Malware development and malware analysis are an ongoing arms race between attackers and defenders. Mainstream analysis approaches combine dynamic and static analysis so that each can compensate for the other's weaknesses. For malware developers, evading analysis so that their malicious behavior cannot easily be reverse-engineered is therefore a critical concern. For analysts, dynamic analysis is indispensable for understanding program behavior, yet evasion aimed at dynamic analysis is equally widespread; the most common form is detecting the emulator environment that most dynamic analysis solutions depend on, which degrades the effectiveness of large-scale program analysis. Being able to locate these evasion behaviors that target the dynamic analysis environment is therefore of practical help in fully dissecting malware. Because new emulator-detection techniques appear continually, traditional approaches that identify emulator detection from static signatures are often no longer adequate. We have therefore developed a system called SADroid, which uses static-aided dynamic analysis to locate the code fragments in a program that perform emulator detection (anti-emulation) and to identify the detection techniques that do in fact change program behavior on recent emulator versions. These detection techniques can also serve as a powerful tool for malware developers.