Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information in the reports produced by these services have also helped attackers test the efficacy of numerous techniques to make malware hard to detect.
The most common technique used by malware for evading the analysis system is to monitor the execution environment, detect the presence of any debugging artifacts, and hide its malicious behavior if needed. This is usually achieved by looking for signals suggesting that the execution environment does not belong to a native machine, such as specific memory patterns or behavioral traits of certain CPU instructions.
In this paper, we show how an attacker can evade detection on such analysis services by incorporating a Proof-of-Work (PoW) algorithm into a malware sample. Specifically, we leverage the asymptotic behavior of the computational cost of PoW algorithms when they run on some classes of hardware platforms to effectively detect a non bare-metal environment of the malware sandbox analyzer. To prove the validity of this intuition, we design and implement Scramblesuit, a framework to automatically (i) implement sandbox detection strategies, and (ii) embed a test evasion program into an arbitrary malware sample. We perform a comprehensive evaluation ofScramblesuitacross a wide range of: 1) COTS architectures (ARM, Apple M1, i9, i7 and Xeon), 2) malware families, and 3) online sandboxes (JoeSandbox, Sysinternals, C2AE, Zenbox, Dr.Web VX Cube, Tencent HABO, YOMI Hunter). Our empirical evaluation shows that a PoW-based evasion technique is hard to fingerprint, and reduces existing malware detection rate by a factor of 10. The only plausible counter-measure toScramblesuitis to rely on bare-metal online malware scanners, which is unrealistic given they currently handle millions of daily submissions.
M.Bakker and R.Van Der Jagt, Gpu-based password cracking, Technical Report, 2010.
12.
D.Balzarotti, M.Cova, C.Karlberger and G.Vigna, Efficient detection of split personalities in malware, in: Proc. 17th Annual Network and Distributed System Security Symposium (NDSS), 2010, 2010.
13.
U.Bayer, P.Milani Comparetti, C.Hlauschek, C.Krügel and E.Kirda, Scalable, behavior-based malware clustering, in: NDSS, The Internet Society, 2009.
14.
L.Bilge, E.Kirda, C.Kruegel and M.Balduzzi, EXPOSURE: Finding malicious domains using passive DNS analysis, in: Proceedings of the Network and Distributed System Security Symposium, NDSS 2011, San Diego, California, USA, 6th February – 9th February 2011, The Internet Society, 2011.
15.
A.Biryukov, D.Dinu and D.Khovratovich, Argon2: New generation of memory-hard functions for password hashing and other applications, in: IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbrücken, Germany, March 21–24, 2016, 2016.
J.Blackthorne, A.Bulazel, A.Fasano, P.Biernat and B.Y.Avleak, Fingerprinting antivirus emulators through black-box testing, in: 10th USENIX Workshop on Offensive Technologies (WOOT 16), USENIX Association, Austin, TX, 2016.
18.
G.Bonfante, J.Fernandez, J.-Y.Marion, B.Rouxel, F.Sabatier and A.T.Codisasm, Medium scale concatic disassembly of self-modifying binaries with overlapping instructions, in: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS’15, 2015.
19.
M.Brengel, M.Backes and C.Rossow, Detecting hardware-assisted virtualization, in: Proceedings of the 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment – Volume 9721, DIMVA 2016, Springer-Verlag, Berlin, Heidelberg, 2016, pp. 207–227.
J.Caballero, C.Grier, C.Kreibich and V.Paxson, Measuring pay-per-install: The commoditization of malware distribution, in: Proceedings of the 20th USENIX Security Symposium, 2011.
22.
D.Canali, A.Lanzi, D.Balzarotti, C.Kruegel, M.Christodorescu and E.Kirda, A quantitative study of accuracy in system call-based malware detection, in: International Symposium on Software Testing and Analysis, ISSTA 2012, Minneapolis, MN, USA, July 15–20, 2012, M.P.E.Heimdahl and Z.Su, eds, ACM, 2012, pp. 122–132.
23.
X.Chen, J.Andersen, Z.Morley Mao, M.Bailey and J.Nazario, Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware, in: 2008 IEEE International Conference on Dependable Systems and Networks with FTCS and DCC (DSN), IEEE, 2008, pp. 177–186. doi:10.1109/DSN.2008.4630086.
24.
F.Z.Chowdhury, L.B.M.Kiah, M.A.M.Ahsan and M.Y.I.B.Idris, Economic denial of sustainability (edos) mitigation approaches in cloud: Analysis and open challenges, in: 2017 International Conference on Electrical Engineering and Computer Science (ICECOS), 2017, pp. 206–211. doi:10.1109/ICECOS.2017.8167135.
25.
