@inproceedings{831b5afae9424f53ab9d0c54c7d065b6,
title = "Emulating emulation-resistant malware",
abstract = "The authors of malware attempt to frustrate reverse engineering and analysis by creating programs that crash or otherwise behave differently when executed on an emulated platform than when executed on real hardware. In order to defeat such techniques and facilitate automatic and semi-automatic dynamic analysis of malware, we propose an automated technique to dynamically modify the execution of a whole-system emulator to fool a malware sample's anti-emulation checks. Our approach uses a scalable trace matching algorithm to locate the point where emulated execution diverges, and then compares the states of the reference system and the emulator to create a dynamic state modification that repairs the difference. We evaluate our technique by building an implementation into an emulator used for in-depth malware analysis. On case studies that include real samples of malware collected in the wild and an attack that has not yet been exploited, our tool automatically ameliorates the malware sample's anti-emulation checks to enable analysis, and its modifications are robust to system changes.",
keywords = "Dynamic analysis, Emulation, Malware analysis, Virtualization",
author = "Kang, {Min Gyung} and Heng Yin and Steve Hanna and Stephen McCamant and Dawn Song",
year = "2009",
doi = "10.1145/1655148.1655151",
language = "English (US)",
isbn = "9781605587806",
series = "Proceedings of the ACM Conference on Computer and Communications Security",
pages = "11--22",
booktitle = "Proceedings of the 1st ACM Workshop on Virtual Machine Security, VMSec '09, Co-located with the 16th ACM Computer and Communications Security Conference, CCS'09",
note = "1st ACM Workshop on Virtual Machine Security, VMSec '09, Co-located with the 16th ACM Computer and Communications Security Conference, CCS'09 ; Conference date: 09-11-2009 Through 13-11-2009",
}