In my thesis I researched malware and malware analysis, together with anti-analysis and anti-anti-analysis techniques. My aim was to build an extensive knowledge base of the anti-sandbox techniques used by malware and a proof-of-concept malware analysis tool that defeats the malware's anti-sandbox methods.
The thesis presents malware and its categorization and puts it in the context of today's world from the perspective of both information security and global presence. It also gives insight into the market, the real-world state of malware analysis and malware analysis sandboxes and the problems that arise there, and introduces current malware analysis methodologies.
One of the main focuses of the thesis is a comprehensive knowledge base of the most common anti-analysis techniques used by malware, especially the methods by which malware checks for the presence of a sandbox or a virtual machine. To that end it also covers in detail the countermeasures sandboxes use against these checks, the so-called anti-anti-analysis techniques.
The other main focus is the development of the proof-of-concept tool, which is essentially a Swiss Army knife for sandbox-based malware analysis. Its aim is to deceive malware by hooking Windows API calls so that the analysis system looks like a legitimate machine rather than a sandbox.
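To make the idea behind the tool concrete, the following added example (my own illustration, not code from the thesis or its proof-of-concept tool) models both sides: a set of well-known sandbox and VM fingerprint checks a sample might run through Win32 calls, and a hook layer that intercepts those calls and rewrites their results so the checks no longer fire. The `WindowsApi` class, the `SANDBOX_PROFILE` values and the spoofed "legitimate" values are all constructed; the method names mirror real Win32 APIs, but everything here runs on any platform in plain Python.

```python
"""Model of sandbox-fingerprinting checks and hook-based countermeasures.

Constructed example: WindowsApi stands in for the Win32 calls a sample makes;
install_hooks() models what an anti-anti-analysis tool does after patching those
calls in the target process (inline or IAT hooks), i.e. rewriting their results.
"""

GiB = 1024 ** 3

# Assumed raw view of a cheaply provisioned analysis VM (constructed, not measured).
SANDBOX_PROFILE = {
    "processors": 1,
    "ram_bytes": 1 * GiB,
    "disk_bytes": 40 * GiB,
    "uptime_ms": 90_000,                 # 1.5 minutes since boot
    "mac": "08:00:27:12:34:56",          # 08:00:27 is the VirtualBox OUI
    "registry": {
        r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions": {},
        r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": {"SystemManufacturer": "innotek GmbH"},
    },
}

VIRTUAL_OUIS = ("08:00:27", "00:0c:29", "00:05:69", "00:50:56")   # VirtualBox, VMware
VM_KEYS = (r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
           r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools")
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System\BIOS"


class WindowsApi:
    """Stand-in for the Win32 calls the sample queries (names mirror the real APIs)."""

    def __init__(self, profile):
        self._p = profile

    def GetSystemInfo(self):
        return {"dwNumberOfProcessors": self._p["processors"]}

    def GlobalMemoryStatusEx(self):
        return {"ullTotalPhys": self._p["ram_bytes"]}

    def GetDiskFreeSpaceEx(self, root="C:\\"):
        return {"TotalNumberOfBytes": self._p["disk_bytes"]}

    def GetTickCount64(self):
        return self._p["uptime_ms"]

    def GetAdaptersInfo(self):
        return [{"Address": self._p["mac"]}]

    def RegOpenKeyEx(self, path):
        return self._p["registry"].get(path)      # None models ERROR_FILE_NOT_FOUND

    def RegQueryValueEx(self, path, name):
        key = self.RegOpenKeyEx(path)             # goes through the hooked method once hooked
        return None if key is None else key.get(name)


def sandbox_indicators(api):
    """Anti-analysis checks a sample might run; returns the names of the checks that fired."""
    hits = []
    if api.GetSystemInfo()["dwNumberOfProcessors"] < 2:
        hits.append("cpu_count")
    if api.GlobalMemoryStatusEx()["ullTotalPhys"] < 2 * GiB:
        hits.append("low_ram")
    if api.GetDiskFreeSpaceEx()["TotalNumberOfBytes"] < 60 * GiB:
        hits.append("small_disk")
    if api.GetTickCount64() < 10 * 60 * 1000:     # booted less than ten minutes ago
        hits.append("fresh_boot")
    if any(a["Address"].lower().startswith(VIRTUAL_OUIS) for a in api.GetAdaptersInfo()):
        hits.append("vm_mac")
    if any(api.RegOpenKeyEx(k) is not None for k in VM_KEYS):
        hits.append("vm_registry")
    manufacturer = api.RegQueryValueEx(BIOS_KEY, "SystemManufacturer") or ""
    if any(s in manufacturer.lower() for s in ("innotek", "vmware", "qemu", "virtual")):
        hits.append("vm_bios")
    return hits


def install_hooks(api, hooks):
    """Wrap each named API method so its result is post-processed by the matching rewrite.

    Models in-process hooking: the original call still runs, the caller only sees
    the rewritten result. The rewrite receives (original_result, *call_args).
    """
    for name, rewrite in hooks.items():
        original = getattr(api, name)

        def hooked(*args, _orig=original, _rw=rewrite, **kwargs):
            return _rw(_orig(*args, **kwargs), *args, **kwargs)

        setattr(api, name, hooked)


# Spoofed values that make the system look like an ordinary workstation (all assumed).
LEGIT_HOOKS = {
    "GetSystemInfo": lambda r, *a, **kw: {**r, "dwNumberOfProcessors": 4},
    "GlobalMemoryStatusEx": lambda r, *a, **kw: {**r, "ullTotalPhys": 8 * GiB},
    "GetDiskFreeSpaceEx": lambda r, *a, **kw: {**r, "TotalNumberOfBytes": 512 * GiB},
    "GetTickCount64": lambda r, *a, **kw: r + 3 * 24 * 3600 * 1000,   # add three days of uptime
    "GetAdaptersInfo": lambda r, *a, **kw: [
        {**n, "Address": "a4:5e:60:aa:bb:cc"}                          # constructed non-VM address
        if n["Address"].lower().startswith(VIRTUAL_OUIS) else n for n in r],
    "RegOpenKeyEx": lambda r, path, *a, **kw: None if path in VM_KEYS else r,
    "RegQueryValueEx": lambda r, path, name, *a, **kw:
        "Dell Inc." if (name == "SystemManufacturer" and r is not None) else r,
}


def run_demo():
    """Return (checks firing on the raw VM, checks firing once the hooks are installed)."""
    raw = WindowsApi(SANDBOX_PROFILE)
    hooked = WindowsApi(SANDBOX_PROFILE)
    install_hooks(hooked, LEGIT_HOOKS)
    return sandbox_indicators(raw), sandbox_indicators(hooked)


if __name__ == "__main__":
    before, after = run_demo()
    print("before hooks:", before)
    print("after hooks: ", after)
```

Two practical points the model glosses over. First, in a real sandbox the hooks live inside the analysed process (or in the kernel), so the sample must not be able to spot them, e.g. by comparing the first bytes of `kernel32` exports against a clean copy on disk. Second, the spoofed values must stay mutually consistent: a faked `GetTickCount64` that disagrees with `NtQuerySystemInformation` uptime or with process creation times is itself an indicator, which is why a tool like this has to cover whole families of calls rather than single functions.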