25th USENIX Security Symposium
Monday, August 8 • 4:00pm - 4:30pm
AVLeak: Fingerprinting Antivirus Emulators through Black-Box Testing


To fight the ever-increasing proliferation of novel malware, antivirus (AV) vendors have turned to emulation-based automated dynamic malware analysis. Malware authors have responded by creating malware that attempts to evade detection by behaving benignly while running in an emulator. Malware may detect emulation by looking for emulator "fingerprints" such as unique environmental values, timing inconsistencies, or bugs in CPU emulation.

Due to their immense complexity and the expert knowledge required to effectively analyze them, reverse-engineering AV emulators to discover fingerprints is an extremely challenging task. As an alternative, researchers have demonstrated fingerprinting attacks using simple black-box testing, but these techniques are slow, inefficient, and generally awkward to use.

We propose a novel black-box technique to efficiently extract emulator fingerprints without reverse-engineering. To demonstrate our technique, we implemented an easy-to-use tool and API called AVLeak. We present an evaluation of AVLeak against several current consumer AVs and show emulator fingerprints derived from our experimentation. We also propose a classification of fingerprints as they apply to consumer AV emulators. Finally, we discuss the defensive implications of our work and future directions of research in emulator evasion and exploitation.

Monday August 8, 2016 4:00pm - 4:30pm PDT
Texas Ballroom 1
