SLIME: Automated Anti-Sandboxing Disarmament System

Presented at Black Hat Asia 2015

The volume of malware keeps growing, which forces malware analysts into hard work. Automated malware analysis can help security engineers, but some malware cannot be run in a sandbox environment at all. For example, sophisticated malware such as Citadel and Zeus/GameOver is armed with anti-sandbox techniques so that it runs only on the host it originally infected. Such malware fingerprints its execution environment and performs no malicious behavior when the current host differs from the infected host.

In this presentation, we present an automated disarmament system for malware armed with anti-sandboxing. The system targets 1) host-fingerprinting malware such as Citadel, and 2) malware armed with general anti-sandboxing techniques aimed at automated sandbox analyzers. The disarmament approach focuses on the exit reasons: the checks on which the malware decides to exit before performing any activity.

We developed a CPU-emulator-based disarmament system with instrumentation. For each individual malware sample, the system suggests an environment in which dynamic analysis can succeed. We will provide statistics on evasive malware in the real world and report the results of analyzing a large-scale sample set.
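The following toy model illustrates the idea of disarmament driven by exit reasons described in the abstract: every environment query the sample makes is instrumented, an exit that happens before the payload is trapped, the last query before the exit is treated as the prime candidate for the exit reason, and the environment is adjusted and the sample re-run. This is an added example written for this page; it is not the SLIME system, not FFRI's code, and it emulates no real CPU. The `Env` class, the `toy_sample` function, the constructed fingerprint values and the "last query before exit" heuristic are all assumptions made for illustration.

```python
"""Toy model of exit-reason-driven disarmament (added example, not SLIME's code).

Assumptions (hypothetical): the sample reaches its environment only through an
`Env` object we control, so every query is logged in program order, and any
exit before payload activity is trapped as `EarlyExit`.
"""
import hashlib

# Fingerprint of the (constructed) originally infected host. A real
# host-locked sample would carry this value, not the raw hostname/serial.
INFECTED_HOST_FP = hashlib.sha256(b"VICTIM-PC|1234ABCD").hexdigest()


class EarlyExit(Exception):
    """Raised when the sample bails out before doing anything malicious."""


class Env:
    """Instrumented environment: records every query the sample makes."""

    def __init__(self, values):
        self.values = dict(values)
        self.trace = []  # list of (query_name, returned_value), in program order

    def query(self, name):
        value = self.values[name]
        self.trace.append((name, value))
        return value


def toy_sample(env):
    """Constructed evasive sample: a general anti-sandbox check first, then a
    host-fingerprint check bound to the originally infected host, then payload."""
    # 1) General anti-sandbox check: refuse to run under a hypervisor.
    if env.query("hypervisor_present"):
        raise EarlyExit("sandbox_detected")
    # 2) Host-fingerprint check: run only on the host the sample was installed on.
    fp = hashlib.sha256(
        (env.query("hostname") + "|" + env.query("volume_serial")).encode()
    ).hexdigest()
    if fp != INFECTED_HOST_FP:
        raise EarlyExit("fingerprint_mismatch")
    # 3) Payload, modelled as a marker string.
    return "payload_ran"


def run_once(env):
    """Run the sample once; return (result, exit_reason)."""
    try:
        return toy_sample(env), None
    except EarlyExit as exc:
        return None, str(exc)


def disarm(initial_values, known_host=None, max_rounds=5):
    """Search for an environment in which the sample reaches its payload.

    Heuristic: the last environment query before an early exit is the prime
    candidate for the exit reason. A boolean check (general anti-sandboxing) is
    simply flipped; a string check is reported as a host-fingerprint field, and
    can only be satisfied if the analyst supplies values from the infected host.
    Returns a per-round report that doubles as the suggested environment."""
    values = dict(initial_values)
    report = []
    for _ in range(max_rounds):
        env = Env(values)
        result, reason = run_once(env)
        if result is not None:
            report.append({"status": "payload_reached", "env": dict(values)})
            return report
        last_query, last_value = env.trace[-1]
        if isinstance(last_value, bool):
            report.append({"status": "general_check", "reason": reason,
                           "field": last_query, "set_to": not last_value})
            values[last_query] = not last_value
        else:
            fields = [q for q, v in env.trace if not isinstance(v, bool)]
            report.append({"status": "host_locked", "reason": reason,
                           "fields": fields})
            if not known_host or any(f not in known_host for f in fields):
                return report  # suitable environment needs infected-host values
            values.update({f: known_host[f] for f in fields})
    report.append({"status": "gave_up"})
    return report


if __name__ == "__main__":
    # Constructed sandbox environment: a VM with a generic machine identity.
    sandbox = {"hypervisor_present": True,
               "hostname": "SANDBOX-01", "volume_serial": "00000000"}
    for step in disarm(sandbox):
        print(step)
    print("with infected-host values:")
    for step in disarm(sandbox, known_host={"hostname": "VICTIM-PC",
                                            "volume_serial": "1234ABCD"}):
        print(step)
```

Run without infected-host values, the report stops at `host_locked` and names the fields (`hostname`, `volume_serial`) that the sample compares; this is the analyst-facing suggestion that the sample will only run when those fields match the infected host. Supplying the values recovered from that host lets the third round reach the payload.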


Presenters:

  • Kenji Aiko - FFRI, Inc.
    Kenji Aiko is a Programmer at FFRI, Inc., and is one of the developers of "FFRI yarai", a targeted-attack protection software. He is a Security Camp lecturer and a member of the executive committee of SECCON since 2012.
  • Yosuke Chubachi - FFRI, Inc.
    Yosuke Chubachi is a Security Engineer at FFRI, Inc. He studied at the Graduate School of Information System Engineering at the University of Tsukuba. His research interests are in operating systems and virtual machine monitors, in particular access control and intrusion prevention systems. He has been a lecturer of Security Camp (a national information security human resource development program) since 2011 and a member of the executive committee of SECCON (SECurity CONtest, the largest CTF organizer in Japan) since 2012.
