Advanced or Not? A Comparative Study of the Use of Anti-debugging and Anti-VM Techniques in Generic and Targeted Malware - ICT Systems Security and Privacy Protection
Conference paper, year: 2016


Abstract

Malware is becoming more and more advanced. As part of this sophistication, malware typically deploys various anti-debugging and anti-VM techniques to prevent detection and analysis. While defenders use debuggers and virtualized environments to analyze malware, malware authors have developed anti-debugging and anti-VM techniques to evade this defensive approach. In this paper, we investigate the use of anti-debugging and anti-VM techniques in modern malware, and compare their presence in 16,246 generic and 1,037 targeted malware samples (APTs). As part of this study we found several counter-intuitive trends. In particular, our study concludes that targeted malware does not use more anti-debugging and anti-VM techniques than generic malware, although targeted malware tends to have a lower antivirus detection rate. Moreover, this paper even identifies a decrease over time in the number of anti-VM techniques used in APTs and in the Winwebsec malware family.
Main file: 421518_1_En_22_Chapter.pdf (486.16 KB). Origin: files produced by the author(s).

Dates and versions

hal-01369566, version 1 (21-09-2016)

Cite

Ping Chen, Christophe Huygens, Lieven Desmet, Wouter Joosen. Advanced or Not? A Comparative Study of the Use of Anti-debugging and Anti-VM Techniques in Generic and Targeted Malware. 31st IFIP International Information Security and Privacy Conference (SEC), May 2016, Ghent, Belgium. pp.323-336, ⟨10.1007/978-3-319-33630-5_22⟩. ⟨hal-01369566⟩