Explore an automated disarmament system for malware equipped with anti-sandboxing techniques in this Black Hat conference talk. Delve into the challenges posed by sophisticated malware like Citadel and Zeus/GameOver that employ host-fingerprinting and other evasion tactics. Learn about the SLIME system's approach to disarming malware, focusing on exit reasons and pre-activity termination. Discover key technologies such as malware palpation, Code Execution Integrity, and retroactive condition analysis. Examine the implementation of execution logging frameworks and techniques for camouflaging VM/sandbox artifacts. Witness a disarming demo targeting anti-VMWare and sandbox evasion techniques. Gain insights into the prevalence of anti-VM malware and discuss the effectiveness of virtual machines in malware protection. This comprehensive presentation provides valuable statistics on evasive malware in the real world and reports on large-scale sample analysis results.
Slime - Automated Anti-Sandboxing Disarmament System
Overview
Syllabus
Intro
Contents
Background
Use the sandbox, Luke
Malware strike back
Related work
Motivation
Challenges
black hat
Chthonic anti-sandboxing
Type of anti-sandboxing
Environment awareness
Artifact fingerprinting
Execution environment fingerprinting
Execution timing detection
SLIME key technologies
Concept: malware palpatio
Malware palpation
Code Execution Integrity CEI
Execution branch detection
Retroactive condition analysis
Implementation
Execution logging framework
Camouflaging VM/sandbox related artifact existence
Disarming demo
Anti-VMWare
Sandbox evasion
Dataset
Are Anti-VM Too Few?
Offtopic: Artifact finding by Yara
Can Virtual Machine Protects You from Malware?
Conclusion
Taught by
Black Hat
