Nytro Posted September 2, 2013 Report Share Posted September 2, 2013 Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM TechnologiesRodrigo Rubira Branco, Gabriel Negreira Barbosa, Pedro Drimel Neto{rbranco,gbarbosa,pdrimel} *NOSPAM* qualys.comQualys – Vulnerability & Malware Research Labs (VMRL)Version 1.01 UPXUPXV200V290MarkusOberhumerLaszloMolnarJohnReiserAnti-VM (SLDT)Anti-VM (IN)Push Pop MathInstruction CountingPEB NtGlobalFlagPEB's BeingDebugged (StealthIsDebuggerPresent)UPXv20MarkusLaszloReiserAnti-VM (SLDT)Anti-VM (IN)Push Pop MathInstruction CountingPEB's BeingDebugged (StealthIsDebuggerPresent)SS registerUPX290LZMAMarkusOberhumerLaszloMolnarJohnReiserAnti-VM (IN)Push Pop MathInstruction CountingPEB's BeingDebugged (StealthIsDebuggerPresent)SS registerUPX20030XMarkusOberhumerLaszloMolnarJohnReiserAnti-VM (IN)Push Pop MathInstruction CountingPEB's BeingDebugged (StealthIsDebuggerPresent)UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiserAnti-VM (IN)Instruction CountingPEB NtGlobalFlagPEB's BeingDebugged (StealthIsDebuggerPresent)UPXProtectorv10x2Nothing2 ArmadilloArmadillov171Instruction CountingInstruction Substitution (push – ret)Armadillov1xxv2xxNothing3 PECompactAnti-VM (STR)Anti-VM (SLDT)Anti-VM (IN)Push Pop MathPEB NtGlobalFlagPEB's BeingDebugged (StealthIsDebuggerPresent)SoftICE – Interrupt 1Software Breakpoint DetectionSS register4 BobSoftMiniDelphiBoBBobSoftAnti-VM (STR)Anti-VM (SLDT)Anti-VM (IN)Push Pop MathPEB's BeingDebugged (StealthIsDebuggerPresent)SoftICE – Interrupt 1SS register5 ASPackASPackv212AlexeySolodovnikovASProtectV2XDLLAlexeySolodoAnti-VM (IN)PEB's BeingDebugged (StealthIsDebuggerPresent)SS registerASPackv10803AlexeySolodovnikovAnti-VM (IN)PEB's BeingDebugged (StealthIsDebuggerPresent)ASPackv21AlexeySolodovnikovPEB's BeingDebugged (StealthIsDebuggerPresent)SS register6 ProtectSharewareV11eCompservCMSAnti-VM (SLDT)Anti-VM (IN)Instruction CountingPEB's BeingDebugged (StealthIsDebuggerPresent)Instruction Substitution (push – ret)7ASProtect13321RegisteredAlexeySolodovnikov ASProtectv12Anti-VM (STR)Anti-VM (SLDT)Anti-VM (IN)Push Pop MathPEB's BeingDebugged (StealthIsDebuggerPresent)SoftICE – Interrupt 1Software Breakpoint DetectionSS register8 WiseInstallerStubNothing9 MaskPEV20yzkzeroAnti-VM (SLDT)Anti-VM (IN)Push Pop MathPEB's BeingDebugged (StealthIsDebuggerPresent)SS registerTable 1 – Packers Anti-Reverse EngineeringAbstractMalware is widely acknowledged as a growing threat with hundreds of thousands of new samplesreported each week. Analysis of these malware samples has to deal with this significant quantity butalso with the defensive capabilities built into malware; Malware authors use a range of evasiontechniques to harden their creations against accurate analysis. The evasion techniques aim to disruptattempts of disassembly, debugging or analyse in a virtualized environment.This talk catalogs the common evasion techniques malware authors employ, applying over 50 differentstatic detections, combined with a few dynamic ones for completeness. We validate our catalog byrunning these detections against a database of 4 million samples (the system is constantly running andthe numbers will be updated for the presentation), enabling us to present an analysis on the real state ofevasion techniques in use by malware today. The resulting data will help security companies andresearchers around the world to focus their attention on making their tools and processes more efficientto rapidly avoid the malware authors' countermeasures.This first of its kind, comprehensive catalog of countermeasures was compiled by the paper's authorsby researching each of the known techniques employed by malware, and in the process new detectionswere proposed and developed. The underlying malware sample database has an open architecture thatallows researchers not only to see the results of the analysis, but also to develop and plug-in newanalysis capabilities. The system will be made available in beta at Black Hat, with the purpose ofserving as a basis for innovative community research.Download:http://media.blackhat.com/bh-us-12/Briefings/Branco/BH_US_12_Branco_Scientific_Academic_Slides.pdfTutorialul este in scopuri educative Quote Link to comment Share on other sites More sharing options...
