{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,10]],"date-time":"2025-09-10T22:33:51Z","timestamp":1757543631706,"version":"3.40.3"},"publisher-location":"Cham","reference-count":61,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783319934105"},{"type":"electronic","value":"9783319934112"}],"license":[{"start":{"date-parts":[[2018,1,1]],"date-time":"2018-01-01T00:00:00Z","timestamp":1514764800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018]]},"DOI":"10.1007\/978-3-319-93411-2_8","type":"book-chapter","created":{"date-parts":[[2018,6,7]],"date-time":"2018-06-07T07:49:28Z","timestamp":1528357768000},"page":"162-184","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["Evasive Malware via Identifier Implanting"],"prefix":"10.1007","author":[{"given":"Rui","family":"Tanabe","sequence":"first","affiliation":[]},{"given":"Wataru","family":"Ueno","sequence":"additional","affiliation":[]},{"given":"Kou","family":"Ishii","sequence":"additional","affiliation":[]},{"given":"Katsunari","family":"Yoshioka","sequence":"additional","affiliation":[]},{"given":"Tsutomu","family":"Matsumoto","sequence":"additional","affiliation":[]},{"given":"Takahiro","family":"Kasama","sequence":"additional","affiliation":[]},{"given":"Daisuke","family":"Inoue","sequence":"additional","affiliation":[]},{"given":"Christian","family":"Rossow","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2018,6,8]]},"reference":[{"key":"8_CR1","unstructured":"Advanced persistent threats: how they work. \n                      https:\/\/www.symantec.com\/theme.jsp?themeid=apt-infographic-1"},{"key":"8_CR2","unstructured":"APT [Advanced Persistent Threat]. \n                      http:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/advanced-persistent-threat"},{"key":"8_CR3","unstructured":"bochs: The open source IA-32 emulation project. \n                      http:\/\/bochs.sourceforge.net"},{"key":"8_CR4","unstructured":"Darwins favorite APT group. \n                      https:\/\/www.fireeye.com\/blog\/threat-research\/2014\/09\/darwins-favorite-apt-group-2.html"},{"key":"8_CR5","unstructured":"Malwr - malware analysis by cuckoo sandbox. \n                      https:\/\/malwr.com\/"},{"key":"8_CR6","unstructured":"The mystery of the encrypted gauss payload. \n                      https:\/\/securelist.com\/the-mystery-of-the-encrypted-gauss-payload-5\/33561\/"},{"key":"8_CR7","unstructured":"NVMTrace: Proof-of-concept automated baremetal malware analysis framework. \n                      https:\/\/code.google.com\/p\/nvmtrace\/"},{"key":"8_CR8","unstructured":"Oracle VM VirtualBox. \n                      https:\/\/www.virtualbox.org"},{"key":"8_CR9","unstructured":"Public key pinning extension for http. \n                      https:\/\/tools.ietf.org\/html\/rfc7469"},{"key":"8_CR10","unstructured":"VMware. \n                      http:\/\/www.vmware.com\/"},{"key":"8_CR11","unstructured":"Detecting android sandboxes (2012). \n                      http:\/\/www.dexlabs.org\/blog\/btdetect"},{"key":"8_CR12","unstructured":"Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Engin, K., Vigna, G.: Efficient detection of split personalities in malware. In: Proceedings of the Symposium on Network and Distributed System Security, ser. NDSS 2010 (2010)"},{"key":"8_CR13","unstructured":"Barbosa, G.N., Branco, R.R.: Prevalent characteristics in modern malware (2014). \n                      https:\/\/www.blackhat.com\/docs\/us-14\/materials\/us-14-Branco-Prevalent-Characteristics-In-Modern-Malware.pdf"},{"issue":"5","key":"8_CR14","doi-asserted-by":"publisher","first-page":"164","DOI":"10.1145\/1165389.945462","volume":"37","author":"P Barham","year":"2003","unstructured":"Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the art of virtualization. SIGOPS Oper. Syst. Rev. 37(5), 164\u2013177 (2003)","journal-title":"SIGOPS Oper. Syst. Rev."