Kaspersky Lab has patented a system which helps to prevent malware from detecting emulation during antivirus analysis.
Patent 8555386, issued by the US Patent and Trademark Office, describes methods of improving the emulator so that, to the malicious program being analysed, its behaviour is indistinguishable from the operating system’s normal operation.
Developers of security solutions use emulation to find out whether programs are malicious without the risk of infecting the computer. This involves running the file being analysed in an isolated virtualised environment which uses software tools to emulate the operation of hardware and the operating system.
In this mode, the security solution can analyse the operations performed by the program in question and detect malicious code.
Cybercriminals use a variety of techniques to block or hamper analysis of their malware in virtualised environments.
Many of these techniques are based on specific emulator implementation issues: emulators typically reproduce the operating system’s functionality only to some extent. This simplification helps to improve performance and save resources, but at the same time it makes the security system vulnerable to various anti-emulation techniques.
Cybercriminals can design their malware to check whether it is running under an emulator. If emulation is detected, the malware can stop any malicious activity, improving its chances of evading detection by the security solution.
One anti-emulation technique works as follows: the malware calls a system function, which in turn calls several other, intermediate functions. When the program is executed in an emulator, only some of the calls in this chain are reproduced. The anti-emulation technique is based on detecting the absence of function calls which would be present in a real operating system.
The system patented by Kaspersky Lab does not behave in the same way as conventional emulators: it reproduces in sequence all the function calls, including the operating system’s kernel functions that perform such operations as file reading and writing. Up to a certain point, the system’s operation is identical to that of a real OS, which renders most anti-emulation techniques used by malware writers ineffective.
As a result, the malware regards the environment in which it is running as being real rather than virtualised and therefore launches its malicious activity. This enables anti-malware technologies to detect and block the threat.
“The idea on which the technology is based involves ‘persuading’ the malware that it is running on a real system. As a result, it has no reason to hide its malicious functionality. This technology will bring the quality of detection provided by our security solutions to a new level,” says Sergey Belov, principal security researcher at Kaspersky Lab and the inventor of the newly-patented technology.
The technology has already proved its effectiveness in internal testing conducted by the company. In the future, it will be implemented in Kaspersky Lab products for home and corporate users.