Combatting Evasive Malware - Leveraging Computer Vision to Solve the Reverse Turing Test

Today, dynamic analysis tools such as sandboxes are commonly used to analyze real-world malware samples, revealing malware internals and aiding the development of defensive measures. To avoid being analyzed, advanced malware families try to determine whether a human is using the compromised system. If this so-called "reverse Turing test" fails, the malware concludes that it is running in a sandbox and subsequently changes its normal behaviour.

The goal of this thesis is to set up a virtualized lab environment and use an existing computer vision framework to solve the reverse Turing tests of real-world malware samples. The developed solution should be compared with other approaches with regard to performance, ease of use and success rate (e.g. [1]).

  • Build a lab environment (using the QEMU/KVM hypervisor)
  • Obtain malware samples that use a "reverse Turing test"
  • Determine how these "reverse Turing tests" are implemented
  • Develop solutions using computer vision to solve the "reverse Turing tests"
  • Compare the solutions to other approaches
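As an added illustration (not part of the original thesis description and not the thesis' own code), the following shows the basic building block such a computer vision solver relies on: template matching to locate a dialog button in a sandbox screenshot, so that the sandbox can synthesise the user interaction the sample waits for. A real solution would use a framework such as OpenCV's matchTemplate; the screenshot, the button template and the threshold here are constructed for the example.

```python
"""Locate a dialog button in a grayscale screenshot by template matching (pure Python)."""
from typing import List, Optional, Tuple

Image = List[List[int]]  # rows of grayscale pixel values in 0..255


def match_score(img: Image, tpl: Image, top: int, left: int) -> float:
    """Mean absolute pixel difference between tpl and the img window at (top, left).
    0.0 is a perfect match; larger values mean the window looks less like the template."""
    total = 0
    for r, row in enumerate(tpl):
        for c, value in enumerate(row):
            total += abs(img[top + r][left + c] - value)
    return total / (len(tpl) * len(tpl[0]))


def find_template(img: Image, tpl: Image, max_diff: float = 8.0) -> Optional[Tuple[int, int]]:
    """Slide tpl over img and return the centre (x, y) of the best-matching window
    whose score is within max_diff, or None when nothing on screen resembles the template."""
    h, w = len(img), len(img[0])
    th, tw = len(tpl), len(tpl[0])
    best = None  # (score, centre_x, centre_y)
    for top in range(h - th + 1):
        for left in range(w - tw + 1):
            score = match_score(img, tpl, top, left)
            if score <= max_diff and (best is None or score < best[0]):
                best = (score, left + tw // 2, top + th // 2)
    return None if best is None else (best[1], best[2])


def make_screenshot() -> Image:
    """Constructed 24x16 'desktop': dark background, a light dialog box and a darker
    button inside it. The button carries slight pixel noise, like anti-aliased rendering."""
    img = [[40] * 24 for _ in range(16)]
    for y in range(4, 13):
        for x in range(6, 20):
            img[y][x] = 230  # dialog body
    for y in range(9, 12):
        for x in range(12, 18):
            img[y][x] = 120 + (x + y) % 3  # button, rows 9..11, columns 12..17
    return img


# Constructed template of the button as it looks without noise (6x3 pixels).
BUTTON_TEMPLATE: Image = [[120] * 6 for _ in range(3)]

if __name__ == "__main__":
    # The sandbox automation would send a synthetic click to the returned coordinates.
    print("button centre:", find_template(make_screenshot(), BUTTON_TEMPLATE))
```

The threshold keeps the noisy button (mean difference 1.0) while rejecting windows that overlap the dialog body or the background, which is the same trade-off a real framework exposes through its matching threshold.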