Malware, the centerpiece of threats to the Internet, has grown exponentially in volume. To handle the large number of samples collected each day, numerous automated malware analysis techniques have been developed. In response, malware authors have made analysis-environment detection increasingly popular and commoditized. In turn, security practitioners have built systems that make an analysis environment appear to be a normal system (e.g., bare-metal malware analysis). Thus far, neither side has gained a definitive advantage.
In this presentation, we demonstrate techniques that, if widely adopted by the criminal underground, would permanently disadvantage automated malware analysis by making it ineffective and unscalable. To do so, we turn the problem of analysis-environment detection on its head: instead of designing techniques that detect specific analysis environments, we propose malware that fails to execute correctly on any environment other than the one it originally infected.
To achieve this goal, we developed two obfuscation techniques that make the successful execution of a malware sample dependent on the unique properties of the original infected host. To reinforce the potential for malware authors to leverage this type of analysis resistance, we discuss the Flashback botnet's use of a similar technique to prevent the automated analysis of its samples.
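The abstract does not spell out the two techniques, so the following is an added illustration of the general idea, not the authors' code or the Flashback implementation: a second stage is encrypted under a key derived from properties of the infected host, and is only ever decrypted by re-deriving that key wherever the sample later runs. The `HostFingerprint` fields, the key-derivation label and the sample identifiers are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// HostFingerprint holds the per-host properties the payload is keyed to.
// Which properties a real sample would use is an assumption here; the
// abstract only says "unique properties of the original infected host".
type HostFingerprint struct {
	MachineID string // e.g. a platform/hardware UUID
	Hostname  string
	Username  string
}

// deriveKey hashes the fingerprint into a 256-bit AES key. A fixed label and
// NUL separators keep different field combinations from colliding.
func deriveKey(fp HostFingerprint) []byte {
	h := sha256.New()
	h.Write([]byte("env-keyed-payload-v1\x00")) // label is an arbitrary choice
	h.Write([]byte(fp.MachineID))
	h.Write([]byte{0})
	h.Write([]byte(fp.Hostname))
	h.Write([]byte{0})
	h.Write([]byte(fp.Username))
	return h.Sum(nil)
}

func newGCM(fp HostFingerprint) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(fp))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPayload is the "dropper side": run once on the infected host, it
// encrypts the second stage under that host's key. Output is nonce || ciphertext || tag.
func sealPayload(fp HostFingerprint, payload []byte) ([]byte, error) {
	gcm, err := newGCM(fp)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, payload, nil), nil
}

// openPayload is the "runtime side": it re-derives the key from whatever host
// it is now running on. On any other host the GCM tag check fails and no
// plaintext is produced, so the sample cannot execute correctly there.
func openPayload(fp HostFingerprint, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(fp)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	pt, err := gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return nil, fmt.Errorf("payload keyed to a different host: %w", err)
	}
	return pt, nil
}

func main() {
	// Constructed sample hosts; the identifiers are not real.
	victim := HostFingerprint{MachineID: "3F2504E0-4F89-11D3-9A0C-0305E82C3301", Hostname: "laptop-42", Username: "alice"}
	sandbox := HostFingerprint{MachineID: "00000000-0000-0000-0000-000000000001", Hostname: "sandbox-01", Username: "analyst"}

	stage2 := []byte("second-stage logic would go here") // benign placeholder
	sealed, err := sealPayload(victim, stage2)
	if err != nil {
		panic(err)
	}
	if pt, err := openPayload(victim, sealed); err == nil {
		fmt.Printf("victim host: decrypted %q\n", pt)
	}
	if _, err := openPayload(sandbox, sealed); err != nil {
		fmt.Println("sandbox:", err)
	}
}
```

The point for an analyst is in `openPayload`: because the check is an authenticated decryption rather than a branch, there is no "is this a sandbox?" test to patch out, and a generic environment cannot produce the plaintext. The only way to run the sample is to replay the exact fingerprint of the infected host, which means collecting those properties at the time of the incident rather than relying on a shared, one-size-fits-all analysis system.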