DocumentCode :
2763965
Title :
Multiprocess malware
Author :
Ramilli, Marco ; Bishop, Matt ; Sun, Shining
Author_Institution :
DEIS, Univ. of Bologna, Cesena, Italy
fYear :
2011
fDate :
18-19 Oct. 2011
Firstpage :
8
Lastpage :
13
Abstract :
Malware behavior detectors observe the behavior of suspected malware by emulating its execution or executing it in a sandbox or other restrictive, instrumented environment. This assumes that the process, or process family, being monitored will exhibit the targeted behavior if it contains malware. We describe a technique for evading such detection by distributing the malware over multiple processes. We then present a method for countering this technique, and present results of tests that validate our claims.
Keywords :
invasive software; system monitoring; detection evasion; malware behavior detector; malware execution emulation; multiprocess malware; process monitoring; restrictive instrumented environment; sandbox execution; Detectors; Grippers; HTML; Internet; Software; Trojan horses;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Malicious and Unwanted Software (MALWARE), 2011 6th International Conference on
Conference_Location :
Fajardo
Print_ISBN :
978-1-4673-0031-5
Type :
conf
DOI :
10.1109/MALWARE.2011.6112320
Filename :
6112320