Chronicle Security. File statistics during last 7 days. https://www.virustotal.com/en/statistics/, 2020.
26.
L.L.V.M.Clang, a c language family frontend for llvm, 2020, https://clang.llvm.org/.
27.
J.Coker, Evasive malware threats on the rise despite decline in overall attacks, 2020, https://www.infosecurity-magazine.com/news/evasive-malware-rise-decline/.
28.
Cybersecurity Ventures. Global cybercrime damages predicted to reach $6 trillion annually by 2021. https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/, 2018.
29.
D.C.D’Elia, E.Coppa, F.Palmaro and L.Cavallaro, On the dissection of evasive malware, Vol. 15, 2020, pp. 2750–2765.
A.Dinaburg, P.Royal, M.Sharif and W.L.Ether, Malware analysis via hardware virtualization extensions, in: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS’08, Association for Computing Machinery, New York, NY, USA, 2008, pp. 51–62.
32.
A.Dinaburg, P.Royal, M.Sharif and W.Lee, Ether: Malware analysis via hardware virtualization extensions, in: Proceedings of the 15th ACM Conference on Computer and Communications Security, 2008, pp. 51–62. doi:10.1145/1455770.1455779.
33.
J.Dugan, S.Elliott, B.A.Mah, J.Poskanzer and K.Prabhu, iperf – the ultimate speed test tool for tcp, udp and sctp, 2020, https://iperf.fr/.
34.
C.Dwork and M.Naor, Pricing via processing or combatting junk mail, in: Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO’92, Springer-Verlag, 1992.
35.
R.Feldman and I.Dagan, Knowledge discovery in textual databases (kdt), in: Proceedings of the First International Conference on Knowledge Discovery and Data Mining, KDD’95, AAAI Press, 1995, pp. 112–117.
36.
D.Fisher, Cryptographers aim to find new password hashing algorithm, 2013, https://threatpost.com/cryptographers-aim-find-new-password-hashing-algorithm-021513/77535/.
37.
J.Franklin, M.Luk, J.M.McCune, A.Seshadri, A.Perrig and L.Van Doorn, Remote detection of virtual machine monitors with fuzzy benchmarking, ACM SIGOPS Operating Systems Review42(3) (2008), 83–92. doi:10.1145/1368506.1368518.
38.
M.Graziano, D.Canali, L.Bilge, A.Lanzi and D.Balzarotti, Needles in a haystack: Mining information from public dynamic analysis sandboxes for malware intelligence, in: Proceedings of the 24rd USENIX Security Symposium (USENIX Security), 2015.
39.
G.Gu, V.Yegneswaran, P.Porras, J.Stoll and W.Lee, Active botnet probing to identify obscure command and control channels, in: Proceedings of 2009 Annual Computer Security Applications Conference (ACSAC’09), 2009.
M.Hellman, A cryptanalytic time-memory trade-off, IEEE Transactions on Information Theory26(4) (1980), 401–406. doi:10.1109/TIT.1980.1056220.
42.
G.Ho, D.Boneh, L.Ballard and N.Provos, Tick tock: Building browser red pills from timing side channels, in: 8th {USENIX} Workshop on Offensive Technologies ({WOOT} 14), 2014.
43.
T.Hornby and A.Peslyak, yescrypt – scalable kdf and password hashing scheme, 2015, www.openwall.com/yescrypt.
44.
T.Huo, X.Meng, W.Wang, C.Hao, P.Zhao, J.Zhai and M.Li, Bluethunder: A 2-level directional predictor based side-channel attack against sgx, Vol. 2020, 2019, pp. 321–347.
45.
Infosecurity Magazine. Cybercrime costs global economy $2.9m per minute. https://www.infosecurity-magazine.com/news/cybercrime-costs-global-economy/, 2019.
46.
M.G.Kang, P.Poosankam and H.Y.Renovo, A hidden code extractor for packed executables, in: Proceedings of the 2007 ACM Workshop on Recurring Malcode, WORM’07, Association for Computing Machinery, New York, NY, USA, 2007, pp. 46–53. doi:10.1145/1314389.1314399.
47.
D.Kirat, G.Vigna and C.K.Barecloud, Bare-metal analysis-based evasive malware detection, in: 23rd USENIX Security Symposium (USENIX Security 14), USENIX Association, San Diego, CA, 2014, pp. 287–301.
48.
P.Kocher, J.Horn, A.Fogh, D.Genkin, D.Gruss, W.Haas, M.Hamburg, M.Lipp, S.Mangard, T.Prescher, M.Schwarz and Y.Yarom, Spectre attacks: Exploiting speculative execution, in: 40th IEEE Symposium on Security and Privacy (S&P’19), 2019.
