Publisher | Association for Computing Machinery |
Authors | Floris Gorter, Cristiano Giuffrida, Erik Van Der Kouwe |
Year | 2023 |
Cost | Free |
Themes | Malware, Malware Analysis, Malware Detection, Enviral |
Overview
Analyzing malicious behavior is crucial for effective protection against malware, but modern malware often checks whether it is running inside an analysis environment and, if so, conceals its true behavior. Manually disabling these evasive checks is labor-intensive and does not scale, while existing automated systems for analyzing evasive malware are impractical or incomplete.
This paper presents Enviral, an automatic framework for evasive malware analysis that combines the strengths of several earlier approaches. Treating the sample's view of its environment as fuzzable input, Enviral dynamically adapts the execution environment to defeat evasive checks in the target, continuously refining its understanding of the malware's behavior.
Concretely, Enviral mutates the results of the environment queries the sample makes, so that multiple execution paths are explored and activity hidden behind the checks is uncovered. Experimental results demonstrate that Enviral detects and overcomes evasive behavior, revealing actions that were previously concealed.
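The toy below is an added illustration of the query-mutation idea, not Enviral's code or the paper's artifact. It assumes a constructed sample with four short-circuiting evasive checks, a constructed baseline of "analysis box" answers that trips the first check, a hypothetical pool of plausible replacement answers per value type, and a greedy coverage criterion (keep an override whenever the trace contains a query or system call never seen before). Enviral's actual mutation strategy and coverage metric are not reproduced.

```python
"""Toy coverage-guided mutation of environment-query results.

Added illustration, not Enviral's code: a constructed sample with layered
evasive checks, a query layer whose answers can be overridden, and a greedy
fuzzer that keeps any override exposing new events in the trace.
"""

# Constructed baseline: the answers a typical analysis box would give, i.e.
# the values that make the sample below bail out before doing anything.
BASELINE_ENV = {
    "cpu_count": 1,
    "debugger_present": True,
    "disk_vendor": "VBOX HARDDISK",
    "uptime_s": 30,
}

# Hypothetical pool of plausible replacement answers per value type.
CANDIDATES = {
    int: [0, 1, 2, 4, 8, 600, 3600, 86400],
    bool: [True, False],
    str: ["ST1000DM003", "WDC WD10EZEX", "VMware Virtual S", "VBOX HARDDISK"],
}


class Env:
    """Answers environment queries (overrides win over the baseline) and
    records every query and system call the sample makes as a trace."""

    def __init__(self, overrides):
        self.overrides = dict(overrides)
        self.trace = []

    def query(self, name):
        self.trace.append(f"query:{name}")
        return self.overrides.get(name, BASELINE_ENV[name])

    def syscall(self, text):
        self.trace.append(f"sys:{text}")


def evasive_sample(env):
    """Constructed stand-in for a sample: each check short-circuits, so a
    later query is only observed once the earlier checks are satisfied."""
    if env.query("cpu_count") < 2:              # single core => sandbox
        env.syscall("ExitProcess(0)")
        return
    if env.query("debugger_present"):           # IsDebuggerPresent-style check
        env.syscall("ExitProcess(0)")
        return
    vendor = env.query("disk_vendor")
    if "VBOX" in vendor or "VMware" in vendor:  # VM artefact check
        env.syscall("Sleep(60000)")             # stall, then leave quietly
        env.syscall("ExitProcess(0)")
        return
    if env.query("uptime_s") < 600:             # freshly booted box
        env.syscall("ExitProcess(0)")
        return
    # Behaviour hidden behind all four checks (constructed, not real IOCs).
    env.syscall("RegSetValueEx(HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)")
    env.syscall("connect(203.0.113.7:443)")
    env.syscall("WriteFile(payload.dll)")


def run(overrides, sample=evasive_sample):
    """Execute the sample once under the given query overrides; return its trace."""
    env = Env(overrides)
    sample(env)
    return env.trace


def fuzz(sample=evasive_sample, max_rounds=50):
    """Greedy, coverage-guided search over query answers.

    Each round re-runs the sample to learn which queries it currently makes,
    then tries candidate answers for each; an override is kept whenever the
    trace contains an event never seen before. Stops at a fixpoint."""
    seen = set(run({}, sample))
    overrides = {}
    discoveries = []  # (query, value, newly exposed events)
    for _ in range(max_rounds):
        progress = False
        queries = [e[len("query:"):] for e in run(overrides, sample) if e.startswith("query:")]
        for q in queries:
            current = overrides.get(q, BASELINE_ENV[q])
            for cand in CANDIDATES[type(current)]:
                if cand == current:
                    continue
                trial = {**overrides, q: cand}
                new = set(run(trial, sample)) - seen
                if new:
                    seen |= new
                    overrides = trial
                    discoveries.append((q, cand, sorted(new)))
                    progress = True
                    break
        if not progress:
            break
    return overrides, seen, discoveries


def exposed_syscalls(seen):
    """System calls that only appear once some check has been defeated."""
    baseline = set(run({}))
    return sorted(e for e in seen - baseline if e.startswith("sys:"))


if __name__ == "__main__":
    overrides, seen, discoveries = fuzz()
    for q, value, new in discoveries:
        print(f"{q} := {value!r} exposed {new}")
    print("final environment:", overrides)
    print("hidden syscalls:", exposed_syscalls(seen))
```

Two things the toy makes visible that the summary does not: the checks are discovered one at a time, because the sample never issues the second query until the first answer satisfies it, so the search has to be iterative rather than a one-shot patch of known checks; and the stalling `Sleep(60000)` is itself newly exposed activity, worth reporting alongside the final payload. Real samples cross-check answers (a claimed disk vendor against a claimed RAM size, for instance), so the replacement pool must contain mutually plausible values rather than arbitrary ones.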
Comparative evaluation against a similar framework reveals that Enviral exposes an average of 39% more interesting hidden system call activity and discovers previously unseen behavior in 67% more malware samples, highlighting its effectiveness in detecting and understanding evasive malware.