WEKO3
アイテム
Your Sandbox is Blinded: Impact of Decoy Injection to Public Malware Analysis Systems
https://ipsj.ixsq.nii.ac.jp/records/73750
https://ipsj.ixsq.nii.ac.jp/records/73750f85bf0a6-00de-4d78-be3e-0d794465684f
| 名前 / ファイル | ライセンス | アクション |
|---|---|---|
IPSJ-JIP1900013.pdf (2.2 MB)
|
Copyright (c) 2011 by the Information Processing Society of Japan
|
|
| オープンアクセス | ||
| Item type | JInfP(1) | |||||||
|---|---|---|---|---|---|---|---|---|
| 公開日 | 2011-03-09 | |||||||
| タイトル | ||||||||
| タイトル | Your Sandbox is Blinded: Impact of Decoy Injection to Public Malware Analysis Systems | |||||||
| タイトル | ||||||||
| 言語 | en | |||||||
| タイトル | Your Sandbox is Blinded: Impact of Decoy Injection to Public Malware Analysis Systems | |||||||
| 言語 | ||||||||
| 言語 | eng | |||||||
| キーワード | ||||||||
| 主題Scheme | Other | |||||||
| 主題 | Regular Paper | |||||||
| 資源タイプ | ||||||||
| 資源タイプ識別子 | http://purl.org/coar/resource_type/c_6501 | |||||||
| 資源タイプ | journal article | |||||||
| 著者所属 | ||||||||
| Yokohama National University | ||||||||
| 著者所属 | ||||||||
| Yokohama National University | ||||||||
| 著者所属 | ||||||||
| Yokohama National University | ||||||||
| 著者所属 | ||||||||
| Yokohama National University | ||||||||
| 著者所属(英) | ||||||||
| en | ||||||||
| Yokohama National University | ||||||||
| 著者所属(英) | ||||||||
| en | ||||||||
| Yokohama National University | ||||||||
| 著者所属(英) | ||||||||
| en | ||||||||
| Yokohama National University | ||||||||
| 著者所属(英) | ||||||||
| en | ||||||||
| Yokohama National University | ||||||||
| 著者名 |
Katsunari, Yoshioka
Yoshihiko, Hosobuchi
Tatsunori, Orii
Tsutomu, Matsumoto
× Katsunari, Yoshioka Yoshihiko, Hosobuchi Tatsunori, Orii Tsutomu, Matsumoto
|
|||||||
| 著者名(英) |
Katsunari, Yoshioka
Yoshihiko, Hosobuchi
Tatsunori, Orii
Tsutomu, Matsumoto
× Katsunari, Yoshioka Yoshihiko, Hosobuchi Tatsunori, Orii Tsutomu, Matsumoto
|
|||||||
| 論文抄録 | ||||||||
| 内容記述タイプ | Other | |||||||
| 内容記述 | The use of public Malware Sandbox Analysis Systems (public MSASs) which receive online submissions of possibly malicious files or URLs from an arbitrary user, analyze their behavior by executing or visiting them by a testing environment (i.e., a sandbox), and send analysis reports back to the user, has increased in popularity. Consequently, anti-analysis techniques have also evolved from known technologies like anti-virtualization and anti-debugging to the detection of specific sandboxes by checking their unique characteristics such as a product ID of their OS and a usage of certain Dynamic Link Library (DLL) used in a particular sandbox. In this paper, we point out yet another important characteristic of the sandboxes, namely, their IP addresses. In public MSASs, the sandbox is often connected to the Internet in order to properly observe malware behavior as modern malware communicate with remote hosts in the Internet for various reasons, such as receiving command and control (C&C) messages and files for updates. We explain and demonstrate that the IP address of an Internet-connected sandbox can be easily disclosed by an attacker who submits a decoy sample dedicated to this purpose. The disclosed address can then be shared among attackers, blacklisted, and used against the analysis system, for example, to conceal potential malicious behavior of malware. We call the method Network-based Sandbox Detection by Decoy Injection (NSDI). We conducted case studies with 15 representative existing public MSASs, which were selected from 33 online malware analysis systems with careful screening processes, and confirmed that a hidden behavior of the malware samples was successfully concealed from all of the 15 analysis systems by NSDI. In addition, we found out the risk that a background analysis activity behind these systems can also be revealed by NSDI if the samples are shared among the systems without careful considerations. Moreover, about three months after our first case study it was reported that a real-world NSDI was conducted against several public MSASs. | |||||||
| 論文抄録(英) | ||||||||
| 内容記述タイプ | Other | |||||||
| 内容記述 | The use of public Malware Sandbox Analysis Systems (public MSASs) which receive online submissions of possibly malicious files or URLs from an arbitrary user, analyze their behavior by executing or visiting them by a testing environment (i.e., a sandbox), and send analysis reports back to the user, has increased in popularity. Consequently, anti-analysis techniques have also evolved from known technologies like anti-virtualization and anti-debugging to the detection of specific sandboxes by checking their unique characteristics such as a product ID of their OS and a usage of certain Dynamic Link Library (DLL) used in a particular sandbox. In this paper, we point out yet another important characteristic of the sandboxes, namely, their IP addresses. In public MSASs, the sandbox is often connected to the Internet in order to properly observe malware behavior as modern malware communicate with remote hosts in the Internet for various reasons, such as receiving command and control (C&C) messages and files for updates. We explain and demonstrate that the IP address of an Internet-connected sandbox can be easily disclosed by an attacker who submits a decoy sample dedicated to this purpose. The disclosed address can then be shared among attackers, blacklisted, and used against the analysis system, for example, to conceal potential malicious behavior of malware. We call the method Network-based Sandbox Detection by Decoy Injection (NSDI). We conducted case studies with 15 representative existing public MSASs, which were selected from 33 online malware analysis systems with careful screening processes, and confirmed that a hidden behavior of the malware samples was successfully concealed from all of the 15 analysis systems by NSDI. In addition, we found out the risk that a background analysis activity behind these systems can also be revealed by NSDI if the samples are shared among the systems without careful considerations. Moreover, about three months after our first case study it was reported that a real-world NSDI was conducted against several public MSASs. | |||||||
| 書誌レコードID | ||||||||
| 収録物識別子タイプ | NCID | |||||||
| 収録物識別子 | AA00700121 | |||||||
| 書誌情報 |
Journal of information processing 巻 19, p. 153-168, 発行日 2011-03-09 |
|||||||
| ISSN | ||||||||
| 収録物識別子タイプ | ISSN | |||||||
| 収録物識別子 | 1882-6652 | |||||||
| 出版者 | ||||||||
| 言語 | ja | |||||||
| 出版者 | 情報処理学会 | |||||||