},{"key":"8_CR15","unstructured":"Bayer, U., Habibi, I., Balzarotti, D., Kirda, E., Kruegel, C.: A view on current malware behaviors. In: Proceedings of the 2nd USENIX Conference on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, ser. LEET 2009, p. 8 (2009)"},{"key":"8_CR16","unstructured":"Bayer, U., Comparetti, P.M., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: Proceedings of the Symposium on Network and Distributed System Security, ser. NDSS 2009 (2009)"},{"key":"8_CR17","unstructured":"Bellard, F.: QEMU, a fast and portable dynamic translator. In: Proceedings of the Annual Conference on USENIX Annual Technical Conference, ser. ATEC 2005, p. 41 (2005)"},{"key":"8_CR18","unstructured":"Branco, R.R., Barbosa, G.N., Neto, P.D.: Scientific but academical overview of malware anti-debugging, anti-disassembly and anti-vm technologies (2012). \n                      http:\/\/research.dissect.pe\/docs\/blackhat2012-paper.pdf"},{"key":"8_CR19","unstructured":"Caballero, J., Grier, C., Kreibich, C., Paxson, V.: Measuring pay-per-install: the commoditization of malware distribution. In: Proceedings of the 20th USENIX Security Symposium (2011)"},{"key":"8_CR20","unstructured":"Candid, W.: Does malware still detect virtual machines? (2014). \n                      https:\/\/www.symantec.com\/connect\/blogs\/does-malware-still-detect-virtual-machines"},{"key":"8_CR21","unstructured":"Carsten, W., Ralf, H., Thorsten, H.: CXPInspector: Hypervisor-Based, Hardware-Assisted System Monitoring (2012)"},{"key":"8_CR22","unstructured":"Chen, X., Andersen, J., Mao, Z., Bailey, M., Nazario, J.: Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: Proceedings of the 38th Annual IEEE International Conference on Dependable Systems and Networks, ser. DSN 2008, pp. 177\u2013186 (2008)"},{"key":"8_CR23","unstructured":"Chengyu, S., Paul, R., Wenke, L.: Impeding automated malware analysis with environment-sensitive malware. In: Proceedings of the 7th USENIX Conference on Hot Topics in Security, ser. HotSec 2012 (2012)"},{"key":"8_CR24","doi-asserted-by":"crossref","unstructured":"Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, ser. CCS 2008, pp. 51\u201362 (2008)","DOI":"10.1145\/1455770.1455779"},{"issue":"2","key":"8_CR25","first-page":"6:1","volume":"44","author":"M Egele","year":"2008","unstructured":"Egele, M., Scholte, T., Kirda, E., Kruegel, C.: A survey on automated dynamic malware-analysis techniques and tools. ACM Comput. Surv. 44(2), 6:1\u20136:42 (2008)","journal-title":"ACM Comput. Surv."},{"key":"8_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"319","DOI":"10.1007\/11555827_19","volume-title":"Computer Security \u2013 ESORICS 2005","author":"FC Freiling","year":"2005","unstructured":"Freiling, F.C., Holz, T., Wicherski, G.: Botnet tracking: exploring a root-cause methodology to prevent distributed denial-of-service attacks. In: di Vimercati, S.C., Syverson, P., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 319\u2013335. Springer, Heidelberg (2005). \n                      https:\/\/doi.org\/10.1007\/11555827_19"},{"key":"8_CR27","unstructured":"Garfinkel, T., Adams, K., Warfield, A., Franklin, J.: Compatibility is not transparency: VMM detection myths and realities. In: Proceedings of the 11th USENIX Workshop on Hot Topics in Operating Systems, ser. HOTOS 2007, pp. 6:1\u20136:6 (2007)"},{"key":"8_CR28","unstructured":"Hao, S., Abdulla, A., Jelena, M.: Cardinal pill testing of system virtual machines. In: Proceedings of the 23rd USENIX Security Symposium (2014)"},{"key":"8_CR29","unstructured":"Ishimaru, S.: Why corrupted (?) samples in recent APT? case of Japan and Taiwan. \n                      https:\/\/hitcon.org\/2016\/pacific\/0composition\/pdf\/1201\/1201%20R1%201500%20why%20corrupted%20samples%20in%20recent%20apt.pdf"},{"key":"8_CR30","doi-asserted-by":"crossref","unstructured":"Jing, Y., Zhao, Z., Ahn, G.