When Malware Changed Its Mind: How "Split Personalities" Affect Malware Analysis and Detection

Tudor Dumitras, University of Maryland, College Park

We are presenting the first large-scale study of malware samples that change their behavior when executed on different hosts or at different times, using data from 5.6 million hosts from around the world. Researchers and practitioners have been aware of this problem for over a decade, but prior to our work the behavior variability had not been measured at scale. We demonstrate how malware with such "split personalities" may confound the current techniques for malware analysis and detection. More importantly, we illustrate the unique insights that the security industry can gain by monitoring malware behavior ethically and at scale, on real hosts.

View the full Enigma 2023 program at https://www.usenix.org/conference/eni...