Emulating Emulation-Resistant Malware

Min Gyung Kang, Heng Yin, Steve Hanna, Stephen McCamant and Dawn Song

EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2009-58
May 5, 2009

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-58.pdf

The authors of malware attempt to frustrate reverse engineering and analysis by creating programs that crash or otherwise behave differently when executed on an emulated platform than when executed on real hardware. In order to defeat such techniques and facilitate automatic and semi-automatic dynamic analysis of malware, we propose an automated technique to dynamically modify the execution of a whole-system emulator to fool a malware sample's anti-emulation checks. Our approach uses a scalable trace matching algorithm to locate the point where emulated execution diverges, and then compares the states of the reference system and the emulator to create a dynamic state modification that repairs the difference. We evaluate our technique by building an implementation into an emulator used for in-depth malware analysis. On case studies that include real samples of malware collected in the wild and an attack that has not yet been exploited, our tool automatically ameliorates the malware sample's anti-emulation checks to enable analysis, and its modifications are robust to system changes.


BibTeX citation:

@techreport{Kang:EECS-2009-58,
    Author = {Kang, Min Gyung and Yin, Heng and Hanna, Steve and McCamant, Stephen and Song, Dawn},
    Title = {Emulating Emulation-Resistant Malware},
    Institution = {EECS Department, University of California, Berkeley},
    Year = {2009},
    Month = {May},
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-58.html},
    Number = {UCB/EECS-2009-58},
    Abstract = {The authors of malware attempt to frustrate reverse engineering and analysis by creating programs that crash or otherwise behave differently when executed on an emulated platform than when executed on real hardware. In order to defeat such techniques and facilitate automatic and semi-automatic dynamic analysis of malware, we propose an automated technique to dynamically modify the execution of a whole-system emulator to fool a malware sample's anti-emulation checks. Our approach uses a scalable trace matching algorithm to locate the point where emulated execution diverges, and then compares the states of the reference system and the emulator to create a dynamic state modification that repairs the difference.  We evaluate our technique by building an implementation into an emulator used for in-depth malware analysis.  On case studies that include real samples of malware collected in the wild and an attack that has not yet been exploited, our tool automatically ameliorates the malware sample's anti-emulation checks to enable analysis, and its modifications are robust to system changes.}
}

EndNote citation:

%0 Report
%A Kang, Min Gyung
%A Yin, Heng
%A Hanna, Steve
%A McCamant, Stephen
%A Song, Dawn
%T Emulating Emulation-Resistant Malware
%I EECS Department, University of California, Berkeley
%D 2009
%8 May 5
%@ UCB/EECS-2009-58
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-58.html
%F Kang:EECS-2009-58