malWASH: Washing Malware to Evade Dynamic Analysis

Authors: 

Kyriakos K. Ispoglou and Mathias Payer, Purdue University

Abstract: 

Hiding malware processes from fingerprinting is challenging. Current techniques like metamorphic algorithms and diversity generate different instances of a program, protecting it against static detection. Unfortunately, all existing techniques are prone to detection through behavioral analysis – a runtime analysis that records behavior (e.g., through system call invocations), and can detect executing diversified programs like malware.

We present malWASH, a dynamic diversification engine that executes an arbitrary program without being detected by dynamic analysis tools. Target programs are chopped into small components that are then executed in the context of other processes, hiding the behavior of the original program in a stream of benign behavior of a large number of processes. A scheduler connects these components and transfers state between the different processes. The execution of the benign processes is not impacted. Furthermore, malWASH ensures that the executing program remains persistent, complicating the removal process.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {198415,
author = {Kyriakos K. Ispoglou and Mathias Payer},
title = {{malWASH}: Washing Malware to Evade Dynamic Analysis},
booktitle = {10th USENIX Workshop on Offensive Technologies (WOOT 16)},
year = {2016},
address = {Austin, TX},
url = {https://www.usenix.org/conference/woot16/workshop-program/presentation/ispoglou},
publisher = {USENIX Association},
month = aug,
}
Download
Ispoglou PDF
View the slides