Malware is one of the prevalent security threats. Sandboxes and, more generally, instrumented environments play a crucial role in dynamically analysing malware samples, providing key threat intelligence results and critical information to update detection mechanisms. In this talk, we will analyse the evasive behaviours employed by malware authors to hide the malicious activity of samples and hinder security analysis.
Analysing a collection of over 45,000 Windows malware samples across 10 years, we tracked how malware authors used 92 different evasive techniques to detect and thwart instrumented environments (e.g., debuggers and virtual machines). The analysis provided us with several insights on how such techniques are discovered, increase in prevalence and then drop out of favour. Interestingly, we could match the shift in behaviour with the reaction of the security community, drawing some interesting insight into what awaits us in the near future.