Scramblesuit: An effective timing side-channels framework for malware sandbox evasion1
Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and ident...
Gespeichert in:
| Veröffentlicht in: | Journal of computer security 2022-11, Vol.30 (6), p.851-876 |
|---|---|
| Hauptverfasser: | , , , , , |
| Format: | Artikel |
| Sprache: | eng |
| Online-Zugang: | Volltext |
| Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
| container_end_page | 876 |
|---|---|
| container_issue | 6 |
| container_start_page | 851 |
| container_title | Journal of computer security |
| container_volume | 30 |
| creator | Nappa, Antonio Úbeda-Portugués, Aaron Papadopoulos, Panagiotis Varvello, Matteo Tapiador, Juan Lanzi, Andrea |
| description | Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information in the reports produced by these services have also helped attackers test the efficacy of numerous techniques to make malware hard to detect. The most common technique used by malware for evading the analysis system is to monitor the execution environment, detect the presence of any debugging artifacts, and hide its malicious behavior if needed. This is usually achieved by looking for signals suggesting that the execution environment does not belong to a native machine, such as specific memory patterns or behavioral traits of certain CPU instructions. In this paper, we show how an attacker can evade detection on such analysis services by incorporating a Proof-of-Work (PoW) algorithm into a malware sample. Specifically, we leverage the asymptotic behavior of the computational cost of PoW algorithms when they run on some classes of hardware platforms to effectively detect a non bare-metal environment of the malware sandbox analyzer. To prove the validity of this intuition, we design and implement Scramblesuit, a framework to automatically (i) implement sandbox detection strategies, and (ii) embed a test evasion program into an arbitrary malware sample. We perform a comprehensive evaluation of Scramblesuit across a wide range of: 1) COTS architectures (ARM, Apple M1, i9, i7 and Xeon), 2) malware families, and 3) online sandboxes (JoeSandbox, Sysinternals, C2AE, Zenbox, Dr.Web VX Cube, Tencent HABO, YOMI Hunter). Our empirical evaluation shows that a PoW-based evasion technique is hard to fingerprint, and reduces existing malware detection rate by a factor of 10. The only plausible counter-measure to Scramblesuit is to rely on bare-metal online malware scanners, which is unrealistic given they currently handle millions of daily submissions. |
| doi_str_mv | 10.3233/JCS-220005 |
| format | Article |
| fullrecord | <record><control><sourceid>crossref</sourceid><recordid>TN_cdi_crossref_primary_10_3233_JCS_220005</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>10_3233_JCS_220005</sourcerecordid><originalsourceid>FETCH-crossref_primary_10_3233_JCS_2200053</originalsourceid><addsrcrecordid>eNqVzrFuwjAUhWGrolJD24UnuDNSiu00JGFDUVHVlarqZplwDYbERr4h0LcniL4A0xnOP3yMjQR_S2SSTL7KZSwl5zx9YJHIszTOC_k-YBEv5LR_st8nNiTacS6FKPKI_SyroJtVjXS07QzmDtAYrFrbIbS2sW4DZNcYV1vtHNYEps_x5MMejA_Q6PqkAwJpt175M2CnyXonXtij0TXh6_8-s_Hi47v8jKvgiQIadQi20eFPCa6uctXL1U2e3BVfAMB1Smg</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype></control><display><type>article</type><title>Scramblesuit: An effective timing side-channels framework for malware sandbox evasion1</title><source>EBSCOhost Business Source Complete</source><creator>Nappa, Antonio ; Úbeda-Portugués, Aaron ; Papadopoulos, Panagiotis ; Varvello, Matteo ; Tapiador, Juan ; Lanzi, Andrea</creator><creatorcontrib>Nappa, Antonio ; Úbeda-Portugués, Aaron ; Papadopoulos, Panagiotis ; Varvello, Matteo ; Tapiador, Juan ; Lanzi, Andrea</creatorcontrib><description>Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information in the reports produced by these services have also helped attackers test the efficacy of numerous techniques to make malware hard to detect. The most common technique used by malware for evading the analysis system is to monitor the execution environment, detect the presence of any debugging artifacts, and hide its malicious behavior if needed. This is usually achieved by looking for signals suggesting that the execution environment does not belong to a native machine, such as specific memory patterns or behavioral traits of certain CPU instructions. In this paper, we show how an attacker can evade detection on such analysis services by incorporating a Proof-of-Work (PoW) algorithm into a malware