Detecting Environment-Sensitive Malware Based on Taint Analysis

Dynamic analysis technique extracts malicious behavior by monitoring the execution of malware. But due to the differences between analysis environment and real environment, Malware can easily hide its malicious behavior in suspicious environment. This paper proposed a method in detecting environment-sensitive malware based on taint analysis, which monitored the use of environment-sensitive features, and detected malicious behavior by executing along hidden path. Our approach firstly extracted sensitive system calls and special instructions to mark tainted features, then achieved environment-sensitive controlled jump based on taint propagation analysis while code was running, and at last forced execution along different paths according to the extraction of path jump constraint conditions. We designed and implemented a prototype that can be automatically applied on malware analysis. The evaluation of the prototype by comparing with static and dynamic tools showed it can recognize the environment-sensitive features comprehensively, and can effectively increase the ability in malware detection with high efficiency.