AVLeak : profiling commercial anti-virus emulators through black box testing
Loading...
Authors
Bulazel, Alexei
Issue Date
2015-05
Type
Electronic thesis
Thesis
Thesis
Language
ENG
Keywords
Computer science
Alternative Title
Abstract
Consumer AV emulators are incredibly vulnerable to detection attacks, but discovering artifacts that can be exploited for detection can be a time-consuming process. Researchers can either spend significant time reverse engineering emulator code, look for artifacts in process memory dumps, or inject "decoy" malware into emulator engines. With decoy malware injection, a program is created that tests some condition of the emulator (ie: will it let a program allocate 500 MB of memory, will it let a program load a given DLL, does it return the right value for a given obscure API call) and either unpacks or does not unpack malware as a result. By checking if malware was detected, researchers are able to leak some information about the internal state of the emulator. Unfortunately, this process can be slow, and often only provides negative results that can be used for detection (ie: API call X is not correctly emulated, DLL X cannot be loaded).
Description
May 2015
School of Science
School of Science
Full Citation
Publisher
Rensselaer Polytechnic Institute, Troy, NY