Full System Emulation - Achieving Successful Automated Dynamic Analysis of Evasive Malware
Offered By: Black Hat via YouTube
Course Description
Overview
Explore full system emulation techniques for successful automated dynamic analysis of evasive malware in this Black Hat conference talk. Delve into the challenges faced by forensics experts and anti-malware solutions when extracting information from malicious files. Learn about dynamic analysis (sandboxing) methods for identifying suspicious behaviors and assessing risks associated with running malware samples. Discover the evolving techniques used by attackers to evade or complicate analysis, and gain insights into designing effective dynamic analysis systems. Compare externally instrumented full-system emulation with other approaches like OS emulation and traditional virtualization. Examine real-world examples of evasion techniques, including environment triggers, stalling code, and human interaction detection. Uncover solutions enabled by full system emulation, such as detecting environment-dependent branching, circumventing detection attempts, and mitigating stalling code blocks. Gain valuable knowledge on identifying and bypassing human behavior detection attempts, enhancing your ability to analyze and combat sophisticated malware.
Syllabus
Intro
What are we talking about?
Evolution of Malware
What do we want to monitor?
VM Approach versus CPU Emulation
Dynamic Analysis Approaches
Our Automated Malware Analysis
Visibility Does Matter
Detecting Keyloggers
Supporting Static Analysis
Detect Runtime Environment
Detect Analysis Engine
Avoid Monitoring
What can we do about evasion?
Bypassing Triggers
Combating Evasion
Passive Mode
Active Mode
Evasion in a Broader Context
Conclusions
Taught by
Black Hat
Related Courses
Computer Security - Stanford University via Coursera
Cryptography II - Stanford University via Coursera
Malicious Software and its Underground Economy: Two Sides to Every Story - University of London International Programmes via Coursera
Building an Information Risk Management Toolkit - University of Washington via Coursera
Introduction to Cybersecurity - National Cybersecurity Institute at Excelsior College via Canvas Network