Time-based Evolution of Malware Behavior in Sandboxes
| Supervisor(s) | Julian Kirsch, Davide Balzarotti |
| Status | finished |
| Topic | Others |
| Author | Alexander Küchler |
| Submission | 2019-03-15 |
| Type of Thesis | Master's thesis |
Description:

Today, sandboxes are one of the most important techniques for dynamic malware analysis. To perform an analysis, the malware sample is executed in an instrumented and isolated environment for a certain amount of time. Because publicly available sandboxes have to serve a high number of requests, the time allotted to a single malware sample is often limited to only 1 or 2 minutes. However, so far no study of the evolution of malware behavior over time exists. Consequently, it is unknown whether such a limited amount of time is actually sufficient to decide whether a program is malicious or benign. We developed a custom sandbox, built on the PANDA full-system emulator, to address this gap in the current state of research. Our sandbox carries out a fine-grained study of the evolution of malware behavior over time. The core idea of the system is to run a malware sample for a long duration and measure how the code coverage evolves. Assuming that new behavior comes with newly executed code, the evolution of code coverage gives us a hint about the additional behavior a malware sample exhibits throughout its run-time. By executing this experiment for a large set of malware samples, we aim first to determine realistic values for malware code coverage in sandboxes and second to study the evolution of malware behavior. To extract high-level information about the malware's behavior, we further record all system calls and provide data lifting of system and API calls, as well as the disassembly of executed basic blocks, to identify different phases of the malware sample's lifecycle. We present the sandbox system together with preliminary results of the analysis.
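The measurement the abstract describes (run a sample for a long time, count how many previously unseen basic blocks appear in each time window, and treat bursts of new code as new behavioral phases) can be illustrated on a trace offline. The following is an added example written for this page, not code from the thesis or from PANDA. It assumes a trace of `(seconds_since_start, basic_block_address)` pairs, modelled on what a basic-block execution callback might emit; the trace itself is constructed here with invented addresses and timings (an unpacking stub, a main loop, a stage that only starts after a ten-minute delay, and a short final stage at thirty minutes) so that the effect of a 2-minute cut-off is visible.

```python
"""Coverage-over-time analysis of a constructed basic-block trace.

Added example for illustration only; not the thesis's sandbox code.
Trace format (assumption): list of (seconds_since_start, block_address).
"""


def constructed_trace():
    """Build an invented trace with four phases of activity.

    Phase 1 (0-9 s):      10 blocks, an unpacking stub, run once per second.
    Phase 2 (10-119 s):   16 blocks, the main loop, run every second.
    Phase 3 (600-659 s):  32 blocks, a stage that only starts after a delay.
    Phase 4 (1800-1809 s): 8 blocks, a short final stage.
    Addresses and timings are constructed, not observed.
    """
    trace = []
    for t in range(0, 10):
        trace.extend((t, 0x401000 + i * 0x10) for i in range(10))
    for t in range(10, 120):
        trace.extend((t, 0x402000 + i * 0x10) for i in range(16))
    for t in range(600, 660):
        trace.extend((t, 0x403000 + i * 0x10) for i in range(32))
    for t in range(1800, 1810):
        trace.extend((t, 0x404000 + i * 0x10) for i in range(8))
    return trace


def coverage_timeline(trace, bucket_seconds=60):
    """Return [(bucket_start, new_blocks, cumulative_blocks), ...].

    Every bucket from 0 up to the last active one is present, so idle
    periods (sleeps, waits) show up as buckets that add nothing.
    """
    per_bucket = {}
    last = 0
    for t, addr in trace:
        start = (t // bucket_seconds) * bucket_seconds
        per_bucket.setdefault(start, set()).add(addr)
        last = max(last, start)
    seen = set()
    timeline = []
    for start in range(0, last + bucket_seconds, bucket_seconds):
        blocks = per_bucket.get(start, set())
        new = blocks - seen          # blocks never executed before this bucket
        seen |= blocks
        timeline.append((start, len(new), len(seen)))
    return timeline


def coverage_fraction_at(timeline, cutoff_seconds):
    """Share of the whole run's coverage reached by buckets starting before cutoff.

    This is what a sandbox that stops at `cutoff_seconds` would have seen.
    """
    total = timeline[-1][2]
    reached = 0
    for start, _new, cumulative in timeline:
        if start < cutoff_seconds:
            reached = cumulative
    return reached / total


def phase_starts(timeline, min_new_blocks):
    """Bucket starts where a burst of new code follows a bucket that added none.

    A simple proxy for 'a new phase of behavior began here'.
    """
    starts = []
    prev_new = None
    for start, new, _cumulative in timeline:
        if new >= min_new_blocks and (prev_new is None or prev_new == 0):
            starts.append(start)
        prev_new = new
    return starts


if __name__ == "__main__":
    timeline = coverage_timeline(constructed_trace())
    for start, new, cumulative in timeline:
        if new:
            print(f"t={start:5d}s  new blocks={new:3d}  cumulative={cumulative:3d}")
    print(f"coverage reached by 120 s: {coverage_fraction_at(timeline, 120):.1%}")
    print(f"phase starts (>=5 new blocks): {phase_starts(timeline, 5)}")
```

On the constructed trace a 2-minute run observes 26 of the 66 blocks the sample eventually executes, and the phase detector flags activity at 0 s, 600 s and 1800 s; on real traces the bucket size and the `min_new_blocks` threshold would need tuning, and the disassembly of the blocks in each flagged bucket is what turns a coverage jump into a labelled lifecycle phase.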