Paper: Multiprocess Malware


M. Ramilli, M. Bishop, and S. Sun, “Multiprocess Malware,” Proceedings of the 6th International Conference on Malicious and Unwanted Software, pp. 8–13 (Oct. 2011).



Malware behavior detectors observe the behavior of suspected malware by emulating its execution or executing it in a sandbox or other restrictive, instrumented environment. This assumes that the process, or process family, being monitored will exhibit the targeted behavior if it contains malware. We describe a technique for evading such detection by distributing the malware over multiple processes. We then present a method for countering this technique, and present results of tests that validate our claims.

DOI: 10.1109/MALWARE.2011.6112320