Blackhat 2012 EUROPE - Entrapment: Tricking Malware with Transparent, Scalable Malware Analysisby Paul Royal

The detection of malware analysis environments has become popular and commoditized. Detection techniques previously reserved for more sophisticated forms of malware are now available to any novice cyber criminal. The use of next-generation virtualization-based malware analysis technologies considerably reduces the number of possible transparency shortcomings, but still fails to handle pathologically resistant malware instances that will only run on physical hardware.

Thus far, the execution of malware on physical (or baremetal) hardware has been useful for one or a handful of malware samples of interest. However, this activity was manually driven and time intensive (e.g., infect, study, format, reinstall). This presentation will resolve these long-outstanding shortcomings by describing the design and implementation of a scalable, automated baremetal malware analysis system, which can be constructed using inexpensive commodity hardware and freely available technologies. To motivate the approach’s need, previously unpublished detection attacks for popular environments used to automate malware analysis (i.e., VMWare, QEMU) will be shown.

Other resources:

Published 15 February 2015