Freeze Drying for Capturing Environment-Sensitive Malware Alive

Presented at Black Hat Europe 2014, Oct. 17, 2014, 5 p.m. (60 minutes)

We propose a set of techniques for "freeze drying" malware and restoring the captured malware, so that a running malware process can be live-migrated. Our system can capture environment-sensitive malware in-process and run it in an environment other than the infected host.

Sophisticated malware, such as Citadel and ZeuS/GameOver, is armed with anti-analysis techniques that prevent it from running anywhere except on the infected host. Such malware detects its execution environment and does not engage in malicious behavior when the current host differs from the one it infected.

We developed a malware capture system called Sweetspot that captures malware in-process by live-migrating the process and mimicking the infected host's environment on the analyzer by means of system call proxies. In addition, Sweetspot can serve as a honeypot, providing dummy data when the malware requests sensitive information. In the briefing, we will demonstrate freeze-drying and instant dynamic analysis of real malware.
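The following is an added illustration, not Sweetspot's code and not the authors' design: a toy Python model of why a migrated process stays dormant on a plain analyzer and why routing its environment queries through a proxy revives it. The identity fields (hostname, volume serial, user SID), the key-binding scheme, the query names and the sample hosts are all assumptions constructed for the example; real families bind to the host in their own ways, and real live migration and system-call interception are not modelled here.

```python
"""Toy model of environment-sensitive malware and a system-call proxy.

Constructed example (not Sweetspot's code): a "malware" derives a key from
host identity queries and refuses to unpack its payload unless that key
matches the infected host. A proxy answers identity queries from a
snapshot of the infected host and sensitive reads with honeypot dummy data,
so the migrated process misbehaves on the analyzer instead of going dormant.
All names, fields and sample values are hypothetical.
"""
import hashlib
import hmac

# Queries the toy malware treats as host identity (assumed set).
IDENTITY_QUERIES = ("hostname", "volume_serial", "user_sid")
# Queries that touch data the analyst does not want handed to the malware.
SENSITIVE_READS = ("browser_cookies",)


class Host:
    """A machine answering environment queries (identity and data)."""

    def __init__(self, identity, data):
        self.identity = dict(identity)
        self.data = dict(data)

    def query(self, name):
        if name in self.identity:
            return self.identity[name]
        return self.data[name]


class SyscallProxy:
    """Routes the migrated process's queries: identity comes from a snapshot
    of the infected host, sensitive reads get dummy data (and are logged),
    everything else is served by the analyzer itself."""

    def __init__(self, snapshot, analyzer, dummy):
        self.snapshot = dict(snapshot)
        self.analyzer = analyzer
        self.dummy = dict(dummy)
        self.sensitive_requests = []  # what the malware asked for

    def query(self, name):
        if name in IDENTITY_QUERIES:
            return self.snapshot[name]
        if name in SENSITIVE_READS:
            self.sensitive_requests.append(name)
            return self.dummy[name]
        return self.analyzer.query(name)


def host_key(env):
    """Derive a per-host key from the identity the environment reports."""
    fp = "|".join(str(env.query(q)) for q in IDENTITY_QUERIES)
    return hashlib.sha256(fp.encode()).digest()


def _keystream(key, n):
    """HMAC-SHA256 in counter mode, enough bytes to cover n."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]


def bind_payload(env, payload):
    """Encrypt the payload under the host key and append a tag, so a wrong
    host is detected (malware stays dormant) rather than producing garbage."""
    key = host_key(env)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, len(payload))))
    tag = hmac.new(key, ct, "sha256").digest()[:16]
    return ct + tag


def run_malware(env, bound):
    """Environment-sensitive behaviour: unpack only when the identity the
    environment reports matches, then request sensitive data."""
    ct, tag = bound[:-16], bound[-16:]
    key = host_key(env)
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest()[:16], tag):
        return ("dormant", None)
    action = bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))).decode()
    return (action, env.query("browser_cookies"))


# Constructed sample hosts (hypothetical values).
INFECTED = Host({"hostname": "WS-042", "volume_serial": "7A1F-0C3D",
                 "user_sid": "S-1-5-21-1-2-3-1001"},
                {"browser_cookies": "real-session-token"})
ANALYZER = Host({"hostname": "sandbox", "volume_serial": "0000-0000",
                 "user_sid": "S-1-5-21-9-9-9-500"},
                {"browser_cookies": "analyst-cookies"})
BOUND = bind_payload(INFECTED, b"steal cookies")


def demo():
    """Migrate the bound payload to the analyzer with and without the proxy."""
    naive = run_malware(ANALYZER, BOUND)  # identity differs: dormant
    proxy = SyscallProxy(INFECTED.identity, ANALYZER,
                         {"browser_cookies": "dummy-token"})
    proxied = run_malware(proxy, BOUND)   # identity mimicked: active, fed dummy data
    return naive, proxied, proxy.sensitive_requests


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the check the malware performs is only as good as the answers it receives: once identity queries are answered from the infected host's snapshot, the same binary that goes dormant on a bare analyzer unpacks and runs, and the honeypot layer records exactly which sensitive reads it attempted while returning data the analyst chose.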


Presenters:

  • Yosuke Chubachi - FFRI, Inc.
    Yosuke Chubachi has been a security engineer at FFRI, Inc. since this spring. He studied at the graduate school of information system engineering, University of Tsukuba. His research interests are in operating systems and virtual machine monitors, in particular access control and intrusion prevention systems. He has been a Security Camp lecturer (a national information-security human-resource development program) since 2011 and a member of the executive committee of SECCON (SECurity CONtest, the largest CTF organizer in Japan) since 2012.
