Fighting Evasive Malware: How to Pass the Reverse Turing Test By Utilizing a VMI-Based Human Interaction Simulator

Sandboxes are an indispensable tool in dynamic malware analysis today. However, modern malware often employs sandbox-detection methods to exhibit non-malicious behavior within sandboxes and therefore evade automatic analysis. One category of sandbox-detection techniques are reverse Turing tests (RTTs) to determine the presence of a human operator. In order to pass these RTTs, we propose a novel approach which builds upon virtual machine introspection (VMI) to automatically reconstruct the graphical user interface, determine clickable buttons and inject human interface device events via direct control of virtualized human interface devices in a stealthy way. We extend the VMI-based open-source sandbox DRAKVUF with our approach and show that it successfully passes RTTs commonly employed by malware in the wild to detect sandboxes

Gruber, Jan; Freiling, Felix C. (2022): Fighting Evasive Malware: How to Pass the Reverse Turing Test By Utilizing a VMI-Based Human Interaction Simulator. GI SICHERHEIT 2022. DOI: 10.18420/sicherheit2022_03. Gesellschaft für Informatik, Bonn. PISSN: 1617-5468. ISBN: 978-3-88579-717-3. pp. 49-64. Session 1. Karlsruhe. 5.-8. April 2022

Schlagwörter

Malware Analysis , Sandboxing , Virtual Machine Introspection , Reverse Turing Test

DOI

10.18420/sicherheit2022_03

Sammlungen

P323 - Sicherheit 2022 - Sicherheit, Schutz und Zuverlässigkeit

Komplettanzeige

Fighting Evasive Malware: How to Pass the Reverse Turing Test By Utilizing a VMI-Based Human Interaction Simulator

Volltext URI

Dokumententyp

Dateien

Zusatzinformation

Datum

Autor:innen

Zeitschriftentitel

ISSN der Zeitschrift

Bandtitel

Quelle

Verlag

Zusammenfassung

Beschreibung

Schlagwörter

Zitierform

DOI

Tags

Sammlungen