• DocumentCode
    2763965
  • Title
    Multiprocess malware
  • Author
    Ramilli, Marco ; Bishop, Matt ; Sun, Shining
  • Author_Institution
    DEIS, Univ. of Bologna, Cesena, Italy
  • fYear
    2011
  • fDate
    18-19 Oct. 2011
  • Firstpage
    8
  • Lastpage
    13
  • Abstract
    Malware behavior detectors observe the behavior of suspected malware by emulating its execution or executing it in a sandbox or other restrictive, instrumented environment. This assumes that the process, or process family, being monitored will exhibit the targeted behavior if it contains malware. We describe a technique for evading such detection by distributing the malware over multiple processes. We then present a method for countering this technique, and present results of tests that validate our claims.
  • Keywords
    invasive software; system monitoring; detection evasion; malware behavior detector; malware execution emulation; multiprocess malware; process monitoring; restrictive instrumented environment; sandbox execution; Detectors; Grippers; HTML; Internet; Software; Trojan horses
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Malicious and Unwanted Software (MALWARE), 2011 6th International Conference on
  • Conference_Location
    Fajardo
  • Print_ISBN
    978-1-4673-0031-5
  • Type
    conf
  • DOI
    10.1109/MALWARE.2011.6112320
  • Filename
    6112320