Fooling Automated Malware Analysis Systems


The number of APT attacks grows day by day, and the malware used as one step in these attacks poses a threat to the targeted organizations. Malware aimed at corporations is sent to analysis teams while it is still only suspicious, and those teams, depending on the situation, sometimes use automated malware analysis systems alongside their manual analysis work. The main purpose of automated analysis systems is to make the analyst's job easier and the analysis faster by taking over the time-consuming operations that the analyst would otherwise have to perform by hand. It is fair to say that everything up to this point is very good: the analyst teams of the institutions act on the output of the tools they use, and the suspicious software is judged on the basis of those actions. But the most critical questions are: how much of the malware do these automated tools actually detect, will the malware they judge as malicious (or not malicious) really cause problems, and can these automation systems be tricked? In this presentation we will answer these three basic questions, and the most important part is to put the answers to the offensive questions into practice. How can we test our technical knowledge in practice and successfully carry out the deception that is our ultimate goal?


The flow of the presentation is as follows:


  • The place and purpose of malware in APT attacks
  • What is dynamic analysis?
  • What are automated analysis systems, how do they work, what are their theoretical requirements, and what is needed for them to produce perfect results?
  • Identification and analysis of the target automated malware analysis systems: a practical look at how information about the target is gathered from inside the isolated system in order to develop offensive code, and how that intelligence is provided in detail.
  • Development of offensive code, based on the collected information, to deceive the target systems; live testing of the developments and the points to consider during development.
  • Finally, hints on what analyst teams should be careful about and what changes those who develop similar systems should make to their systems.


Detailed Talk Outline:

  • Introduction and terminology
  • Malware and specific detail
  • APT and examination
  • Governments and companies: protection methods and techniques
  • Automated Malware Analysis System (AMAS) architecture
  • List of our targets to bypass (AMAS)
  • Attack methods, detection and realization
  • Defense
  • Questions
  • Finish