Emulating emulation-resistant malware

Min Gyung Kang, Heng Yin, Steve Hanna, Stephen McCamant, Dawn Song

Research output: Chapter in Book/Report/Conference proceedingConference contribution

49 Scopus citations

Abstract

The authors of malware attempt to frustrate reverse engineering and analysis by creating programs that crash or otherwise behave differently when executed on an emulated platform than when executed on real hardware. In order to defeat such techniques and facilitate automatic and semi-automatic dynamic analysis of malware, we propose an automated technique to dynamically modify the execution of a whole-system emulator to fool a malware sample's anti-emulation checks. Our approach uses a scalable trace matching algorithm to locate the point where emulated execution diverges, and then compares the states of the reference system and the emulator to create a dynamic state modification that repairs the difference. We evaluate our technique by building an implementation into an emulator used for in-depth malware analysis. On case studies that include real samples of malware collected in the wild and an attack that has not yet been exploited, our tool automatically ameliorates the malware sample's anti-emulation checks to enable analysis, and its modifications are robust to system changes.

Original languageEnglish (US)
Title of host publicationProceedings of the 1st ACM Workshop on Virtual Machine Security, VMSec '09, Co-located with the 16th ACM Computer and Communications Security Conference, CCS'09
Pages11-22
Number of pages12
DOIs
StatePublished - Dec 1 2009
Event1st ACM Workshop on Virtual Machine Security, VMSec '09, Co-located with the 16th ACM Computer and Communications Security Conference, CCS'09 - Chicago, IL, United States
Duration: Nov 9 2009Nov 13 2009

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)1543-7221

Other

Other1st ACM Workshop on Virtual Machine Security, VMSec '09, Co-located with the 16th ACM Computer and Communications Security Conference, CCS'09
CountryUnited States
CityChicago, IL
Period11/9/0911/13/09

    Fingerprint

Keywords

  • Dynamic analysis
  • Emulation
  • Malware analysis
  • Virtualization

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Kang, M. G., Yin, H., Hanna, S., McCamant, S., & Song, D. (2009). Emulating emulation-resistant malware. In Proceedings of the 1st ACM Workshop on Virtual Machine Security, VMSec '09, Co-located with the 16th ACM Computer and Communications Security Conference, CCS'09 (pp. 11-22). (Proceedings of the ACM Conference on Computer and Communications Security). https://doi.org/10.1145/1655148.1655151