sample. Specifically, we leverage the asymptotic behavior of the computational cost of PoW algorithms when they run on some classes of hardware platforms to effectively detect a non bare-metal environment of the malware sandbox analyzer. To prove the validity of this intuition, we design and implement Scramblesuit, a framework to automatically (i) implement sandbox detection strategies, and (ii) embed a test evasion program into an arbitrary malware sample. We perform a comprehensive evaluation of Scramblesuit across a wide range of: 1) COTS architectures (ARM, Apple M1, i9, i7 and Xeon), 2) malware families, and 3) online sandboxes (JoeSandbox, Sysinternals, C2AE, Zenbox, Dr.Web VX Cube, Tencent HABO, YOMI Hunter). Our empirical evaluation shows that a PoW-based evasion technique is hard to fingerprint, and reduces existing malware detection rate by a factor of 10. The only plausible counter-measure to Scramblesuit is to rely on bare-metal online malware scanners, which is unrealistic given they currently handle millions of daily submissions.</description><identifier>ISSN: 0926-227X</identifier><identifier>EISSN: 1875-8924</identifier><identifier>DOI: 10.3233/JCS-220005</identifier><language>eng</language><ispartof>Journal of computer security, 2022-11, Vol.30 (6), p.851-876</ispartof><lds50>peer_reviewed</lds50><woscitedreferencessubscribed>false</woscitedreferencessubscribed><cites>FETCH-crossref_primary_10_3233_JCS_2200053</cites></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>314,776,780,27901,27902</link.rule.ids></links><search><creatorcontrib>Nappa, Antonio</creatorcontrib><creatorcontrib>Úbeda-Portugués, Aaron</creatorcontrib><creatorcontrib>Papadopoulos, Panagiotis</creatorcontrib><creatorcontrib>Varvello, Matteo</creatorcontrib><creatorcontrib>Tapiador, Juan</creatorcontrib><creatorcontrib>Lanzi, Andrea</creatorcontrib><title>Scramblesuit: An effective timing side-channels framework for malware sandbox evasion1</title><title>Journal of computer security</title><description>Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information in the reports produced by these services have also helped attackers test the efficacy of numerous techniques to make malware hard to detect. The most common technique used by malware for evading the analysis system is to monitor the execution environment, detect the presence of any debugging artifacts, and hide its malicious behavior if needed. This is usually achieved by looking for signals suggesting that the execution environment does not belong to a native machine, such as specific memory patterns or behavioral traits of certain CPU instructions. In this paper, we show how an attacker can evade detection on such analysis services by incorporating a Proof-of-Work (PoW) algorithm into a malware sample. Specifically, we leverage the asymptotic behavior of the computational cost of PoW algorithms when they run on some classes of hardware platforms to effectively detect a non bare-metal environment of the malware sandbox analyzer. To prove the validity of this intuition, we design and implement Scramblesuit, a framework to automatically (i) implement sandbox detection strategies, and (ii) embed a test evasion program into an arbitrary malware sample. We perform a comprehensive evaluation of Scramblesuit across a wide range of: 1) COTS architectures (ARM, Apple M1, i9, i7 and Xeon), 2) malware families, and 3) online sandboxes (JoeSandbox, Sysinternals, C2AE, Zenbox, Dr.Web VX Cube, Tencent HABO, YOMI Hunter). Our empirical evaluation shows that a PoW-based evasion technique is hard to fingerprint, and reduces existing malware detection rate by a factor of 10. The only plausible counter-measure to Scramblesuit is to rely on bare-metal online malware scanners, which is unrealistic given they currently handle millions of daily submissions.