Noninvasive detection of anti-forensic malware

Mordehai Guri, Gabi Kedma, Tom Sela, Buky Carmeli, Amit Rosner, Yuval Elovici

2013 8th International Conference on Malicious and Unwanted Software: "The …, 2013

Modern malicious programs often escape dynamic analysis by detecting forensic instrumentation within their own runtime environment. This has become a major challenge for malware researchers and analysts. Current defensive analysis of anti-forensic malware often requires painstaking step-by-step manual inspection, and code obfuscation may further complicate proper analysis. Furthermore, current defensive countermeasures are usually effective only against anti-forensic techniques that have already been identified. In this paper we propose a new method to detect and classify anti-forensic behavior by comparing the trace logs of the suspect program across different environments. Unlike previous works, the presented method is essentially noninvasive (it does not interfere with the original program flow). We separately trace the flow of instructions (opcodes) and the flow of input/output operations (IO). The two …
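As an added illustration of the idea in the abstract (not code from the paper or its authors), the following compares two constructed trace logs of the same program, one from a bare environment and one from an instrumented one, splitting each into an opcode stream and an IO stream and reporting where they diverge. The trace format, the first-divergence index and the similarity threshold are assumptions made here, since the abstract is truncated before it describes the actual comparison.

```python
"""Differential trace comparison: opcode stream vs. IO stream.
Illustrative only; trace format and metrics are assumptions."""
import difflib

# Constructed sample traces as (kind, value) events. In the instrumented
# run the program takes a different branch after its environment check,
# never writes its payload, and exits early.
BARE = [("op", "push"), ("op", "call"), ("io", "RegOpenKey HKLM\\Software"),
        ("op", "cmp"), ("op", "jne"), ("op", "mov"),
        ("io", "CreateFile payload.dat"), ("op", "call"),
        ("io", "connect 203.0.113.7:443")]
INSTRUMENTED = [("op", "push"), ("op", "call"),
                ("io", "RegOpenKey HKLM\\Software"), ("op", "cmp"),
                ("op", "jne"), ("op", "xor"), ("op", "call"),
                ("io", "ExitProcess")]

def split_streams(trace):
    """Separate a mixed trace into its opcode and IO streams."""
    ops = [v for k, v in trace if k == "op"]
    ios = [v for k, v in trace if k == "io"]
    return ops, ios

def first_divergence(a, b):
    """Index of the first differing event, or None if the streams match."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

def similarity(a, b):
    """Ratio in [0, 1] from difflib's longest-matching-block alignment."""
    return difflib.SequenceMatcher(None, a, b).ratio()

def classify(bare, instrumented, threshold=0.9):
    """Report divergence per stream and a verdict: which stream(s) differ."""
    ops_a, ios_a = split_streams(bare)
    ops_b, ios_b = split_streams(instrumented)
    report = {
        "opcode_divergence": first_divergence(ops_a, ops_b),
        "io_divergence": first_divergence(ios_a, ios_b),
        "opcode_similarity": round(similarity(ops_a, ops_b), 3),
        "io_similarity": round(similarity(ios_a, ios_b), 3),
    }
    op_diff = report["opcode_similarity"] < threshold
    io_diff = report["io_similarity"] < threshold
    report["verdict"] = ("both" if op_diff and io_diff else "opcode" if op_diff
                         else "io" if io_diff else "consistent")
    return report
```

Because the two streams are scored separately, a sample whose IO stream diverges while its opcode stream stays similar can be distinguished from one that changes control flow outright.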