FULL SYSTEM EMULATION: ACHIEVING SUCCESSFUL AUTOMATED DYNAMIC ANALYSIS OF EVASIVE MALWARE presented at BlackHatUS 2014

by Christopher Kruegel,

Summary : Today, forensics experts and anti-malware solutions face a multitude of challenges when attempting to extract information from malicious files; dynamic analysis (sandboxing) is a popular method of identifying behavior associated with running or opening a given file, and provides the ability to examine the actions which that file is responsible for. Dynamic analysis technology is gaining popularity for use in detecting targeted threats and zero-day attacks, because this approach need not rely on detecting the malicious code. Instead, it can leverage the ability to identify generic "suspicious behaviors" to assess the risk inherent in running a given sample, and provide intelligence about the protocols and infrastructure attackers can use to control malicious samples.
Of course, many of the attackers have a vested interest in making it much more difficult to extract intelligence from their backdoors or implants. New techniques to evade or complicate analysis of samples are growing in popularity and diversity. With malware authors constantly evolving new techniques to hamper automated analysis, what is a researcher to do?
In the first part of our presentation, Christopher Kruegel, Co-Founder and Chief Scientist at Lastline, will talk about designing dynamic analysis systems, how one might go about building such a system, and what information one should seek to extract with a dynamic analysis platform. He will explain the advantages and limitations of externally instrumented full-system emulation, and demonstrate its value in comparison with other approaches such as OS emulation or traditional virtualization solutions which instrument from inside the analysis environment.
In the second part, Christopher will discuss and provide recent examples of several classes of evasion techniques observed in the wild, including environment triggers, stalling code, and detection of human interaction, and demonstrate the evolution of techniques over time.
In the third part, he will present a number of solutions to these challenges, each enabled by full system emulation. He will discuss how to extend a sandbox to detect environment-dependent branching, identifying or circumventing environment detection attempts, and forcing execution along each possible path, covering as much of the executable code as possible. Christopher will also present approaches to identify and mitigate stalling code blocks, dramatically reducing the overhead of analysis when this approach is sufficient, or forcing the execution to exit the costly blocks when it is not. The session will also cover methods for identifying attempts to detect human behaviors, and recipes for bypassing these detection attempts.