TWC: Small: Combating Environment-aware Malware
Michalis Polychronakis (Principal Investigator)
Nick Nikiforakis (Co-Principal Investigator)
Tools for dynamic detection of malicious software (“malware”), such as antivirus software, often create a protected “analysis environment” (or “sandbox”) in which to test suspicious software without risk to the computer system. Malware authors have responded by developing environment-awareness techniques that enable their malware to recognize a sandbox environment and behave differently in it, thereby evading detection. Authors of defense software are endeavoring to ensure that analysis environments exhibit realistic characteristics. This project focuses on examining “wear-and-tear” or “aging” artifacts, whose absence could enable malware to distinguish a pristine, new analysis environment from a real environment that has seen normal use.
This project is assessing the potential for a new class of environment-aware malware that exploits usage-related artifacts that inevitably occur on real systems as a result of normal use, and which are absent in existing malware analysis environments. The project is first investigating techniques for recognizing artifacts related to past user activity and studying how malware might query or probe to acquire such information. Second, the researchers are evaluating the effectiveness of these techniques against current dynamic malware analysis systems and how such defense systems might detect that queries or probes of environmental information indicate the presence of malware. Finally, the project is studying whether artificially created “wear and tear” artifacts might be injected into analysis environments to counter next-generation, environment-aware malware.