SLIME: AUTOMATED ANTI-SANDBOXING DISARMAMENT SYSTEM presented at BlackHatAsia 2015

by Kenji Aiko, Yosuke Chubachi,

Summary : Recently, a malware is constantly growing which forces malware analysts into hard work. An automated malware analysis can help security engineers, but some malware cannot be run in a sandbox environment. For example, sophisticated malware such as the Citadel and Zeus/GameOver are armed with anti-sandbox techniques to prevent running except on an infected host. These malware detect the execution environment and do not engage in malicious behavior when the current host differs from the infected host. In this presentation, we present an automatically disarmament system for armed malware with anti-sandboxing. The system targets 1) Host-fingerprinting malware like citadel, 2) armed malware with general anti-sandboxing for automated sandbox analyzer. Disarmament approach focuses on exit reasons and exit before activity in malware execution. We developed CPU emulator-based disarmament system with instrumentation. The system suggests a suitable environment for dynamic analysis for individual malware. We will provide statistics of evasive malware in the real world. We will report the result of analysis of large-scale samples.