AVLeak : profiling commercial anti-virus emulators through black box testing

Authors
Bulazel, Alexei
Other Contributors
Yener, Bülent, 1959-
Milanova, Ana
Spooner, David
Issue Date
2015-05
Keywords
Computer science
Degree
MS
Terms of Use
This electronic version is a licensed copy owned by Rensselaer Polytechnic Institute, Troy, NY. Copyright of original work retained by author.
Abstract
Consumer AV emulators are incredibly vulnerable to detection attacks, but discovering artifacts that can be exploited for detection can be a time-consuming process. Researchers can spend significant time reverse engineering emulator code, look for artifacts in process memory dumps, or inject "decoy" malware into emulator engines. With decoy malware injection, a program is created that tests some condition of the emulator (e.g., will it let a program allocate 500 MB of memory, will it let a program load a given DLL, does it return the right value for a given obscure API call) and either unpacks or does not unpack malware as a result. By checking whether the malware was detected, researchers are able to leak some information about the internal state of the emulator. Unfortunately, this process can be slow, and it often provides only negative results that can be used for detection (e.g., API call X is not correctly emulated, DLL X cannot be loaded).
Description
May 2015
School of Science
Department
Dept. of Computer Science
Publisher
Rensselaer Polytechnic Institute, Troy, NY
Relationships
Rensselaer Theses and Dissertations Online Collection
Access
Restricted to current Rensselaer faculty, staff and students. Access inquiries may be directed to the Rensselaer Libraries.