-J., Hu, H.: Morpheus: automatically generating heuristics to detect android emulators. In: Proceedings of the 30th Annual Computer Security Applications Conference, ser. ACSAC 2014 (2014)","DOI":"10.1145\/2664243.2664250"},{"key":"8_CR31","doi-asserted-by":"crossref","unstructured":"Mayer, J.R., Mitchell, J.C.: Third-party web tracking: policy and technology. In: Proceedings of the 33rd IEEE Symposium on Security and Privacy, ser. S&P 2012, pp. 413\u2013427 (2012)","DOI":"10.1109\/SP.2012.47"},{"key":"8_CR32","unstructured":"Jung, P.: Bypassing sandboxes for fun. \n                      https:\/\/www.botconf.eu\/wp-content\/uploads\/2014\/12\/2014-2.7-Bypassing-Sandboxes-for-Fun.pdf"},{"key":"8_CR33","unstructured":"Kirat, D., Vigna, G., Kruegel, C.: BareCloud: bare-metal analysis-based evasive malware detection. In: Proceedings of the 23rd USENIX Security Symposium (2014)"},{"key":"8_CR34","doi-asserted-by":"crossref","unstructured":"Kirati, D., Vigna, G., Kruegel, C.: Barebox: efficient malware analysis on bare-metal. In: Proceedings of the 27th Annual Computer Security Applications Conference, ser. ACSAC 2011, pp. 403\u2013412 (2011)","DOI":"10.1145\/2076732.2076790"},{"key":"8_CR35","unstructured":"Kruegel, C.: Evasive malware exposed and deconstructed (2015). \n                      https:\/\/www.rsaconference.com\/writable\/presentations\/file_upload\/crwd-t08-evasive-malware-exposed-and-deconstructed.pdf"},{"key":"8_CR36","doi-asserted-by":"crossref","unstructured":"Lanzi, A., Balzarotti, D., Kruegel, C., Christodorescu, M., Kirda, E.: AccessMiner: using system-centric models for malware protection. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, ser. CCS 2010 (2010)","DOI":"10.1145\/1866307.1866353"},{"key":"8_CR37","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"338","DOI":"10.1007\/978-3-642-23644-0_18","volume-title":"Recent Advances in Intrusion Detection","author":"M Lindorfer","year":"2011","unstructured":"Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting environment-sensitive malware. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 338\u2013357. Springer, Heidelberg (2011). \n                      https:\/\/doi.org\/10.1007\/978-3-642-23644-0_18"},{"key":"8_CR38","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"278","DOI":"10.1007\/978-3-319-66402-6_17","volume-title":"Computer Security \u2013 ESORICS 2017","author":"L Bordoni","year":"2017","unstructured":"Bordoni, L., Conti, M., Spolaor, R.: Mirage: toward a stealthier and modular malware analysis sandbox for android. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10492, pp. 278\u2013296. Springer, Cham (2017). \n                      https:\/\/doi.org\/10.1007\/978-3-319-66402-6_17"},{"key":"8_CR39","doi-asserted-by":"crossref","unstructured":"Maier, D., M\u00fcller, T., Protsenko, M.: Divide-and-conquer: why android malware cannot be stopped. In: Proceedings of the 9th International Conference on Availability, Reliability and Security, ser. ARES 2014 (2014)","DOI":"10.1109\/ARES.2014.12"},{"key":"8_CR40","doi-asserted-by":"crossref","unstructured":"Martignoni, L., Paleari, R., Roglia, G.F., Bruschi, D.: Testing CPU emulators. In: Proceedings of the Eighteenth International Symposium on Software Testing and Analysis, ser. ISSTA 2009, pp. 261\u2013272 (2009)","DOI":"10.1145\/1572272.1572303"},{"key":"8_CR41","doi-asserted-by":"crossref","unstructured":"Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: Proceedings of the 28th IEEE Symposium on Security and Privacy, ser. S&P 2007 (2007)","DOI":"10.1109\/SP.2007.17"},{"key":"8_CR42","unstructured":"Najmeh, M., Mahathi, P.A., Nick, N., Michalis, P.: Spotless sandboxes: evading malware analysis systems using wear-and-tear artifacts. In: Proceedings of the 38th IEEE Symposium on Security and Privacy, ser. S&P 2017 (2017)"},{"key":"8_CR43","doi-asserted-by":"crossref","unstructured":"Neugschwandtner, M., Comparetti, P.M., Platzer, C.: Detecting malware\u2019s failover C&C strategies with squeeze. In: Proceedings of the 27th Annual Computer Security Applications Conference, ser. ACSAC 2011 (2011)","DOI":"10.1145\/2076732.2076736"},{"key":"8_CR44","doi-asserted-by":"crossref","unstructured":"Nikiforakis, N., Joosen, W., Livshits, B.: Privaricator: deceiving fingerprinters with little white lies. In: Proceedings of the 24th International Conference on World Wide Web, ser. WWW 2015, pp. 820\u2013830 (2015)","DOI":"10.1145\/2736277.2741090"},{"key":"8_CR45","doi-asserted-by":"crossref","unstructured":"Paleari, R., Martignoni, L., Roglia, G.F., Bruschi, D.: A fistful of red-pills: how to automatically generate procedures to detect CPU emulators. In: Proceedings of the 3rd USENIX Conference on Offensive Technologies, ser. WOOT 2009 (2009)","DOI":"10.1145\/1572272.1572303"},{"key":"8_CR46","doi-asserted-by":"crossref","unstructured":"P\u00e9k, G., Bencs\u00e1th, B., Butty\u00e1n, L.: nEther: in-guest detection of out-of-the-guest malware analyzers. In: Proceedings of the 4th European Workshop on System Security, ser. EUROSEC 2011, pp. 3:1\u20133:6 (2011)","DOI":"10.1145\/1972551.1972554"},{"key":"8_CR47","doi-asserted-by":"crossref","unstructured":"Petsas, T., Voyatzis, G., Athanasopoulos, E., Polychronakis, M., Ioannidis, S.: Rage against the virtual machine: hindering dynamic analysis of android malware. In: Proceedings of the 7th European Workshop on System Security, ser. EUROSEC 2014 (2014)","DOI":"10.1145\/2592791.2592796"},{"key":"8_CR48","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-540-75496-1_1","volume-title":"Information Security","author":"T Raffetseder","year":"2007","unstructured":"Raffetseder, T., Kruegel, C., Kirda, E.: Detecting system emulators. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 1\u201318. Springer, Heidelberg (2007). \n                      https:\/\/doi.org\/10.1007\/978-3-540-75496-1_1"},{"key":"8_CR49","doi-asserted-by":"crossref","unstructured":"Rieck, K., Schwenk, G., Limmer, T., Holz, T., Laskov, P.: Botzilla: detecting the phoning home of malicious software. In: Proceedings of the 2010 ACM Symposium on Applied Computing, ser. SAC 2010, pp. 1978\u20131984 (2010)","DOI":"10.1145\/1774088.1774506"},{"issue":"4","key":"8_CR50","doi-asserted-by":"publisher","first-page":"639","DOI":"10.3233\/JCS-2010-0410","volume":"19","author":"K Rieck","year":"2011","unstructured":"Rieck, K., Trinius, P., Willems, C., Holz, T.: Automatic analysis of malware behavior using machine learning. J. Comput. Sec. 19(4), 639\u2013668 (2011)","journal-title":"J. Comput. Sec."},{"key":"8_CR51","doi-asserted-by":"crossref","unstructured":"Rossow, C., Dietrich, C.J., Bos, H.: Large-scale analysis of malware downloaders. In: Proceedings of the 9th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, ser. DIMVA 2012 (2012)","DOI":"10.1007\/978-3-642-37300-8_3"},{"key":"8_CR52","unstructured":"Rutkowska, J.: Red pill... or how to detect VMM using (almost) one CPU instruction (2004). \n                      http:\/\/www.securiteam.com\/securityreviews\/6Z00H20BQS.html"},{"key":"8_CR53","unstructured":"Shinotsuka, H.: Malware authors using new techniques to evade automated threat analysis systems (2012). \n                      http:\/\/www.symantec.com\/connect\/blogs\/malware-authors-using-new-techniques-evade-automated-threat-analysis-systems"},{"key":"8_CR54","unstructured":"Simone, M., Yanick, F., Antonio, B., Luca, I., Jacopo, C., Dhilung, K., Christopher, K., Giovanni, V.: