Abstract
Malware is often designed to make analysis difficult – behaving differently if it detects that it is in an analysis environment. We propose that such anti-analysis malware can be detected by its anti-analysis behavior in terms of certain signals. Signals form semantic features of potential anti-analysis techniques and are characterized as weak, strong, or composite. We prototype a system to show the viability of detection. Experiments on malware and also non-malware show that both malware and non-malware can exhibit signals; however, anti-analysis malware tends to have more and stronger signals. We present the malware with an environment which behaves either like an analysis environment or not – we find that anti-analysis malware behaves differently in the two cases. Normal programs, however, do not exhibit such behavior even when they have some weak signals. Signal detection is shown to have the potential to distinguish anti-analysis malware from non-malware.
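To make the abstract's detection idea concrete, here is an added toy model (not the authors' prototype): behaviour-trace events are graded as weak or strong signals, co-occurring weak signals form a composite, and a sample is flagged only when it carries a strong enough signal score and its behaviour diverges between an analysis-like and a normal environment. The signal catalogue, weights, threshold and sample traces are all constructed assumptions.

```python
"""Toy model of signal-based anti-analysis detection.

Event names, weights, the composite rule, the threshold and the sample
traces below are constructed for illustration, not taken from the paper.
"""

WEAK = 1      # assumed weight: weak signals also occur in benign software
STRONG = 3    # assumed weight: strong signals are rarer in benign software

# Assumed catalogue of trace events that hint at environment probing.
SIGNALS = {
    "query_cpu_count": WEAK,
    "query_ram_size": WEAK,
    "read_bios_vendor": STRONG,
    "check_debugger_present": STRONG,
}
# Assumed composite: several weak probes together count as one strong signal.
COMPOSITES = {("query_cpu_count", "query_ram_size"): STRONG}


def score_signals(trace):
    """Sum the weights of individual and composite signals present in a trace."""
    present = {event for event in trace if event in SIGNALS}
    score = sum(SIGNALS[event] for event in present)
    for members, weight in COMPOSITES.items():
        if all(member in present for member in members):
            score += weight
    return score


def behaviour_diverges(trace_analysis, trace_normal):
    """True when the non-probing actions differ between the two environments."""
    def actions(trace):
        return [event for event in trace if event not in SIGNALS]
    return actions(trace_analysis) != actions(trace_normal)


def classify(trace_analysis, trace_normal, threshold=4):
    """Flag programs whose signal score reaches the threshold AND whose
    behaviour depends on which environment they observe."""
    score = max(score_signals(trace_analysis), score_signals(trace_normal))
    if score >= threshold and behaviour_diverges(trace_analysis, trace_normal):
        return "anti-analysis"
    if score > 0:
        return "benign-with-signals"
    return "benign"


# Constructed traces: the evasive sample exits early when it detects analysis,
# while a benign installer probes CPU/RAM but then behaves the same everywhere.
EVASIVE_IN_SANDBOX = ["check_debugger_present", "read_bios_vendor", "exit"]
EVASIVE_IN_NORMAL = ["check_debugger_present", "read_bios_vendor", "write_file", "connect"]
INSTALLER = ["query_cpu_count", "query_ram_size", "write_file"]
```

Running `classify(EVASIVE_IN_SANDBOX, EVASIVE_IN_NORMAL)` yields `"anti-analysis"`, while `classify(INSTALLER, INSTALLER)` yields `"benign-with-signals"` despite its composite signal, mirroring the abstract's observation that weak signals alone do not separate the two classes.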
Tan, J. W. J., & Yap, R. H. C. (2016). Detecting malware through anti-analysis signals - A preliminary study. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10052 LNCS, pp. 542–551). Springer Verlag. https://doi.org/10.1007/978-3-319-48965-0_33