Högskolan i Skövde

his.sePublications
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Impersonating a sandbox against evasive malware
University of Skövde, School of Informatics.
2022 (English)Independent thesis Advanced level (degree of Master (Two Years)), 20 credits / 30 HE creditsStudent thesis
Abstract [en]

The steadily increasing amount of malware puts an even larger amount of work required to analyze all the gathered samples. The current methods of analyzing malware come with their downsides such as inefficiency as a manual analysis requires a human or dynamic analysis that could be considered unreliable. The usage of dynamic malware analysis where the malware is executed in a sandbox environment is proven to be an efficient method of analyzing malware. As the techniques used to protect the system evolves, so do the attacking techniques. Some of the malware uses advanced evasion techniques to avoid detection from these sandbox analyzing environments, which causes the malware to be cleared and later executed in a real, target environment. These evasion techniques can find certain artifacts in the system which is inherent to a sandbox environment. Previous studies mention the lack of transparency between the virtual and physical host to be one of the bigger giveaways for the malware when looking for artifacts. There is also a grey area regarding how the malware acts and behaves, trying to assess and figure out if it is in a sandbox or not. This paper focused on creating a sandboxing analyzing environment within a physical machine, using all the dead giveaways by keeping the system as minimal as possible with only analyzing tools and software, in other words creating a fake sandbox environment. 12 samples of malware were analyzed in the two environments and the results show that the malware interacts more within the physical system and uses different APIs, System calls, and dlls compared to the virtual system. The malware samples, after its running process, resulted in similar activities on both systems which indicated that mimicking a sandbox could be effective to deter evasive malware. 

Place, publisher, year, edition, pages
2022. , p. 39
Keywords [en]
evasive, malware, malware analysis, comparison, sandbox
National Category
Information Systems
Identifiers
URN: urn:nbn:se:his:diva-22020OAI: oai:DiVA.org:his-22020DiVA, id: diva2:1708386
Subject / course
Informationsteknologi
Educational program
Privacy, Information and Cyber Security - Master's Programme 120 ECTS
Supervisors
Examiners
Available from: 2022-11-03 Created: 2022-11-03 Last updated: 2022-11-03Bibliographically approved

Open Access in DiVA

fulltext(599 kB)304 downloads
File information
File name FULLTEXT01.pdfFile size 599 kBChecksum SHA-512
069eadfd3db62878e70d7a552be50ce1193372142ccfc808bc5598d81e9f8df42f8505dc1d33115d3ec1d3c4dd77cf97faceb31b3dd3fcb5eb207d80b0f61dc0
Type fulltextMimetype application/pdf

By organisation
School of Informatics
Information Systems

Search outside of DiVA

GoogleGoogle Scholar
Total: 304 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

urn-nbn

Altmetric score

urn-nbn
Total: 1071 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf