Anti-emulation trends in modern packers: a survey on the evolution of anti-emulation techniques in UPA packers

Writing modern-day executable packers has turned into a rather profitable business. In many cases, the reason for packing is not protecting genuine applications against piracy or plagiarism, but rather avoiding reverse engineering and detection of malicious samples. Unlike legitimate developers, who show only moderate interest in using a packer and lack the time and resources to create one, malware authors show a huge interest and are willing to spend large amounts of money on this technology, especially if it offers protection against security solutions. This happens mainly because protecting against piracy and plagiarism is not as profitable as spreading new and undetected malware to as many computers as possible. Consequently, creating a custom packer designed to evade malware detection has grown into a very profitable business.

However, developing a good packer is not an easy task. Novel techniques for anti-static analysis, anti-virtual machine, anti-sandbox, anti-emulation, anti-debugging, anti-patching and so on have to be discovered and added regularly. From the malware author's perspective, this must happen frequently enough that updates are issued shortly after malware researchers analyze and bypass the existing mechanisms, because once those techniques are bypassed, the detection rate of samples packed with the old version of the packer increases.

In this paper, we present the findings that resulted from closely monitoring the fight between malware researchers and packer developers over a period of almost two years. We focus on three different packers used by prevalent malware families such as Upatre, Gamarue and Hedsen. We name these packers UPA 1, UPA 2 and UPA 3, and we discuss the mechanisms they use to achieve anti-emulation. Each technique is presented by listing the code and explaining its inner workings in detail.

In the end, we obtain a grasp of the current trends in achieving anti-emulation when developing modern packers.