Baredroid: large-scale analysis of android apps on real devices. In: Proceedings of the 31st Annual Computer Security Applications Conference, ser. ACSAC 2015 (2015)"},{"key":"8_CR55","unstructured":"Singh A., Khalid, Y.: Don\u2019t click the left mouse button: introducing trojan upclicker (2012). \n                      https:\/\/www.fireeye.com\/blog\/threat-research\/2012\/12\/dont-click-the-left-mouse-button-trojan-upclicker.html"},{"key":"8_CR56","unstructured":"Singh, A., Bu, Z.: Hot knives through butter: evading file-based sandboxes (2013). \n                      https:\/\/media.blackhat.com\/us-13\/US-13-Singh-Hot-Knives-Through-Butter-Evading-File-based-Sandboxes-WP.pdf"},{"key":"8_CR57","doi-asserted-by":"crossref","unstructured":"Sun, M.K., Lin, M.J., Chang, M., Laih, C.S., Lin, H.T.: Malware virtualization-resistant behavior detection. In: Proceedings of the 17th IEEE International Conference on Parallel and Distributed Systems, ser. ICPADS 2011, pp. 912\u2013917 (2011)","DOI":"10.1109\/ICPADS.2011.78"},{"key":"8_CR58","doi-asserted-by":"crossref","unstructured":"Vasudevan, A., Yerraballi, R.: Cobra: fine-grained malware analysis using stealth localized-executions. In: Proceedings of the 27th IEEE Symposium on Security and Privacy, ser. S&P\u201906, pp. 264\u2013279 (2006)","DOI":"10.1109\/SP.2006.9"},{"key":"8_CR59","doi-asserted-by":"crossref","unstructured":"Vidas, T., Christin, N.: Evading android runtime analysis via sandbox detection. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, ser. ASIA CCS 2014 (2014)","DOI":"10.1145\/2590296.2590325"},{"key":"8_CR60","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"165","DOI":"10.1007\/978-3-319-45719-2_8","volume-title":"Research in Attacks, Intrusions, and Defenses","author":"A Yokoyama","year":"2016","unstructured":"Yokoyama, A., et al.: SandPrint: fingerprinting malware sandboxes to provide intelligence for sandbox evasion. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 165\u2013187. Springer, Cham (2016). \n                      https:\/\/doi.org\/10.1007\/978-3-319-45719-2_8"},{"issue":"3","key":"8_CR61","first-page":"1144","volume":"52","author":"K Yoshioka","year":"2011","unstructured":"Yoshioka, K., Hosobuchi, Y., Orii, T., Matsumoto, T.: Your sandbox is blinded : Impact of decoy injection to public malware analysis systems. J. Inf. Process. 52(3), 1144\u20131159 (2011)","journal-title":"J. Inf. Process."}],"container-title":["Lecture Notes in Computer Science","Detection of Intrusions and Malware, and Vulnerability Assessment"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-93411-2_8","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,3,3]],"date-time":"2020-03-03T03:20:41Z","timestamp":1583205641000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-93411-2_8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018]]},"ISBN":["9783319934105","9783319934112"],"references-count":61,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-93411-2_8","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2018]]},"assertion":[{"value":"8 June 2018","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"DIMVA","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Saclay","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"France","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2018","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"28 June 2018","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"29 June 2018","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"15","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"dimva2018","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/www.dimva2018.org\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}