To fight the ever-increasing proliferation of novel malware, antivirus (AV) vendors have turned to emulation-based automated dynamic malware analysis. Malware authors have responded by creating malware that attempts to evade detection by behaving benignly while running in an emulator. Malware may detect emulation by looking for emulator “fingerprints” such as unique environmental values, timing inconsistencies, or bugs in CPU emulation.
Due to their immense complexity and the expert knowledge required to effectively analyze them, reverse-engineering AV emulators to discover fingerprints is an extremely challenging task. As an alternative, researchers have demonstrated fingerprinting attacks using simple black-box testing, but these techniques are slow, inefficient, and generally awkward to use.
We propose a novel black-box technique to efficiently extract emulator fingerprints without reverse-engineering. To demonstrate our technique, we implemented an easy-to-use tool and API called AVLeak. We present an evaluation of AVLeak against several current consumer AVs and show emulator fingerprints derived from our experimentation. We also propose a classification of fingerprints as they apply to consumer AV emulators. Finally, we discuss the defensive implications of our work, and future directions of research in emulator evasion and exploitation.