원문정보
초록
영어
In order to be a long time alive, modern malware often make anti-emulation check after launched for evading dynamic analysis. Malware authors gain fingerprint information of target environment through several API to detect whether their creations are running in monitored state or not. If an emulated analysis environment is detected, the malware will change its running to avoid malicious behavior exposing. The existing approaches are based on trace matching with a intuition that, given the same inputs, the execution of a program should be the same in simulated analysis environment and on a real hardware reference system. However those approaches are too fine-grained to be inefficient. In this paper we propose an approach to deal with anti-emulation using instruction traces and dynamic slicing. With a difference from trace matching solutions presented in existing references, our approach is performed on one instruction trace derived from our dynamic analysis platform. We evaluate our approach with 189 malware samples collected in the wild. The experience shows that our proposed approach can spot efAPI used for anti-emulation check in an efficient way.
목차
1. Introduction
2. Problem Statement
3. A Slicing-based Approach to eliminate Anti-emulation Checks
3.1. The Instruction Tracer
3.2. Execution Pattern Inspection
3.3. Dynamic Backward Slicing Algorithm
3.4. Building and Applying DSM
4. Experiment
5. Discussion
6. Related Work
7. Conclusion
Acknowledgements
References