</description><issn>0926-227X</issn><issn>1875-8924</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2022</creationdate><recordtype>article</recordtype><recordid>eNqVzrFuwjAUhWGrolJD24UnuDNSiu00JGFDUVHVlarqZplwDYbERr4h0LcniL4A0xnOP3yMjQR_S2SSTL7KZSwl5zx9YJHIszTOC_k-YBEv5LR_st8nNiTacS6FKPKI_SyroJtVjXS07QzmDtAYrFrbIbS2sW4DZNcYV1vtHNYEps_x5MMejA_Q6PqkAwJpt175M2CnyXonXtij0TXh6_8-s_Hi47v8jKvgiQIadQi20eFPCa6uctXL1U2e3BVfAMB1Smg</recordid><startdate>20221123</startdate><enddate>20221123</enddate><creator>Nappa, Antonio</creator><creator>Úbeda-Portugués, Aaron</creator><creator>Papadopoulos, Panagiotis</creator><creator>Varvello, Matteo</creator><creator>Tapiador, Juan</creator><creator>Lanzi, Andrea</creator><scope>AAYXX</scope><scope>CITATION</scope></search><sort><creationdate>20221123</creationdate><title>Scramblesuit: An effective timing side-channels framework for malware sandbox evasion1</title><author>Nappa, Antonio ; Úbeda-Portugués, Aaron ; Papadopoulos, Panagiotis ; Varvello, Matteo ; Tapiador, Juan ; Lanzi, Andrea</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-crossref_primary_10_3233_JCS_2200053</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2022</creationdate><toplevel>peer_reviewed</toplevel><toplevel>online_resources</toplevel><creatorcontrib>Nappa, Antonio</creatorcontrib><creatorcontrib>Úbeda-Portugués, Aaron</creatorcontrib><creatorcontrib>Papadopoulos, Panagiotis</creatorcontrib><creatorcontrib>Varvello, Matteo</creatorcontrib><creatorcontrib>Tapiador, Juan</creatorcontrib><creatorcontrib>Lanzi, Andrea</creatorcontrib><collection>CrossRef</collection><jtitle>Journal of computer security</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Nappa, Antonio</au><au>Úbeda-Portugués, Aaron</au><au>Papadopoulos, Panagiotis</au><au>Varvello, Matteo</au><au>Tapiador, Juan</au><au>Lanzi, Andrea</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Scramblesuit: An effective timing side-channels framework for malware sandbox evasion1</atitle><jtitle>Journal of computer security</jtitle><date>2022-11-23</date><risdate>2022</risdate><volume>30</volume><issue>6</issue><spage>851</spage><epage>876</epage><pages>851-876</pages><issn>0926-227X</issn><eissn>1875-8924</eissn><abstract>Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information in the reports produced by these services have also helped attackers test the efficacy of numerous techniques to make malware hard to detect. The most common technique used by malware for evading the analysis system is to monitor the execution environment, detect the presence of any debugging artifacts, and hide its malicious behavior if needed. This is usually achieved by looking for signals suggesting that the execution environment does not belong to a native machine, such as specific memory patterns or behavioral traits of certain CPU instructions. In this paper, we show how an attacker can evade detection on such analysis services by incorporating a Proof-of-Work (PoW) algorithm into a malware sample. Specifically, we leverage the asymptotic behavior of the computational cost of PoW algorithms when they run on some classes of hardware platforms to effectively detect a non bare-metal environment of the malware sandbox analyzer. To prove the validity of this intuition, we design and implement Scramblesuit, a framework to automatically (i) implement sandbox detection strategies, and (ii) embed a test evasion program into an arbitrary malware sample. We perform a comprehensive evaluation of Scramblesuit across a wide range of: 1) COTS architectures (ARM, Apple M1, i9, i7 and Xeon), 2) malware families, and 3) online sandboxes (JoeSandbox, Sysinternals, C2AE, Zenbox, Dr.Web VX Cube, Tencent HABO, YOMI Hunter). Our empirical evaluation shows that a PoW-based evasion technique is hard to fingerprint, and reduces existing malware detection rate by a factor of 10. The only plausible counter-measure to Scramblesuit is to rely on bare-metal online malware scanners, which is unrealistic given they currently handle millions of daily submissions.</abstract><doi>10.3233/JCS-220005</doi></addata></record> |
| fulltext | fulltext |
| identifier | ISSN: 0926-227X |
| ispartof | Journal of computer security, 2022-11, Vol.30 (6), p.851-876 |
| issn | 0926-227X 1875-8924 |
| language | eng |
| recordid | cdi_crossref_primary_10_3233_JCS_220005 |
| source | EBSCOhost Business Source Complete |
| title | Scramblesuit: An effective timing side-channels framework for malware sandbox evasion1 |
| url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-21T19%3A51%3A11IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-crossref&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Scramblesuit:%20An%20effective%20timing%20side-channels%20framework%20for%20malware%20sandbox%20evasion1&rft.jtitle=Journal%20of%20computer%20security&rft.au=Nappa,%20Antonio&rft.date=2022-11-23&rft.volume=30&rft.issue=6&rft.spage=851&rft.epage=876&rft.pages=851-876&rft.issn=0926-227X&rft.eissn=1875-8924&rft_id=info:doi/10.3233/JCS-220005&rft_dat=%3Ccrossref%3E10_3233_JCS_220005%3C/crossref%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |