emulator prevention

From ema
Jump to navigation Jump to search
EMA ID: ema-1268
Description: Defeats or prevents the execution of the malware instance in an emulator.

Examples:

  • Different Opcode Sets: Use different opcodes sets (ex: FPU, MMX, SSE) to block emulators.
  • Undocumented Opcodes: Use rare or undocumented opcodes to block non-exhaustive emulators.
  • Unusual/Undocumented API Calls: Call unusual APIs to block non-exhaustive emulators (particularly anti-virus).
  • Extra Loops/Time Locks: Add extra loops to make time-constraint emulators give up.
  • Deposited Keys: Parts of the code and/or data is encrypted or otherwise relies on data external to the file itself. For example, malware that contains code that is encrypted with a key that is downloaded from a server; malware that only runs if certain other software is installed on the system; or malware that reads certain attributes of the system (BIOS version string, hostname, etc) and then encrypts portions of its code or data using those attributes as input, thus preventing itself from being able to be run on a different system (e.g., sandbox, emulator, etc.).
  • Secure Triggers: Code and/or data is encrypted until the underlying system satisfies a preselected condition unknown to the analyst (this is a form of Deposited Keys).
  • Malloc Use: Instead of unpacking into a pre-defined section/segment (ex: .text) of the binary, uses malloc()/VirtualAlloc() to create a new segment. This makes keeping track of memory locations across different runs more difficult, as there is no guarantee that malloc/VirtualAlloc will assign the same address range each time.
  • Pipeline Misdirection: Taking advantage of pipelining in modern processors to misdirect debugging, emulation, or static analysis tools. An unpacker can assume a certain number of opcodes will be cached and then proceed to overwrite them in memory, causing a debugger/emulator/analyzer to follow different code than is normally executed.
  • Loop Escapes: Using SEH or other methods to break out of a loop instead of a conditional jump.

Associated Capabilities/Subcapabilities: Capability.png Anti-Behavioral Analysis