Extra Loops/Time Locks

From ema
Revision as of 12:32, 14 September 2017 by Ikirillov (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
EMA ID: ema-1275
Description: Extra loops may be added to make time-constraint emulators give up.
Associated Behavior: emulator prevention

Supporting Details:
Emulators can only run for a finite amount of time in order to determine whether a file is malicious or not, especially if they are running within security products on customers machines, thus they must have a cut off time for their emulation of a file. A good example of this is to set a long repetitive loop and include instructions within this loop that are used later in the code. Some emulators will give up early, whereas others may skip over the loop and miss these instructions.

Date Malware Family URL
March 1, 2013 https://www.ma.rhul.ac.uk/static/techrep/2015/RHUL-MA-2015-10.pdf