49.
P.C.Kocher, Timing attacks on implementations of Diffie-Hellman, rsa, dss, and other systems, in: Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO’96, Springer-Verlag, Berlin, Heidelberg, 1996, pp. 104–113.
50.
P.C.Kocher, J.Jaffe and B.Jun, Differential power analysis, in: Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO’99, Springer-Verlag, Berlin, Heidelberg, 1999, pp. 388–397. doi:10.1007/3-540-48405-1_25.
51.
C.Kolbitsch, T.Holz, C.Kruegel and E.Kirda, Inspector gadget: Automated extraction of proprietary gadgets from malware binaries, in: 31st IEEE Symposium on Security and Privacy, S&P 2010, 16–19 May 2010, IEEE Computer Society, Berleley/Oakland, California, USA, 2010, pp. 29–44. doi:10.1109/SP.2010.10.
52.
P.Kotzias, L.Bilge and J.Caballero, Measuring PUP prevalence and PUP distribution through pay-per-install services, in: Proceedings of the 25th USENIX Security Symposium, 2016.
53.
P.Labs, Filecoin: a decentralized storage network, 2020, https://filecoin.io/.
54.
A.Lanzi, D.Balzarotti, C.Kruegel, M.Christodorescu and E.Kirda, Accessminer: Using system-centric models for malware protection, in: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA, October 4–8, 2010, E.Al-Shaer, A.D.Keromytis and V.Shmatikov, eds, ACM, 2010, pp. 399–412.
B.Laurie and R.Clayton, Proof-of-work proves not to work; version 0.2, in: Workshop on Economics and Information, Security, 2004.
57.
L.W.Li, G.Duc and R.Pacalet, Hardware-assisted memory tracing on new socs embedding fpga fabrics, in: Proceedings of the 31st Annual Computer Security Applications Conference, ACSAC 2015, Association for Computing Machinery, New York, NY, USA, 2015, pp. 461–470.
58.
M.Lindorfer, C.Kolbitsch and P.Milani Comparetti, Detecting environment-sensitive malware, in: International Workshop on Recent Advances in Intrusion Detection, Springer, 2011, pp. 338–357. doi:10.1007/978-3-642-23644-0_18.
59.
M.Lipp, M.Schwarz, D.Gruss, T.Prescher, W.Haas, A.Fogh, J.Horn, S.Mangard, P.Kocher, D.Genkin, Y.Yarom and M.Hamburg, Meltdown: Reading kernel memory from user space, in: 27th USENIX Security Symposium (USENIX Security 18), 2018.
60.
L.Martignoni, M.Christodorescu and S.J.Omniunpack, Fast, generic, and safe unpacking of malware, in: ACSAC07, 2007.
61.
L.Martignoni, R.Paleari, G.Fresi Roglia and D.Bruschi, Testing CPU emulators, in: Proceedings of the 2009 International Conference on Software Testing and Analysis (ISSTA), ACM, Chicago, Illinois, USA, 2009, pp. 261–272.
62.
L.Martignoni, R.Paleari, G.Fresi Roglia and D.Bruschi, Testing system virtual machines, in: Proceedings of the 2010 International Symposium on Testing and Analysis (ISSTA), Trento, Italy, 2010.
63.
MDN web docs. performance.now(). https://developer.mozilla.org/en-US/docs/Web/API/Performance/now, 2020.
64.
N.Miramirkhani, M.P.Appini, N.Nikiforakis and M.Polychronakis, Spotless sandboxes: Evading malware analysis systems using wear-and-tear artifacts, in: 2017 IEEE Symposium on Security and Privacy (SP), 2017, pp. 1009–1024. doi:10.1109/SP.2017.42.
65.
A.Moser, C.Krügel and E.Kirda, Exploring multiple execution paths for malware analysis, in: 2007 IEEE Symposium on Security and Privacy (S&P 2007), 20–23 May 2007, IEEE Computer Society, Oakland, California, USA, 2007, pp. 231–245. doi:10.1109/SP.2007.17.
66.
S.Nakamoto, Bitcoin: A peer-to-peer electronic cash system,”, http://bitcoin.org/bitcoin.pdf.
67.
A.Nappa, P.Papadopoulos, M.Varvello, D.Aceituno Gomez, J.Tapiador and A.Lanzi, Pow-how: An enduring timing side-channel to evade online malware sandboxes, in: Computer Security – ESORICS 2021, E.Bertino, H.Shulman and M.Waidner, eds, Springer International Publishing, Cham, 2021, pp. 86–109. doi:10.1007/978-3-030-88418-5_5.
68.
