DocumentCode
2763965
Title
Multiprocess malware
Author
Ramilli, Marco ; Bishop, Matt ; Sun, Shining
Author_Institution
DEIS, Univ. of Bologna, Cesena, Italy
fYear
2011
fDate
18-19 Oct. 2011
Firstpage
8
Lastpage
13
Abstract
Malware behavior detectors observe the behavior of suspected malware by emulating its execution or executing it in a sandbox or other restrictive, instrumented environment. This assumes that the process, or process family, being monitored will exhibit the targeted behavior if it contains malware. We describe a technique for evading such detection by distributing the malware over multiple processes. We then present a method for countering this technique, and present results of tests that validate our claims.
Keywords
invasive software; system monitoring; detection evasion; malware behavior detector; malware execution emulation; multiprocess malware; process monitoring; restrictive instrumented environment; sandbox execution; Detectors; Grippers; HTML; Internet; Software; Trojan horses
fLanguage
English
Publisher
ieee
Conference_Titel
Malicious and Unwanted Software (MALWARE), 2011 6th International Conference on
Conference_Location
Fajardo
Print_ISBN
978-1-4673-0031-5
Type
conf
DOI
10.1109/MALWARE.2011.6112320
Filename
6112320