Fighting Evasive Malware: How to Pass the Reverse Turing Test By Utilizing a VMI-Based Human Interaction Simulator

Gruber J, Freiling F (2022)


Publication Type: Conference contribution

Publication year: 2022

Publisher: Gesellschaft für Informatik (GI)

Book Volume: P-323

Pages Range: 49-64

Conference Proceedings Title: Lecture Notes in Informatics (LNI), Proceedings - Series of the Gesellschaft für Informatik (GI)

Event location: Karlsruhe DE

ISBN: 9783885797173

DOI: 10.18420/sicherheit2022_03

Abstract

Sandboxes are an indispensable tool in dynamic malware analysis today. However, modern malware often employs sandbox-detection methods to exhibit non-malicious behavior within sandboxes and therefore evade automatic analysis. One category of sandbox-detection techniques is the reverse Turing test (RTT), which tries to determine the presence of a human operator. In order to pass these RTTs, we propose a novel approach which builds upon virtual machine introspection (VMI) to automatically reconstruct the graphical user interface, determine clickable buttons and inject human interface device events via direct control of virtualized human interface devices in a stealthy way. We extend the VMI-based open-source sandbox DRAKVUF with our approach and show that it successfully passes RTTs commonly employed by malware in the wild to detect sandboxes.
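To make the problem concrete, the following added example (constructed here; it is not code from the paper or from DRAKVUF) models the two sides the abstract describes: a malware-side mouse RTT that only accepts a sequence of cursor movements ending in a click on a specific button, and a simulator that produces such a sequence for a button rectangle obtained from GUI reconstruction. The event format, the `Button` representation, the thresholds `min_samples` and `min_distance`, and the easing profile are all assumptions made for illustration; the paper's actual mechanism (VMI to locate the button, then feeding events through virtualized HIDs from outside the guest) is not reproduced, since that cannot run offline.

```python
"""
Constructed model of a mouse-based reverse Turing test (RTT) and of an
interaction simulator that has to satisfy it.  Illustrative only: not the
paper's code and not DRAKVUF code.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Button:
    # Screen rectangle of a clickable control, as a GUI-reconstruction step
    # might report it (assumed representation: top-left corner plus size).
    x: int
    y: int
    width: int
    height: int

    def contains(self, px, py):
        return (self.x <= px < self.x + self.width
                and self.y <= py < self.y + self.height)

    @property
    def center(self):
        return (self.x + self.width // 2, self.y + self.height // 2)


# HID event stream (assumed format): ("move", x, y) or ("click", x, y)
# with absolute screen coordinates.

def rtt_passes(events, button, min_samples=3, min_distance=50.0):
    """Malware-side check (constructed): assume a human is present only if
    the cursor was sampled at several positions, travelled at least
    `min_distance` pixels in total, and a click landed inside `button`."""
    positions = [(x, y) for kind, x, y in events if kind == "move"]
    clicks = [(x, y) for kind, x, y in events if kind == "click"]
    if len(positions) < min_samples:
        return False
    travelled = sum(math.dist(a, b) for a, b in zip(positions, positions[1:]))
    if travelled < min_distance:
        return False
    return any(button.contains(x, y) for x, y in clicks)


def naive_click(button):
    """What a simplistic injector produces: teleport the cursor onto the
    button and click.  No intermediate samples, so a movement-based RTT
    sees no 'human' motion."""
    cx, cy = button.center
    return [("move", cx, cy), ("click", cx, cy)]


def simulated_human_click(button, start=(0, 0), steps=12):
    """Simulator side: walk the cursor from `start` to the button centre in
    several steps with an ease-in/ease-out profile, then click.  The
    profile is an assumption; it only serves to avoid a constant-speed
    straight line in time."""
    sx, sy = start
    cx, cy = button.center
    events = []
    for i in range(1, steps + 1):
        t = i / steps
        e = (1 - math.cos(math.pi * t)) / 2   # 0 -> 1, slow at both ends
        events.append(("move",
                       round(sx + (cx - sx) * e),
                       round(sy + (cy - sy) * e)))
    events.append(("click", cx, cy))
    return events


if __name__ == "__main__":
    ok_button = Button(400, 300, 80, 30)       # e.g. an "OK" button
    print("no interaction :", rtt_passes([], ok_button))
    print("naive click    :", rtt_passes(naive_click(ok_button), ok_button))
    print("simulated human:", rtt_passes(simulated_human_click(ok_button),
                                         ok_button))
```

The point of the three calls at the bottom is that merely injecting a click is not enough: the check above rejects both the empty event stream and the teleport-and-click, and only the stream with plausible movement ending on the right control passes. A stricter RTT could additionally inspect timing or require the click to be on a particular control rather than anywhere on screen, which is why the simulator needs the button rectangle from GUI reconstruction rather than guessing coordinates.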


How to cite

APA:

Gruber, J., & Freiling, F. (2022). Fighting Evasive Malware: How to Pass the Reverse Turing Test By Utilizing a VMI-Based Human Interaction Simulator. In Christian Wressnegger, Delphine Reinhardt, Thomas Barber, Bernhard C. Witt, Daniel Arp, Zoltan Mann (Eds.), Lecture Notes in Informatics (LNI), Proceedings - Series of the Gesellschaft für Informatik (GI) (pp. 49-64). Karlsruhe, DE: Gesellschaft für Informatik (GI).

MLA:

Gruber, Jan, and Felix Freiling. "Fighting Evasive Malware: How to Pass the Reverse Turing Test By Utilizing a VMI-Based Human Interaction Simulator." Proceedings of the Sicherheit, Schutz und Zuverlässigkeit: Konferenzband der 11. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), Karlsruhe. Ed. Christian Wressnegger, Delphine Reinhardt, Thomas Barber, Bernhard C. Witt, Daniel Arp, Zoltan Mann, Gesellschaft für Informatik (GI), 2022. 49-64.
