Just trying to understand the phrase "malware analysis evasion and counter-evasion" (https://dl.acm.org/doi/10.1145/3150376.3150378) is like evaluating a formula with nested negations. "malware" (bad!), "analysis" (good!), "evasion" (bad!), "and counter-evasion" (and also good!)
Discussion
This isn't my area, but it seems that some kinds of malware have clever ways to detect that they're being run under emulation (because running malware under emulation is a thing that folks who are trying to analyze malware would do), and then behave differently if so (which, of course, makes the analyst's job harder).
It's sensible to say that a notion of "correctness" for an emulator could be something like "observationally equivalent to the system being emulated". And of course we know from work like @wilbowma's https://dl.acm.org/doi/10.1145/2784731.2784733 that "observer" is just another word for "attacker". But even so, I honestly hadn't thought about the possibility that code run under emulation might be trying to *actively detect* that it's being run under emulation and purposely behave differently then. Dang, I feel naive.
My student @tgoodwin pointed out that this is exactly like the Volkswagen emissions scandal. It's the perfect analogy. Volkswagens are malware.
@lindsey I think using emulation has become much more common for malware analysis but traditionally people used debuggers for that kind of thing and anti-debugging has been common since the mid-1990s as I remember it. https://anti-debug.checkpoint.com/
@pervognsen Interesting, thanks! I'm new to all this, but that tracks, since debuggers are conceptually similar to emulators!
Do security researchers ever get confused as to whether they're the good guys or the bad guys?
@0xabad1dea @lindsey @at Hello, Good day and how is the climate over there??
The title of one of the presentations I currently do is "Think like a hacker".
Precisely because if you don't, you're not securing the right things ...
@[email protected] @[email protected] @[email protected] At least one of my university friends became a sysadmin partly because he felt that it would otherwise be too tempting to try and poke around other people's systems.
@lindsey me personally? no. others? definitely.