Malware, as the centerpiece of threats to the Internet, has increased exponentially. To handle the large volume of malware samples collected each day, numerous automated malware analysis techniques have been developed. In response, malware authors have made analysis-environment detection increasingly popular and commoditized. In turn, security practitioners have created systems that make an analysis environment appear like a normal system (e.g., bare-metal malware analysis). Thus far, neither side has claimed a definitive advantage.
In this presentation, we demonstrate techniques that, if widely adopted by the criminal underground, would permanently disadvantage automated malware analysis by making it ineffective and unscalable. To do so, we turn the problem of analysis-environment detection on its head. That is, instead of designing techniques that detect specific analysis environments, we propose malware that fails to execute correctly on any environment other than the one originally infected.
To achieve this goal, we developed two obfuscation techniques that make the successful execution of a malware sample dependent on the unique properties of the original infected host. To reinforce the potential for malware authors to leverage this type of analysis resistance, we discuss the Flashback botnet's use of a similar technique to prevent the automated analysis of its samples.
Chengyu Song is a PhD student at the Georgia Institute of Technology. His current research interest is in system security, with a special focus on topics that may have practical impact. Prior to Georgia Tech, Chengyu received his Bachelor's and Master's degrees at Peking University, China, where he worked with other researchers on malware analysis, botnets, the underground economy, and drive-by download attacks. He is also a member of the Honeynet Project.
Paul Royal is a Research Scientist at the Georgia Institute of Technology, where he engages in collaborative research on various facets of the online criminal ecosystem. Prior to Georgia Tech, Royal served as Principal Researcher at Purewire, Inc., where he worked with other researchers to identify threats and design methods that enhanced the company's web security service. Royal often focuses on research topics of interest to both academics and industry practitioners, with previous work presented at Black Hat USA that subsequently appeared in ACM CCS.