Kaspersky Lab patents emulation enhancement technology

Kaspersky Lab has announced it has patented a system which helps to prevent malware from detecting emulation during antivirus analysis. Patent 8555386 issued by the United States Patent and Trademark Office describes methods of improving the emulator in such a way as to make its work indistinguishable from the OS’s normal operation to the malicious program being analysed.

Developers of security solutions use emulation to find out whether programs are malicious without the risk of infecting the computer. This involves running the file being analysed in an isolated virtualised environment which uses software tools to emulate the operation of hardware and the operating system. In this mode, the security solution can analyse the operations performed by the program in question and detect malicious code.

Cybercriminals use a variety of techniques to block or hamper analysis of their malware in virtualised environments. Many of these techniques exploit specific emulator implementation shortcuts: emulators typically reproduce the operating system’s functionality only to some extent. This simplification improves performance and saves resources, but at the same time it makes the security system vulnerable to various anti-emulation techniques. Cybercriminals can design their malware to check whether it is running under an emulator. If emulation is detected, the malware can stop any malicious activity, improving its chances of evading detection by the security solution.

One anti-emulation technique works as follows: the malware calls a system function, which in turn calls several other, intermediate functions. When the program is executed in an emulator, only some of the calls in this chain are reproduced. The anti-emulation technique is based on detecting the absence of function calls which would be present in a real operating system.

The system patented by Kaspersky Lab does not behave in the same way as conventional emulators: it reproduces in sequence all the function calls, including the operating system’s kernel functions that perform such operations as file reading and writing. Up to a certain point, the system’s operation is identical to that of a real OS, which renders most anti-emulation techniques used by malware writers ineffective. As a result, the malware regards the environment in which it is running as being real rather than virtualised and therefore launches its malicious activity. This enables anti-malware technologies to detect and block the threat.
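The call-chain check described two paragraphs above, and the full-chain countermeasure described here, modelled as an added Python example. This is not Kaspersky Lab's code and is not taken from the patent: RealOS, ShallowEmulator, FullChainEmulator, detect_emulator and the probe file name are constructed stand-ins, and Python attribute patching stands in for the inline hooks or breakpoints that real malware would place on lower-level library or kernel entry points to see whether a public API call actually flows through them.

```python
"""Model of a call-chain anti-emulation check and of an emulator that defeats it.

Constructed example: the "OS" below is a three-level call chain
(public API -> intermediate helper -> kernel primitive), not a real OS.
"""
import functools


class RealOS:
    """Stand-in for a real operating system: the public API fans out to
    intermediate helpers and finally to a kernel-level primitive."""

    def __init__(self):
        self.disk = {}

    def kernel_write(self, path, data):
        # Kernel primitive (the analogue of a native write syscall).
        self.disk[path] = data
        return len(data)

    def open_handle(self, path):
        # Intermediate helper sitting between the public API and the kernel.
        return ("handle", path)

    def write_file(self, path, data):
        # Public API the sample calls; on a real OS it walks the whole chain.
        handle = self.open_handle(path)
        return self.kernel_write(handle[1], data)


class ShallowEmulator(RealOS):
    """Conventional emulator: implements the public API directly and never
    invokes the intermediate or kernel functions (the shortcut malware probes)."""

    def write_file(self, path, data):
        self.disk[path] = data
        return len(data)


class FullChainEmulator(RealOS):
    """Emulator that reproduces every call in sequence, down to the kernel
    primitive, so the chain looks identical to the real OS (inherits it as-is)."""


def detect_emulator(os_api, probe_path="probe.tmp", payload=b"x"):
    """Malware-side check: hook the lower layers, call the public API once,
    and return the list of expected intermediate calls that never happened.
    An empty list means the environment looks like a real OS."""
    observed = []

    def hook(name, original):
        @functools.wraps(original)
        def wrapper(*args, **kwargs):
            observed.append(name)
            return original(*args, **kwargs)
        return wrapper

    expected = ["open_handle", "kernel_write"]
    for name in expected:
        # Instance attribute shadows the class method: a stand-in for an inline hook.
        setattr(os_api, name, hook(name, getattr(os_api, name)))

    os_api.write_file(probe_path, payload)
    return [name for name in expected if name not in observed]


def sample_behaviour(os_api):
    """What an evasive sample does with the result: stay dormant if the
    call chain is incomplete, otherwise run its payload."""
    if detect_emulator(os_api):
        return "dormant"
    return "payload"


if __name__ == "__main__":
    for env in (RealOS(), ShallowEmulator(), FullChainEmulator()):
        print(type(env).__name__, sample_behaviour(env))
```

Run stand-alone it shows the shallow emulator being unmasked (the sample stays dormant) while the real OS and the full-chain emulator both receive the payload, which is exactly the outcome the patent text describes: the sample sees no missing call, treats the environment as real, and exposes the behaviour the scanner needs to observe.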

“The idea on which the technology is based involves ‘persuading’ the malware that it is running on a real system. As a result, it has no reason to hide its malicious functionality. This technology will bring the quality of detection provided by our security solutions to a new level,” commented Sergey Belov, Principal Security Researcher at Kaspersky Lab and the inventor of the newly patented technology.

The technology has already proved its effectiveness in internal testing conducted by the company. In future, it will be implemented in Kaspersky Lab products for home and corporate users.

Kaspersky Lab has an extensive patent portfolio, in which most patents describe protection technologies. As of mid-2013, the company had 174 patents issued in the US, Russia, EU and China. Applications for 211 more patents have been filed with patent authorities.

About Kaspersky Lab

Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.

* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report “Worldwide Endpoint Security 2013–2017 Forecast and 2012 Vendor Shares” (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.

This was posted in Bdaily's Members' News section by Alice Collins.