Hiding Pin's Artifacts to Defeat Evasive Malware

Presented at Black Hat Europe 2017, Dec. 6, 2017, 2:15 p.m. (60 minutes)

Malware authors constantly develop new techniques in order to evade analysis systems. Previous works addressed attempts to evade analysis by means of anti-sandboxing and anti-virtualization techniques, for example proposing to run samples on bare-metal. However, state-of-the-art bare-metal tools fail to provide richness and completeness in the results of the analysis. In this context, Dynamic Binary Instrumentation (DBI) tools have become popular in the analysis of new malware samples because of the deep control they guarantee over the instrumented binary. In fact, in some specific scenarios (e.g., manual and automated reverse engineering) we need to fully monitor and control the analyzed binary.

As a consequence, malware authors developed new techniques, called anti-instrumentation, aimed at detecting if a sample is being instrumented. Such techniques look at the artifacts produced during the instrumentation process and leverage some intrinsic characteristics of a DBI tool.

We propose a practical approach to make DBI tools stealthier and resilient against anti-instrumentation attacks. We studied the common techniques used by malware to detect the presence of a DBI tool, and we proposed a set of countermeasures to defeat them. We implemented our approach in Arancino, on top of the Intel Pin framework. Arancino is able to hide Pin's artifacts making hard for malware to spot its presence. In order to achieve this, we leverage the power of DBI tools to fully control the execution flow of the instrumented process. This allows us to detect and dismantle possible evasion attempts. We tested our system against eXait, a tool containing a set of plugins that aim at detecting when a program is instrumented by Intel Pin, showing that Arancino is able to hide Intel Pin, allowing the analysis of evasive binaries.

Armed with Arancino, we then performed a large-scale measurement of the anti-instrumentation techniques employed by modern malware. We collected and analyzed 7,006 malware samples, monitoring the evasive behaviors that triggered our system, hence studying the common techniques adopted by modern malware authors to perform evasion of instrumentation systems.


  • Stefano Zanero - Associate Professor, Politecnico di Milano
    Stefano Zanero received a PhD in Computer Engineering from Politecnico di Milano, where he is currently an associate professor with the Dipartimento di Elettronica, Informazione e Bioingegneria. His research focuses on malware analysis, cyberphysical security, and cybersecurity in general. Besides teaching "Computer Security" and "Computer Forensics" at Politecnico, he has an extensive speaking and training experience in Italy and abroad. He co-authored over 70 scientific papers and books. He is a Senior Member of the IEEE (for which he sits on the MGA board), the IEEE Computer Society (for which he is a member of the Board of Governors), and a lifetime senior member of the ACM. Stefano co-founded the Italian chapter of ISSA (Information System Security Association). He has been named a Fellow of ISSA and sits in its International Board of Directors. Stefano is also a co-founder and chairman of Secure Network, a leading information security consulting firm based in Milan and in London; a co-founder of 18Months, a cloud-based ticketing solutions provider; and a co-founder of BankSealer, a startup in the FinTech sector that addresses fraud detection through machine learning techniques.
  • Stefano D'Alessio -  , Politecnico di Milano
    Stefano D'Alessio is a junior engineer from Politecnico di Milano. He has always been interested in computer security and all its branches. Now he is focusing on bank security, especially penetration testing and security related to databases.
  • Sebastiano Mariani - PhD Student, Politecnico di Milano
    Sebastiano Mariani is starting as PhD student at University of California Santa Barbara later this year. He is passionate about computer security in all its aspect from penetration testing to malware and binary analysis (his current area of study). He also enjoy competing in various Capture The Flag (CTF) competitions as member of the Shellphish team.
  • Mario Polino - Post-Doctoral Researcher, Politecnico di Milano
    Mario Polino recently received his Ph.D. from Politecnico di Milano in Italy, working at NECST laboratory as part of the Computer Security group inside Dipartimento di Elettronica, Informazione e Bioingegneria (DEIB). His main research revolve around malware analysis with a specific attention on behavioral analysis to assist malware analysts. He is interested in various computer security topics, and has worked on several topics ranging from cyber-physical systems to static binary analysis, going through Bank Fraud Analysis and Android Security. He loves playing Capture the Flag competitions, so he spend his free time playing with Politecnico's team, Tower of Hanoi.
  • Lorenzo Fontana - Dott., Politecnico di Milano
    Fontana Lorenzo is a Computer Science student at the Politecnico of Milan. He has always been interested in computer security and is an active participant of bug bounty programs like the Google VRP and Microsoft. His current area of study is malware analysis - in particular how it is possible to leverage DBI framework to solve the challenges of this field.
  • Fabio Gritti - Junior computer security engineer, Politecnico di Milano
    Fabio Gritti is a junior computer security engineer passionate about binary analysis and malware analysis. He enjoys developing tools in order to help analysis of programs and love participating in CTF and wargames.
  • Andrea Continella - PhD Student, Politecnico di Milano
    Andrea Continella is a PhD student in Computer Science and Engineering at Dipartimento di Elettronica, Informazione e Bioingegneria (DEIB) Politecnico di Milano in Italy, working at the NECST Laboratory. His research activity is mainly focused on computer security and in particular on threat analysis. Andrea has been working on analysis and defense mechanisms against advanced malware, including for example the current generation of trojan horses, or the infamous ransomware families. During his PhD, he spent six months at UC Santa Barbara working at the SecLab on detection of obfuscated privacy leaks in Android applications. He also loves Capture The Flag (CTF) competitions, which he usually plays with Tower of Hanoi and sometimes with Shellphish, the Politecnico di Milano and UCSB hacking teams.


Similar Presentations: