Lindorfer, M. (2015). Malware through the looking glass : malware analysis in an evolving threat landscape [Dissertation, Technische Universität Wien]. reposiTUm. https://doi.org/10.34726/hss.2015.35065
E188 - Institute of Software Technology and Interactive Systems (Institut für Softwaretechnik und Interaktive Systeme)
Date (published): 2015
Number of Pages: 145
Keywords: Security; Malware; Information Security; Systems Security; Code Analysis
Abstract (en):
Malware has become a multi-million-dollar industry and the basis of many forms of cybercrime. Motivated by financial gain, malware authors constantly evolve their code to evade security defenses and to exploit new monetization techniques. Developing effective and efficient analysis methods is therefore an arms race against malware authors. One current challenge is that malware authors overwhelm analysis systems with an ever-increasing number of samples, most of which are repacked versions of already known malware. We develop novel techniques to compare multiple versions of self-updating malware. By associating the high-level behavior of malware with the functional components that implement it, we can observe the evolution of malware families and highlight interesting components for further analysis.

With the emergence of mobile platforms, malware has spread to these devices as well. Mobile devices offer malware new ways of monetization and pose unique challenges for building defenses, since they limit the capabilities of on-device defenses. We build Andrubis, a large-scale public analysis sandbox for Android apps, as a cloud-based service. We leverage the large and diverse dataset of over one million Android apps collected by Andrubis to gain insights into the behavior and evolution of Android malware. Furthermore, we use machine learning to build a robust classifier that automatically distinguishes benign from malicious apps with high accuracy. Finally, since mobile platforms have made application markets the main app distribution channel, we present an Android market radar for the fast discovery of malware in alternative application markets.