Detecting emulated environment: exploiting behavioral discrepancies in QEMU (Korean title: A QEMU detection technique using behavioral differences between the emulator and hardware)

Cited 0 times in Web of Science; cited 0 times in Scopus. Hits: 517; downloads: 0.
Dublin Core metadata (field: value)
dc.contributor.advisor: Kang, Brent Byunghoon
dc.contributor.advisor: 강병훈
dc.contributor.author: Lee, Jaehyuk
dc.date.accessioned: 2018-06-20T06:24:57Z
dc.date.available: 2018-06-20T06:24:57Z
dc.date.issued: 2015
dc.identifier.uri: http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=669193&flag=dissertation
dc.identifier.uri: http://hdl.handle.net/10203/243491
dc.description: Thesis (Master's) - Korea Advanced Institute of Science and Technology: Graduate School of Information Security, 2015.8, [vi, 38 p.]
dc.description.abstract: QEMU is widely used for emulating hardware. Emulation technology can be applied to many fields; one good example is dynamic malware analysis, and a number of state-of-the-art malware analysis platforms are based on QEMU. Because emulation is so popular for behavioral analysis, malware equips itself with various anti-emulation techniques to fingerprint the QEMU environment. Research communities have started to develop stealthy malware analysis platforms that manipulate the run-time environment so that malware mistakenly believes it is running on native hardware. Even though these analysis platforms are equipped with stealth technology, discrepancies created by complicated hardware logic are exploited by attackers to detect the emulated environment. It is an arms race between attackers who want to conceal malicious behavior and defenders who want to reveal undisclosed malware. This paper systematically examines previous timing-based QEMU detection methods that rely on lazy TLB emulation and introduces a new detection mechanism based on the characteristics of the Tiny Code Generator (TCG) and on behavioral discrepancies in QEMU; these can easily be exploited to detect the emulated environment with the least privileges and a higher detection rate than previous work. We hope this paper alerts research communities and drives them to take this into account when developing stealthy malware analysis platforms.
dc.language: eng
dc.publisher: Korea Advanced Institute of Science and Technology (KAIST)
dc.subject: QEMU
dc.subject: Emulator detection
dc.subject: Tiny Code Generator (TCG)
dc.subject: Race condition
dc.subject: Timing attack
dc.subject: QEMU (Korean)
dc.subject: Emulator detection (Korean)
dc.subject: Dynamic code analyzer (Korean)
dc.subject: Race condition (Korean)
dc.subject: Timing attack (Korean)
dc.title: Detecting emulated environment
dc.title.alternative: A QEMU detection technique using behavioral differences between the emulator and hardware
dc.type: Thesis (Master)
dc.identifier.CNRN: 325007
dc.description.department: Korea Advanced Institute of Science and Technology: Graduate School of Information Security
dc.contributor.alternativeauthor: 이재혁
dc.title.subtitle: exploiting behavioral discrepancies in QEMU
Appears in collection: IS-Theses_Master (Master's theses)
Files in this item: there are no files associated with this item.