Pfuzzer: Practical, Sound, and Effective Multi-path Analysis of Environment-sensitive Malware with Coverage-guided Fuzzing / Bottura, Nicola; D'Elia, Daniele Cono; Querzoni, Leonardo. - (2025), pp. 1121-1139. (Paper presented at the IEEE European Symposium on Security and Privacy conference, held in Venezia, Italia) [10.1109/eurosp63326.2025.00068].
Pfuzzer: Practical, Sound, and Effective Multi-path Analysis of Environment-sensitive Malware with Coverage-guided Fuzzing
Bottura, Nicola; D'Elia, Daniele Cono; Querzoni, Leonardo
2025
Abstract
Among the behaviors and tactics that malware can exhibit, environment-sensitive logic likely poses the longest-standing challenge to the analysis capabilities of automatic systems such as sandboxes. Current analysis approaches either fall short in anticipating adversarial tactics by design, or incur prohibitive costs and other roadblocks when reasoning on real-world code. As a result, manual analysis remains the primary way to identify behaviors that show only when a machine meets specific expectations of the sample. To address these issues, we present the first practical, sound, and effective solution for multi-path exploration of environment-sensitive malware. We argue that the popular coverage-guided fuzzing paradigm from software testing can effectively achieve this task, provided we can devise original design solutions (such as coverage feedback and environment mutations) tailored to the unique characteristics of malware to enable this application. Our approach can not only disarm many evasions without requiring expert knowledge, but also unveil additional activities that would not show in a baseline run due to environmental conditions unrelated to evasion. We build a manually annotated dataset of environment-sensitive malware and use it to estimate the analysis capabilities of the approach. Our Pfuzzer implementation reveals activity that the best competitor misses for 36.09% of the samples: such activity either follows evasions that deceive existing systems or comes from behaviors that show only in other "right" environments. Pfuzzer also unveils dormant evasive tactics for 70.64% of the samples that one may wrongly deem as non-evasive after a baseline run.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.