Malware authors use a wide range of techniques to hide from malware analysts and security researchers. These techniques can make it seriously hard to analyze their code, or even to simply run the malware in automated tools for large-scale analysis. More and more tools and ideas are being developed to overcome these challenges. However, there has been very little public research on how we could turn these same techniques against the malware itself, for our own benefit.
The idea is very simple: let's try to show the malware that it is running on a researcher's computer, in the hope that it will simply terminate itself and not infect the actual machine. The goal here is not to analyze the malicious code, but to protect computers from it. Of course, this is not effective against every piece of malware, but if we can eliminate even 1% of samples this way, without developing signatures, it is already a success.
In my talk, I will briefly go over the most popular techniques used by malware and show a couple of real-world examples of them. After that, I will present three simple proof-of-concept tools that I created, which make the client's computer look like a malware researcher's machine. One is a kernel driver, another is a simple Windows application. These tools focus on a few of the initially presented methods. I will also talk about other ways these ideas could be implemented.