Large-Scale Analysis on Anti-Analysis Techniques in Real-World Malware

To dynamically identify malicious behaviors of millions of Windows malware, anti-virus vendors have widely been using sandbox-based analyzers. However, the sandbox-based analysis has a critical limitation that anti-analysis techniques (i.e., Anti-sandbox and Anti-VM techniques) can easily detect analyzers and evade from being analyzed. In this work, we study on anti-analysis techniques used in real-world malware. First off, to measure how many Windows malware exhibits anti-analysis techniques, we collect anti-analysis techniques used in malware. We, then, design and implement an automated system, named EvDetector, that detects malware which employ anti-analysis techniques. EvDetector finds if malware uses an anti-analysis technique and monitors whether the malware changes its execution paths based on the result of the anti-analysis technique. By using EvDetector, we analyzed 763,985 real-world malware that emerged from 2017 to 2020. Our evaluation results show that 16.21% of malware use anti-analysis techniques on average. Also, we check the effectiveness of the analysis result by comparing EvDetector and static analysis. EvDetector analyzes up to 49.88% of malware detected by static analysis did not use anti-analysis techniques. In addition, we analyze that only up to 3.75% of the packed malware used anti-analysis techniques. Finally, we analyze the evasive malware trend through familial analysis and behavioral analysis. Our work implies that the research community needs to put more effort on defeating such anti-analysis techniques to automatically analyze emerging malware and respond with them.