Digital Rights Management for Malicious Software, presented at Infiltrate 2014

by Paul Royal

Summary: To process and extract intelligence from the large volumes of suspect executables collected in networks each day, numerous automated malware analysis systems (now represented by various threat detection appliances and multi-billion dollar companies) have been created. In an effort to avoid detection and increase time on target, malware authors have designed, developed and commoditized analysis-environment detections. In response, researchers and practitioners have sought to make an analysis environment look like a normal system (e.g., via bare-metal malware analysis). Such responses often enable a successful automated analysis because the instrumentation and virtual-machine detection techniques employed by malware represent a model that is fundamentally brittle and hence easily defeated.
In this presentation, I introduce techniques that, if widely adopted by malware authors, would permanently disadvantage automated analysis systems. To do so, I explore the ramifications of inverting the canonical approach to preventing a sample's execution in an analysis environment. That is, instead of examining techniques that detect specific malware analysis sandboxes or virtualization containers, I consider malicious software that will fail to execute correctly in any environment other than the originally compromised system.
To better understand the details of "digital rights management" for malicious software, I present a design of anti-analysis techniques that make the successful execution of a malware sample dependent on the unique properties that identify the originally infected host. To highlight the relevance of this idea to malware authors, I discuss how both common and targeted malware instances (e.g., Flashback, Gauss) already use conceptually similar techniques to prevent automated analysis of their samples.