Full System Emulation Achieving Successful Automated Dynamic Analysis of Evasive Malware

Video Link: https://www.youtube.com/watch?v=2giK61nvdX8
Category: Guide
Duration: 50:30

Today, forensics experts and anti-malware solutions face a multitude of challenges when attempting to extract information from malicious files; dynamic analysis (sandboxing) is a popular method of identifying behavior associated with running or opening a given file, and provides the ability to examine the actions which that file is responsible for. Dynamic analysis technology is gaining popularity for use in detecting targeted threats and zero-day attacks, because this approach need not rely on detecting the malicious code. Instead, it can leverage the ability to identify generic "suspicious behaviors" to assess the risk inherent in running a given sample, and provide intelligence about the protocols and infrastructure attackers can use to control malicious samples.

Of course, many attackers have a vested interest in making it much more difficult to extract intelligence from their backdoors or implants. New techniques to evade or complicate analysis of samples are growing in popularity and diversity. With malware authors constantly evolving new techniques to hamper automated analysis, what is a researcher to do?

In the first part of our presentation, Christopher Kruegel, Co-Founder and Chief Scientist at Lastline, will talk about designing dynamic analysis systems, how one might go about building such a system, and what information one should seek to extract with a dynamic analysis platform. He will explain the advantages and limitations of externally instrumented full-system emulation, and demonstrate its value in comparison with other approaches such as OS emulation or traditional virtualization solutions which instrument from inside the analysis environment.

In the second part, Christopher will discuss and provide recent examples of several classes of evasion techniques observed in the wild, including environment triggers, stalling code, and detection of human interaction, and demonstrate the evolution of techniques over time.

In the third part, he will present a number of solutions to these challenges, each enabled by full system emulation. He will discuss how to extend a sandbox to detect environment-dependent branching, identify or circumvent environment detection attempts, and force execution along each possible path, covering as much of the executable code as possible. Christopher will also present approaches to identify and mitigate stalling code blocks, dramatically reducing the overhead of analysis when this approach is sufficient, or forcing the execution to exit the costly blocks when it is not. The session will also cover methods for identifying attempts to detect human behaviors, and recipes for bypassing these detection attempts.
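The two sandbox extensions named in this part, detecting environment-dependent branches and forcing execution down each side of them, and abandoning stalling code that produces no observable behavior, can be shown on a toy scale. The example below is added here for illustration and is not code from the talk or from Lastline's product. It assumes a made-up register machine (ops `env`, `set`, `sub`, `api`, `jmp`, `jz`, `jnz`, `halt`), a constructed sample program, a constructed environment answer (`ENV`), and a stall budget chosen for the demo; the API names are only labels for "observable behavior". The analyzer taints every register derived from an environment query, treats a conditional branch on a tainted register as environment-dependent, forks a copy forced down the other side, and flags a path as stalling when it runs too long without any API call.

```python
"""Toy multipath sandbox: taint-based detection of environment-dependent
branches, forced path exploration, and stalling-code detection.
Added example with constructed inputs; not the presenter's or Lastline's code."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed answer the analysis environment gives to the sample's query.
ENV = {"cpu_count": 1}

# Constructed sample: an environment check decides between real behaviour
# and a stalling loop that burns cycles without doing anything observable.
SAMPLE = [
    ("env", "r0", "cpu_count"),   # 0: r0 <- environment query (tainted)
    ("set", "r1", 1),             # 1
    ("sub", "r0", "r1"),          # 2: r0 <- r0 - 1; taint propagates to r0
    ("jz", "r0", 6),              # 3: one CPU looks like a sandbox -> go to 6
    ("api", "InternetOpenA"),     # 4: observable behaviour on a "real" host
    ("jmp", 9),                   # 5
    ("set", "r2", 50000),         # 6: stalling loop, no API activity at all
    ("sub", "r2", "r1"),          # 7
    ("jnz", "r2", 7),             # 8
    ("halt",),                    # 9
]


@dataclass
class State:
    pc: int = 0
    regs: Dict[str, int] = field(default_factory=dict)
    tainted: Set[str] = field(default_factory=set)   # regs derived from env queries
    apis: List[str] = field(default_factory=list)    # observable behaviour on this path
    forced: List[Tuple[int, bool]] = field(default_factory=list)  # (pc, outcome)
    stalled: bool = False

    def fork(self) -> "State":
        return State(self.pc, dict(self.regs), set(self.tainted),
                     list(self.apis), list(self.forced))


def run_path(st: State, program, worklist: List[State],
             env_branches: Set[int], stall_budget: int = 500) -> State:
    """Execute one path to halt or until it stalls; forks at tainted branches."""
    idle = 0  # instructions executed since the last observable API call
    while True:
        op, *args = program[st.pc]
        idle += 1
        if idle > stall_budget:      # stalling code: abandon instead of waiting it out
            st.stalled = True
            return st
        if op == "env":
            r, query = args
            st.regs[r] = ENV[query]
            st.tainted.add(r)
        elif op == "set":
            r, v = args
            st.regs[r] = v
            st.tainted.discard(r)
        elif op == "sub":
            a, b = args
            st.regs[a] -= st.regs[b]
            if b in st.tainted:      # taint flows through arithmetic
                st.tainted.add(a)
        elif op == "api":
            st.apis.append(args[0])
            idle = 0
        elif op == "jmp":
            st.pc = args[0]
            continue
        elif op == "halt":
            return st
        elif op in ("jz", "jnz"):
            r, target = args
            taken = (st.regs[r] == 0) == (op == "jz")
            if r in st.tainted:      # branch depends on the environment
                env_branches.add(st.pc)
                if (st.pc, not taken) not in st.forced:
                    other = st.fork()                      # force the other side
                    other.forced.append((st.pc, not taken))
                    other.pc = st.pc + 1 if taken else target
                    worklist.append(other)
            st.pc = target if taken else st.pc + 1
            continue
        else:
            raise ValueError(f"unknown op {op}")
        st.pc += 1


def explore(program, stall_budget: int = 500) -> dict:
    """Run every discovered path and summarise behaviour across all of them."""
    env_branches: Set[int] = set()
    worklist = [State()]
    paths: List[State] = []
    while worklist:
        paths.append(run_path(worklist.pop(), program, worklist,
                              env_branches, stall_budget))
    return {
        "env_branches": sorted(env_branches),
        "all_apis": sorted({a for p in paths for a in p.apis}),
        "stalled_paths": sum(p.stalled for p in paths),
        "paths": [(p.forced, p.apis, p.stalled) for p in paths],
    }


if __name__ == "__main__":
    print(explore(SAMPLE))
```

On the constructed sample the natural path (one CPU) enters the stalling loop and is cut off after the budget with no behavior recorded, while the forced path reveals the `InternetOpenA` call that a single-path sandbox on that machine would never have seen; the report names branch 3 as the environment-dependent decision point.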

PRESENTED BY
Christopher Kruegel


Black Hat - USA - 2014 Hacking conference