Emulating Emulation-Resistant Malware
Min Gyung Kang and Heng Yin and Steve Hanna and Stephen McCamant and Dawn Song
EECS Department, University of California, Berkeley
Technical Report No. UCB/EECS-2009-58
May 5, 2009
http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-58.pdf
The authors of malware attempt to frustrate reverse engineering and analysis by creating programs that crash or otherwise behave differently when executed on an emulated platform than when executed on real hardware. In order to defeat such techniques and facilitate automatic and semi-automatic dynamic analysis of malware, we propose an automated technique to dynamically modify the execution of a whole-system emulator to fool a malware sample's anti-emulation checks. Our approach uses a scalable trace matching algorithm to locate the point where emulated execution diverges, and then compares the states of the reference system and the emulator to create a dynamic state modification that repairs the difference. We evaluate our technique by building an implementation into an emulator used for in-depth malware analysis. On case studies that include real samples of malware collected in the wild and an attack that has not yet been exploited, our tool automatically ameliorates the malware sample's anti-emulation checks to enable analysis, and its modifications are robust to system changes.
BibTeX citation:
@techreport{Kang:EECS-2009-58, Author= {Kang, Min Gyung and Yin, Heng and Hanna, Steve and McCamant, Stephen and Song, Dawn}, Title= {Emulating Emulation-Resistant Malware}, Year= {2009}, Month= {May}, Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-58.html}, Number= {UCB/EECS-2009-58}, Abstract= {The authors of malware attempt to frustrate reverse engineering and analysis by creating programs that crash or otherwise behave differently when executed on an emulated platform than when executed on real hardware. In order to defeat such techniques and facilitate automatic and semi-automatic dynamic analysis of malware, we propose an automated technique to dynamically modify the execution of a whole-system emulator to fool a malware sample's anti-emulation checks. Our approach uses a scalable trace matching algorithm to locate the point where emulated execution diverges, and then compares the states of the reference system and the emulator to create a dynamic state modification that repairs the difference. We evaluate our technique by building an implementation into an emulator used for in-depth malware analysis. On case studies that include real samples of malware collected in the wild and an attack that has not yet been exploited, our tool automatically ameliorates the malware sample's anti-emulation checks to enable analysis, and its modifications are robust to system changes.}, }
EndNote citation:
%0 Report %A Kang, Min Gyung %A Yin, Heng %A Hanna, Steve %A McCamant, Stephen %A Song, Dawn %T Emulating Emulation-Resistant Malware %I EECS Department, University of California, Berkeley %D 2009 %8 May 5 %@ UCB/EECS-2009-58 %U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-58.html %F Kang:EECS-2009-58