Automatic public malware analysis services (PMAS, e.g. VirusTotal, Jotti or ClamAV, to name a few) provide controlled, isolated and virtual environments to analyse malicious software (malware) samples. Unfortunately, malware is currently incorporating techniques to recognize execution onto a virtual or sandbox environment; when an analysis environment is detected, malware behaves as a benign application or even shows no activity. In this work, we present an empirical study and characterization of automatic PMAS, considering 26 different services. We also show a set of features that allow to easily fingerprint these services as analysis environments; the lower the unlikeability of these features, the easier for us (and thus for malware) to fingerprint the analysis service they belong to. Finally, we propose a method for these analysis services to counter or at least mitigate our proposal.

中文翻译：

---

关于公共恶意软件分析服务的指纹识别

自动公共恶意软件分析服务（PMAS，例如VirusTotal，Jotti或ClamAV等）提供受控，隔离和虚拟的环境来分析恶意软件（恶意软件）样品。不幸的是，恶意软件目前正在采用多种技术来识别在虚拟或沙盒环境中的执行。当检测到分析环境时，恶意软件会表现为良性应用程序，甚至没有任何活动。在这项工作中，我们提出了对26种不同服务的自动PMAS进行的实证研究和表征。我们还展示了一组功能，这些功能可以轻松地将这些服务识别为分析环境。这些功能的相似性越低，我们（以及恶意软件）就越容易对它们所属的分析服务进行指纹识别。最后，我们为这些分析服务提出了一种方法，以应对或至少减轻我们的提议。