Attacks upon computer systems are increasingly becoming more sophisticated and targeted. One particular type of threat, known as an advanced persistent threat (APT), refers to targeted attacks that aggressively pursue and compromise chosen targets, and is commonly associated with a government or other entity that has the resources to maintain such an attack. Often, such a long-term pattern of attacks is aimed at other governments or companies. Individuals are usually not referred to as being an advanced persistent threat because they rarely have the resources to launch a sophisticated attack or to be persistent. An advanced persistent threat is often characterized by targeting a specific organization or individual, deploying sophisticated self-defense techniques, covering tracks in order to maintain future access, etc.
One of the sophisticated self-defense techniques addresses the use of an emulator to detect malicious software. As known, emulation is an effective dynamic malware analysis technique. Many malware analysis tools make use of an emulator such as Trend Micro's SandCastle, JoeBox software, the Anubis service, the CWSandbox service, etc. Most all of these emulators collect the behavior of an executing malware sample by monitoring the invocation of system API functions. But, advanced malware uses a variety of self-defense techniques to detect the existence of an emulator. Such malware includes embedded code specifically written to detect that the malware is actually executing inside of an emulator instead of natively on the host computer. Using this code, if the malware determines that it is executing inside of an emulator then it will simply terminate (or otherwise cease its malicious behavior), thus thwarting the efforts of the emulator to collect its malicious behavior and characterize the malware.
Because such malware is becoming more sophisticated at using these self-defense techniques, further techniques are desired to counter these self-defense techniques in order to continue to collect malicious behavior of a malware sample.