Im p ed in g M alw ar e A n alys is U sin g C on d ition al C.pdfVIP

Impeding Malware Analysis Using Conditional Code Obfuscation Monirul Sharif1 Andrea Lanzi2 Jonathon Giffin1 Wenke Lee1 1School of Computer Science, College of Computing, Georgia Institute of Technology, USA {msharif, giffin, wenke}@ 2 ` Dipartimento di Informatica e Comunicazione, Universita degli Studi di Milano, Italy andrew@security.dico.unimi.it Abstract static analysis obfuscations, but they only observe a single execution path. Malware can exploit this limitation by em- Malware p rograms that incorp orate trigger-based be- ploying trigger-based behaviors such as time-bombs, logic- havior initiate malicious activities based on conditions sat- bombs, bot-command inputs, and testing the presence of an- isfi ed only by sp ecifi c inp uts. State-of -the-art malware an- alyzers, to hide its intended behavior. alyzers discover code guarded by triggers via multip le p ath Recent analyzers provide a powerful way to discover exp loration, symbolic execution, or f orced conditional exe- trigger based malicious behavior in arbitrary malicious pro- cution, all without knowing the trigger inp uts. We p resent grams. Moser et al. proposed a scheme [28] that explores a malware obf uscation technique that automatically con- multiple paths during execution of a malware. After ex- ceals sp ecifi c trigger-based behavior f rom these malware ploring a branch, their technique resumes execution from analyzers. Our technique automatically transf orms a p ro- a previously saved