In my previous post, I spoke about how automated systems such as the Norman Sandbox and Anubis are easily blinded with simple environment checks.
Christopher Kruegel of Secure Systems Lab of the Vienna University of Technology replied with the following:
"This is definitely a valid concern, and a problem that every dynamic analysis environment faces. Actually, we have thought quite a bit about this problem, and we have published a paper that presents a possible solution (it has been accepted at the IEEE Symposium on Security and Privacy; check it out at http://www.seclab.tuwien.ac.at/papers/explore.pdf ). In a nutshell, this paper describes a system that allows us to explore multiple execution paths. To this end, we are trying to locate "interesting" checks that the malware performs (e.g., a check for the current directory) and explore both paths (one path when the check succeeds, and the alternative path when the check fails). In the case you described above, the first execution path would yield nothing, while the second path would show the malicious activity (together with the information that the current directory must be the Outlook directory to see this behavior)."
This works by taking a snapshot of the executable's state at each decision to be made, running through the code, and then restoring that previously stored state in order to follow the other execution path. They were able to do this by creating a Qemu extension that can identify the memory mapped for the specific executable being analyzed. This extension is currently a work in progress and will later be included as part of Anubis. Personally, I'm really looking forward to this becoming publicly available.
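To make the snapshot-and-restore idea concrete, here is an added toy example of my own; it is not code from the paper, from Anubis, or from the Qemu extension. It assumes a made-up instruction set (`check`, `act`, `jmp`, `halt`) and a constructed sample program that mimics the Outlook-directory check described above. The real system works on x86 code inside Qemu; this script only demonstrates the exploration strategy: at every environment check that has not already been decided on the current path, the explorer saves a copy of the state, follows the "check succeeded" branch, and later restores the copy to follow the "check failed" branch, recording the environment assumptions each path needed.

```python
"""Toy multi-path explorer (constructed illustration, not Anubis code)."""
import copy
from dataclasses import dataclass, field

# Constructed instruction set for the toy program:
#   ("check", env_key, expected_value, else_pc)  branch to else_pc if env[key] != expected
#   ("act", description)                          an observable behaviour on this path
#   ("jmp", target_pc)
#   ("halt",)


@dataclass
class PathState:
    """Everything needed to snapshot and later restore one execution path."""
    pc: int = 0
    eq: dict = field(default_factory=dict)    # env key -> value assumed on this path
    neq: dict = field(default_factory=dict)   # env key -> set of values assumed NOT to hold
    actions: list = field(default_factory=list)


def explore(program, max_steps=1000):
    """Explore every feasible path of `program`.

    At an undecided environment check the current state is deep-copied (the
    snapshot); the copy is queued with the 'check failed' assumption while the
    live state continues with 'check succeeded'. A check whose outcome is
    already fixed by earlier assumptions on this path does not fork again.
    """
    finished = []
    worklist = [PathState()]
    while worklist:
        st = worklist.pop()                   # restore a stored snapshot
        for _ in range(max_steps):
            ins = program[st.pc]
            op = ins[0]
            if op == "halt":
                finished.append(st)
                break
            if op == "act":
                st.actions.append(ins[1])
                st.pc += 1
            elif op == "jmp":
                st.pc = ins[1]
            elif op == "check":
                _, key, expected, else_pc = ins
                if key in st.eq:                          # outcome already fixed
                    taken = st.eq[key] == expected
                elif expected in st.neq.get(key, set()):  # already assumed unequal
                    taken = False
                else:
                    alt = copy.deepcopy(st)               # snapshot for the other branch
                    alt.neq.setdefault(key, set()).add(expected)
                    alt.pc = else_pc
                    worklist.append(alt)
                    st.eq[key] = expected                 # this path: check succeeds
                    taken = True
                st.pc = st.pc + 1 if taken else else_pc
            else:
                raise ValueError(f"unknown opcode {op!r}")
        else:
            finished.append(st)   # step budget exhausted (e.g. a loop); keep what we saw
    return finished


# Constructed sample: behaves only when run from the Outlook directory with no
# debugger, and re-checks the directory before the second action.
SAMPLE_PROGRAM = [
    ("check", "cwd", "Outlook", 6),
    ("check", "debugger", "absent", 6),
    ("act", "harvest address book"),
    ("check", "cwd", "Outlook", 6),      # re-check: no new fork, already assumed
    ("act", "send data over network"),
    ("halt",),
    ("act", "exit quietly"),
    ("halt",),
]


def report(paths):
    """Summarise each path as the assumptions it needed and the actions it showed."""
    return [{"requires": p.eq, "excludes": {k: sorted(v) for k, v in p.neq.items()},
             "actions": p.actions} for p in paths]


if __name__ == "__main__":
    for entry in report(explore(SAMPLE_PROGRAM)):
        print(entry)
```

Running it prints three paths: the one that reaches "send data over network" carries the assumptions `cwd == Outlook` and `debugger == absent`, which is exactly the kind of "you must be in the Outlook directory to see this" information the paper's system is meant to recover; the other two paths only "exit quietly". A real implementation also has to decide which checks are interesting (the paper's version tracks values derived from environment queries) rather than forking on every conditional jump.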