Stealth sandbox analysis of malware

Abstract

Malware is one of the biggest problems of the world of bits and bytes. Generally malware does activities a user normally does not do, such as becoming part of a virtual army or submitting confidential data of the user to the malware author. There are publicly available analysis services for unknown binaries. Sandbox analysis is performed by execution of an untrusted binary in an isolated environment. It is a very common technique for malware research. Publicly available sandbox analysis platforms help users to see traces of the execution without harming their system. Also it helps owners of the sandbox to collect malware and makes the job of analysts easier. One major problem of the public sandbox testing is that malware authors can also benefit from analysis of sandboxes. If they can identify sandbox systems they can hide malicious behavior. This thesis presents the publicly used Anubis sandbox, detection mechanisms used against Anubis[3], further possible detection mechanisms and our efforts for hiding fingerprint of Anubis from malware and decreasing the resulting false negative rates for the malware detection.