Alexei Bulazel - Detecting & Evading Automated Malware Analysis
Automated dynamic malware analysis systems, aka "malware sandboxes", are an important tool on the front lines of defense against modern malware. Unfortunately for defenders, these systems can be easily detected and evaded by malware.
In this presentation we'll take a comprehensive look at the design of automated dynamic malware analysis systems as used in industry, academia, and consumer antivirus software. We'll then survey actual offensive detection and evasion techniques as observed in the wild and proposed in academic literature and security conference presentations.
After introducing anti-analysis, we'll focus on the seldom discussed emulators used by consumer antivirus software to analyze unknown binaries. While these emulators are installed on hundreds of millions of antivirus-protected computers worldwide, their design and internals have rarely been discussed publicly in conference talks or papers. We'll discuss AVLeak, a tool developed to help offensive researchers discover antivirus emulator "fingerprints" that can be used to detect and evade them. We'll demo the tool live and show real world fingerprints that can be used to detect and evade popular consumer AVs including Kaspersky, the Bitdefender engine (licensed out to 20+ other AV products), AVG, and VBA.
We'll conclude by discussing future directions for research in anti-analysis - both offensive and defensive; and try to address some of the inherent weaknesses in automated analysis systems that make them so easy for attackers to evade despite defensive innovation.
Alexei Bulazel is an NYC- and DC-based security researcher. A recent graduate of Rensselaer Polytechnic Institute (RPI), Alexei worked under Dr. Bülent Yener on developing anti-emulation techniques for malware. He has previously presented his research at venues such as Black Hat, ShmooCon, and the USENIX Workshop on Offensive Technologies, among others. Alexei's research interests include Windows kernel / rootkit development, reverse engineering, and exploitation; anti-emulation and anti-virtualization; and reverse engineering antivirus software.
Presented at the Jailbreak Security Summit, April 28, 2017, Laurel, Maryland, USA.
(Source: Jailbreak Brewing Company)