
ISBN:9781450398299
DOI:10.1145/3590777
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. APT
  2. Anti-forensic
  3. anti-VM
  4. anti-debug
  5. anti-sandbox
  6. detection
  7. evasion
  8. malware
  9. public cloud

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

EICC 2023
