Emulating emulation-resistant malware

Authors:
Min Gyung Kang;Heng Yin;Steve Hanna;Stephen McCamant;Dawn Song
Affiliations:
Carnegie Mellon University / University of California, Berkeley, Berkeley, USA;Syracuse University / Unversity of California, Berkeley, Syracuse, USA;Unversity of California, Berkeley, Berkeley, USA;Unversity of California, Berkeley, Berkeley, USA;Unversity of California, Berkeley, Berkeley, USA
Venue:
Proceedings of the 1st ACM workshop on Virtual machine security
Year:
2009

Citing 18
Cited 9

Gaze-directed volume rendering

I3D '90 Proceedings of the 1990 symposium on Interactive 3D graphics
SubVirt: Implementing malware with virtual machines

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Analysis of the Intel Pentium's ability to support a secure virtual machine monitor

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Establishing the genuinity of remote computer systems

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Understanding data lifetime via whole system simulation

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Exploring Multiple Execution Paths for Malware Analysis

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Renovo: a hidden code extractor for packed executables

Proceedings of the 2007 ACM workshop on Recurring malcode
Panorama: capturing system-wide information flow for malware detection and analysis

Proceedings of the 14th ACM conference on Computer and communications security
Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction

Proceedings of the 14th ACM conference on Computer and communications security
Compatibility is not transparency: VMM detection myths and realities

HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
Dynamic spyware analysis

ATC'07 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference
Remote detection of virtual machine monitors with fuzzy benchmarking

ACM SIGOPS Operating Systems Review
Ether: malware analysis via hardware virtualization extensions

Proceedings of the 15th ACM conference on Computer and communications security
Pointless tainting?: evaluating the practicality of pointer tainting

Proceedings of the 4th ACM European conference on Computer systems
Testing CPU emulators

Proceedings of the eighteenth international symposium on Software testing and analysis
Automatic Reverse Engineering of Malware Emulators

SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
A hardware-based memory acquisition procedure for digital investigations

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Detecting system emulators

ISC'07 Proceedings of the 10th international conference on Information Security

Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution

ACM Transactions on Information and System Security (TISSEC)
The power of procrastination: detection and mitigation of execution-stalling malicious code

Proceedings of the 18th ACM conference on Computer and communications security
Detecting malware's failover C&C strategies with squeeze

Proceedings of the 27th Annual Computer Security Applications Conference
V2E: combining hardware virtualization and softwareemulation for transparent and extensible malware analysis

VEE '12 Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments
Detecting environment-sensitive malware

RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis

Security'12 Proceedings of the 21st USENIX conference on Security symposium
Down to the bare metal: using processor features for binary analysis

Proceedings of the 28th Annual Computer Security Applications Conference
SPIDER: stealthy binary program instrumentation and debugging via hardware virtualization

Proceedings of the 29th Annual Computer Security Applications Conference
Revolver: an automated approach to the detection of evasiveweb-based malware

SEC'13 Proceedings of the 22nd USENIX conference on Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

The authors of malware attempt to frustrate reverse engineering and analysis by creating programs that crash or otherwise behave differently when executed on an emulated platform than when executed on real hardware. In order to defeat such techniques and facilitate automatic and semi-automatic dynamic analysis of malware, we propose an automated technique to dynamically modify the execution of a whole-system emulator to fool a malware sample's anti-emulation checks. Our approach uses a scalable trace matching algorithm to locate the point where emulated execution diverges, and then compares the states of the reference system and the emulator to create a dynamic state modification that repairs the difference. We evaluate our technique by building an implementation into an emulator used for in-depth malware analysis. On case studies that include real samples of malware collected in the wild and an attack that has not yet been exploited, our tool automatically ameliorates the malware sample's anti-emulation checks to enable analysis, and its modifications are robust to system changes.