Your Sandbox is Blinded: Impact of Decoy Injection to Public Malware Analysis Systems
スポンサーリンク
概要
- 論文の詳細を見る
The use of public Malware Sandbox Analysis Systems (public MSASs) which receive online submissions of possibly malicious files or URLs from an arbitrary user, analyze their behavior by executing or visiting them by a testing environment (i.e., a sandbox), and send analysis reports back to the user, has increased in popularity. Consequently, anti-analysis techniques have also evolved from known technologies like anti-virtualization and anti-debugging to the detection of specific sandboxes by checking their unique characteristics such as a product ID of their OS and a usage of certain Dynamic Link Library (DLL) used in a particular sandbox. In this paper, we point out yet another important characteristic of the sandboxes, namely, their IP addresses. In public MSASs, the sandbox is often connected to the Internetin order to properly observe malware behavior as modern malware communicate with remote hosts in the Internet for various reasons, such as receiving command and control (C&C) messages and files for updates. We explain and demonstrate that the IP address of an Internet-connected sandbox can be easily disclosed by an attacker who submits a decoy sample dedicated to this purpose. The disclosed address can then be shared among attackers, blacklisted, and used against the analysis system, for example, to conceal potential malicious behavior of malware. We call the method Network-based Sandbox Detection by Decoy Injection (NSDI). We conducted case studies with 15 representative existing public MSASs, which were selected from 33 online malware analysis systems with careful screening processes, and confirmed that a hidden behavior of the malware samples was successfully concealed from all of the 15 analysis systems by NSDI. In addition, we found out the risk that a background analysis activity behind these systems can also be revealed by NSDI if the samples are shared among the systems without careful considerations. Moreover, about three months after our first case study it was reported that a real-world NSDI was conducted against several public MSASs.
著者
-
YOSHIOKA Katsunari
Yokohama National University
-
Matsumoto Tsutomu
Yokohama National Univ. Yokohama‐shi Jpn
-
Hosobuchi Yoshihiko
Yokohama National University
-
Orii Tatsunori
Yokohama National University
関連論文
- E2-A New 128-Bit Block Cipher(Special Section on Cryptography and Information Security)
- Digitally Signed Document Sanitizing Scheme with Disclosure Condition Control(Application)(Cryptography and Information Security)
- On the security of Feistel Ciphers with SPN Round Function against Differential, Linear, and Truncated Differential Cryptanalysis(Special Section on Cryptography and Information Security)
- Multi-Pass Malware Sandbox Analysis with Controlled Internet Connection
- 招待講演 nicter: An Incident Analysis System for the Global Internet using Correlation between Network Monitoring and Malware Analysis
- 招待講演 nicter: An Incident Analysis System for the Global Internet using Correlation between Network Monitoring and Malware Analysis
- Fine-Grain Feature Extraction from Malware's Scan Behavior Based on Spectrum Analysis
- Malware Sandbox Analysis for Secure Observation of Vulnerability Exploitation
- Automated Malware Analysis System and Its Sandbox for Revealing Malware's Internal and External Activities
- Practical Correlation Analysis between Scan and Malware Profiles against Zero-Day Attacks Based on Darknet Monitoring
- FOREWORD (Special Section on Cryptography and Information Security)
- Your Sandbox is Blinded: Impact of Decoy Injection to Public Malware Analysis Systems
- Information-Flow-Based Access Control for Web Browsers
- Effectiveness of Outline Measures of Strength against Differential and Linear Cryptanalysis (Special Section on Cryptography and Information Security)
- Malware Sandbox Analysis with Efficient Observation of Herder's Behavior
- Malware Sandbox Analysis with Efficient Observation of Herder's Behavior
- Catching the Behavioral Differences between Multiple Executions for Malware Detection
- FOREWORD
- Catching the Behavioral Differences between Multiple Executions for Malware Detection