Malware authors are well known for developing techniques that let their malware evade antivirus analysis by deceiving static analysis and signature matching procedures. As a consequence, modern antiviruses execute these samples inside an emulated environment in order to observe their real binary code and the operations they perform. As in the cat-and-mouse game, modern malware implements new techniques to detect emulators. Indeed, malware authors exploit the natural weak points and limits of emulators, since correctly emulating a modern CPU architecture and the entire set of APIs of an operating system is a complex task that cannot be accomplished without a significant impact on performance, while antiviruses must be light and fast. The main purpose of this work is to explore the implementation details and the procedures used by antivirus emulators to execute samples in an emulated environment during dynamic analysis. Our aim is to test the most popular antiviruses, analyzing how malware samples that aim to deceive static analysis are detected and labelled. In this work we treat the antiviruses as black-box systems and use a differential analysis approach to extract implementation details from their emulators. In our experiments we modify the malware samples submitted for analysis by applying different techniques to escape emulation and, by analyzing the resulting analysis report, we are able to determine how these techniques are handled inside an emulated environment. Exploiting this approach, we can extract several implementation details from the emulators and explore their weak points and limits, based on the results of the analysis reports.
Analyzing the most popular antiviruses, we obtained interesting results showing that antiviruses are vulnerable to these attacks and which techniques they most commonly use to compensate for the limitations of an emulated environment. The most significant contribution of our work is the identification and reporting of weak points of the emulators that malware authors can easily exploit to deceive antivirus dynamic analysis. Unlike other works, our research focuses on analyzing the most critical areas of the emulators, such as the structure of the virtual memory or the performance limits, since improving and correcting flaws in these areas would require reorganizing several architectural aspects of the emulators, such as the memory layout or the quantity of allocatable resources.
CrAVe : a comprehensive black-box approach to analyze antiviruses' emulators
SALVIONI, FEDERICO
2016/2017
Abstract
Malware authors are well known for developing techniques that let their samples evade antivirus detection by defeating static analysis and signature matching procedures. As a consequence, modern antiviruses (AVs) execute samples inside an emulated environment in order to unpack their malicious binary code and analyze their behavior. As in the old cat-and-mouse game, modern malware implements new techniques to escape from emulators. Malware authors exploit the emulators' weaknesses and flaws, which stem from the fact that correctly emulating a modern CPU architecture and the entire set of operating system APIs is a complex task that cannot be done without drastically impacting performance, while AVs need to be light and fast. The main goal of this work is to explore the implementation details and the common flaws of the emulators that AVs use to execute analyzed samples during dynamic analysis. We test the most popular AVs, analyzing how they react to samples that deceive standard static analysis. We treat the AVs as black-box systems and use a differential analysis approach to extract implementation details from their emulators: we modify the analyzed samples by applying different anti-emulation techniques and then, from the outcome of the analysis reports, figure out how each technique is handled inside the emulated environment. In this way the AV's analysis report serves as a side channel through which we extract as many implementation details as possible from the emulator and explore its flaws and limits. Analyzing the most popular AVs, we obtain insights that demonstrate how susceptible AVs are to such attacks and which techniques AVs commonly use to cope with the limitations of an emulated environment.
As the main contribution of this work, we point out several implementation flaws and weak points of the AVs' emulators that malware authors could use to deceive dynamic analysis. Unlike existing research, we focus on testing the critical areas of the emulators, such as the memory address space and the performance limits, which are difficult to patch without reorganizing aspects of the emulators' architecture such as the memory layout or the quantity of allocated resources.
File | Size | Format | |
---|---|---|---|
2017_12_Salvioni.pdf (not accessible; description: thesis text) | 885.16 kB | Adobe PDF | View/Open |
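The differential approach the abstract describes (gate the sample's flagged behaviour behind an anti-emulation probe, then read the AV report to learn whether the emulator survived the probe) can be made concrete with a small C sample. The following is an added example written for this page; it is not code from the thesis, and since the thesis PDF is not accessible here, the probe names (`alloc`, `loop`, `timing`), the 4 MiB allocation step, the iteration count and the thresholds are illustrative assumptions rather than values the thesis used. `payload()` stands in for whatever behaviour the unmodified baseline sample is already detected for.

```c
/* Added example, not code from the thesis. One binary, many variants: argv
 * selects which anti-emulation probe gates the payload and at what threshold.
 * Probe names, step sizes and thresholds are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define PAGE_SIZE 4096u

/* Resource probe (assumed technique): allocate and touch memory in blocks of
 * `step` bytes until `max` bytes are reached or an allocation fails. Touching
 * one byte per page forces the environment to actually commit the memory.
 * Returns the number of bytes successfully allocated and touched. */
size_t probe_alloc_limit(size_t step, size_t max)
{
    if (step == 0 || max == 0)
        return 0;
    size_t cap = (max + step - 1) / step;          /* blocks needed to reach max */
    char **blocks = calloc(cap, sizeof *blocks);
    if (!blocks)
        return 0;
    size_t total = 0, used = 0;
    while (total < max) {
        size_t sz = (max - total < step) ? max - total : step;
        char *b = malloc(sz);
        if (!b)
            break;                                 /* the environment refused */
        for (size_t off = 0; off < sz; off += PAGE_SIZE)
            b[off] = (char)used;                   /* commit each page */
        blocks[used++] = b;
        total += sz;
    }
    for (size_t i = 0; i < used; i++)
        free(blocks[i]);
    free(blocks);
    return total;
}

/* Performance probe (assumed technique): burn a known number of iterations.
 * An emulator with an instruction budget either gives up before the loop ends
 * (so the payload never runs) or takes measurably longer than native. The
 * checksum keeps the loop from being optimised away and is deterministic. */
uint32_t busy_loop(uint32_t iterations)
{
    volatile uint32_t acc = 0;
    for (uint32_t i = 0; i < iterations; i++)
        acc = acc * 1103515245u + 12345u + i;
    return acc;
}

/* Process CPU time, in milliseconds, spent in busy_loop(iterations).
 * An emulator may virtualise the clock, so treat an implausibly small
 * value as a signal in its own right rather than as a pass. */
double busy_loop_ms(uint32_t iterations)
{
    clock_t t0 = clock();
    (void)busy_loop(iterations);
    return 1000.0 * (double)(clock() - t0) / CLOCKS_PER_SEC;
}

/* Stand-in for the behaviour the AV report already flags in the ungated
 * baseline sample. Returns 1 so callers can tell whether it ran. */
int payload(void)
{
    puts("PAYLOAD: behaviour the baseline sample is flagged for");
    return 1;
}

/* Run one variant: the payload executes only if the chosen probe passes.
 * Returns 1 if the payload ran, 0 otherwise (including unknown probe). */
int run_variant(const char *probe, unsigned long threshold)
{
    if (strcmp(probe, "alloc") == 0) {             /* threshold = bytes */
        size_t want = (size_t)threshold;
        return probe_alloc_limit(4u << 20, want) >= want ? payload() : 0;
    }
    if (strcmp(probe, "loop") == 0) {              /* threshold = iterations */
        (void)busy_loop((uint32_t)threshold);      /* budget test: reach the end */
        return payload();
    }
    if (strcmp(probe, "timing") == 0) {            /* threshold = max ms */
        double ms = busy_loop_ms(1u << 24);        /* assumed: tens of ms native */
        return ms <= (double)threshold ? payload() : 0;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s alloc|loop|timing <threshold>\n", argv[0]);
        return 2;
    }
    return run_variant(argv[1], strtoul(argv[2], NULL, 10)) ? 0 : 1;
}
```

Build it once and submit the ungated baseline together with one variant per probe and threshold, for example `sample alloc 33554432`, `sample loop 50000000` and `sample timing 200`. A variant whose report no longer shows the payload behaviour tells you that the emulator hit the limit that variant probes (it refused the allocation, ran out of instruction budget before the loop finished, or ran the loop too slowly), and varying the threshold across variants brackets the actual limit. Because `clock()` may be virtualised inside the emulator, a timing variant that passes with an implausibly small value is itself a finding about the emulator's clock, not evidence that the performance limit is absent.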
Documents in POLITesi are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/10589/137527