A.Nappa, P.Papadopoulos, M.Varvello, J.Tapiador and A.Lanzi, PoC Behaviour (No Evasion) – anonymized, 2020, anonymized.
69.
A.Nappa, P.Papadopoulos, M.Varvello, J.Tapiador and A.Lanzi, 2021, Artifact repository, https://github.com/artifactrepo/Esorics2021_Paper159.
A.Nappa, Z.Xu, M.Zubair Rafique, J.Caballero and G.Gu.Cyberprobe, Towards Internet-scale active detection of malicious servers, in: Proceedings of the 21st Annual Network and Distributed System Security Symposium (NDSS’14), 2014.
C.Oprişa and N.Ignat, A measure of similarity for binary programs with a hierarchical structure, in: 2015 IEEE International Conference on Intelligent Computer Communication and Processing (ICCP), 2015, pp. 117–123. doi:10.1109/ICCP.2015.7312615.
74.
Oreans. Advanced windows software protection system. https://www.oreans.com/themida.php, 2020.
R.Paleari, L.Martignoni, G.Fresi Roglia and D.Bruschi, A fistful of red-pills: How to automatically generate procedures to detect cpu emulators, in: Proceedings of the 3rd USENIX Conference on Offensive Technologies, WOOT’09, USENIX Association, USA, 2009, p. 2.
77.
T.Raffetseder, C.Krügel and E.Kirda, Detecting system emulators, in: Information Security, 10th International Conference, ISC 2007, Proceedings, Valparaíso, Chile, October 9–12, 2007, J.A.Garay, A.K.Lenstra, M.Mambo and R.Peralta, eds, Lecture Notes in Computer Science, Vol. 4779, Springer, 2007, pp. 1–18.
M.Sharif, A.Lanzi, J.Giffin and W.Lee, Automatic reverse engineering of malware emulators, Security and Privacy, IEEE Symposium on0 (2009), 94–109.
94.
R.Tanabe, W.Ueno, K.Ishii, K.Yoshioka, T.Matsumoto, T.Kasama, D.Inoue and C.Rossow, Evasive malware via identifier implanting, in: Detection of Intrusions and Malware, and Vulnerability Assessment, C.Giuffrida, S.Bardin and G.Blanc, eds, Springer International Publishing, Cham, 2018, pp. 162–184. doi:10.1007/978-3-319-93411-2_8.
95.
The Boost organization. Boost c++ libraries, 2020, https://www.boost.org/.
96.
J.Tromp, Cuckoo cycle: A memory bound graph-theoretic proof-of-work, in: International Conference on Financial Cryptography and Data Security, Springer, 2015, pp. 49–62. doi:10.1007/978-3-662-48051-9_4.
X.Ugarte-Pedrero, D.Balzarotti, I.Santos and P.G.Bringas, Sok: Deep packer inspection: A longitudinal study of the complexity of run-time packers, in: 2015 IEEE Symposium on Security and Privacy, 2015, pp. 659–673. doi:10.1109/SP.2015.46.
99.
I.Ul Haq, S.Chica, J.Caballero and S.Jha, Malware Lineage in the Wild. Computers & Security78(C) (2018), 347–363.
100.
J.Van Bulck, M.Minkin, O.Weisse, D.Genkin, B.Kasikci, F.Piessens, M.Silberstein, T.F.Wenisch, Y.Yarom and R.S.Foreshadow, Extracting the keys to the intel sgx kingdom with transient out-of-order execution, in: Proceedings of the 27th USENIX Conference on Security Symposium, SEC’18, USENIX Association, USA, 2018, pp. 991–1008.
101.
VirusShare. Virusshare.com – because sharing is caring. https://virusshare.com/l, 2020.
102.
T.Wang, T.Wei, G.Gu and W.Z.Taintscope, A checksum-aware directed fuzzing tool for automatic software vulnerability detection, in: Proceedings of the 31st IEEE Symposium on Security and Privacy (Oakland’10), 2010.
Z.Xu, A.Nappa, R.Baykov, G.Yang, J.Caballero and G.Gu.AutoProbe, Towards automatic active malicious server probing using dynamic binary analysis, in: Proceedings of the 21st ACM Conference on Computer and Communication Security, 2014.
108.
A.Yokoyama, K.Ishii, R.Tanabe, Y.Papa, K.Yoshioka, T.Matsumoto, T.Kasama, D.Inoue, M.Brengel, M.Backes and C.R.Sandprint, Fingerprinting malware sandboxes to provide intelligence for sandbox evasion, in: Research in Attacks, Intrusions, and Defenses, F.Monrose, M.Dacier, G.Blanc and J.Garcia-Alfaro, eds, Springer International Publishing, 2016.
