TY - GEN
T1 - Droid-AntiRM
T2 - 33rd Annual Computer Security Applications Conference, ACSAC 2017
AU - Wang, Xiaolei
AU - Zhu, Sencun
AU - Zhou, Dehua
AU - Yang, Yuexiang
N1 - Publisher Copyright:
© 2017 Copyright held by the owner/author(s). Publication rights licensed to ACM.
PY - 2017/12/4
Y1 - 2017/12/4
N2 - While many test input generation techniques have been proposed to improve the code coverage of dynamic analysis, they are still inefficient in triggering hidden malicious behaviors protected by anti-analysis techniques. In this work, we design and implement Droid-AntiRM, a new approach that seeks to tame anti-analysis automatically and improve automated dynamic analysis. Our approach leverages three key observations: 1) logic-bomb-based anti-analysis techniques control the execution of certain malicious behaviors; 2) anti-analysis techniques are normally implemented through condition statements; 3) anti-analysis techniques normally have no dependence on program inputs. Based on these observations, Droid-AntiRM uses various techniques to detect anti-analysis in malware samples and rewrites the condition statements in anti-analysis cases through bytecode instrumentation, thus forcing the hidden behavior to be executed at runtime. Through a study of 3187 malware samples, we find that 32.50% of them employ various anti-analysis techniques. Our experiments demonstrate that Droid-AntiRM can identify anti-analysis instances from 30 malware samples with a true positive rate of 89.15% and zero false negatives. By taming the identified anti-analysis, Droid-AntiRM can greatly improve automated dynamic analysis, successfully triggering 44 additional hidden malicious behaviors from the 30 samples. Further performance evaluation shows that Droid-AntiRM is efficient enough for large-scale analysis.
AB - While many test input generation techniques have been proposed to improve the code coverage of dynamic analysis, they are still inefficient in triggering hidden malicious behaviors protected by anti-analysis techniques. In this work, we design and implement Droid-AntiRM, a new approach that seeks to tame anti-analysis automatically and improve automated dynamic analysis. Our approach leverages three key observations: 1) logic-bomb-based anti-analysis techniques control the execution of certain malicious behaviors; 2) anti-analysis techniques are normally implemented through condition statements; 3) anti-analysis techniques normally have no dependence on program inputs. Based on these observations, Droid-AntiRM uses various techniques to detect anti-analysis in malware samples and rewrites the condition statements in anti-analysis cases through bytecode instrumentation, thus forcing the hidden behavior to be executed at runtime. Through a study of 3187 malware samples, we find that 32.50% of them employ various anti-analysis techniques. Our experiments demonstrate that Droid-AntiRM can identify anti-analysis instances from 30 malware samples with a true positive rate of 89.15% and zero false negatives. By taming the identified anti-analysis, Droid-AntiRM can greatly improve automated dynamic analysis, successfully triggering 44 additional hidden malicious behaviors from the 30 samples. Further performance evaluation shows that Droid-AntiRM is efficient enough for large-scale analysis.
UR - http://www.scopus.com/inward/record.url?scp=85038967557&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85038967557&partnerID=8YFLogxK
U2 - 10.1145/3134600.3134601
DO - 10.1145/3134600.3134601
M3 - Conference contribution
AN - SCOPUS:85038967557
T3 - ACM International Conference Proceeding Series
SP - 350
EP - 361
BT - Proceedings - 33rd Annual Computer Security Applications Conference, ACSAC 2017
PB - Association for Computing Machinery
Y2 - 4 December 2017 through 8 December 2017
ER -