You are here
AVLeak: Fingerprinting Antivirus Emulators through Black-Box Testing
Jeremy Blackthorne, Alexei Bulazel, Andrew Fasano, Patrick Biernat, and Bülent Yener, Rensselaer Polytechnic Institute
To fight the ever-increasing proliferation of novel malware, antivirus (AV) vendors have turned to emulation-based automated dynamic malware analysis. Malware authors have responded by creating malware that attempts to evade detection by behaving benignly while running in an emulator. Malware may detect emulation by looking for emulator “fingerprints” such as unique environmental values, timing inconsistencies, or bugs in CPU emulation.
Due to their immense complexity and the expert knowledge required to effectively analyze them, reverse-engineering AV emulators to discover fingerprints is an extremely challenging task. As an alternative, researchers have demonstrated fingerprinting attacks using simple black-box testing, but these techniques are slow, inefficient, and generally awkward to use.
We propose a novel black-box technique to efficiently extract emulator fingerprints without reverse-engineering. To demonstrate our technique, we implemented an easy-to-use tool and API called AVLeak. We present an evaluation of AVLeak against several current consumer AVs and show emulator fingerprints derived from our experimentation. We also propose a classification of fingerprints as they apply to consumer AV emulators. Finally, we discuss the defensive implications of our work, and future directions of research in emulator evasion and exploitation.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.