Anti-Emulation Time Lock Puzzles
Tim Ebringer The University of Melbourne
A common anti-emulation trick is to introduce loops that take a relatively long time to compute. The loop may in fact take so long to emulate that the antivirus scanner gives up. This paper formalises this approach, using a well-known system from the cryptographic literature called time-lock puzzles. In essence, a packed binary can be quickly created by an attacker which is guaranteed to require a predefined and easily adjustable number of computationally expensive operations to rebuild a cryptographic key. This key is then used in a strong cryptographic cypher to decrypt the next stage. Although this approach bears some similarity to the brute-force guessing of keys used by the 1998IDEA.6155 virus, permits a completely adjustable workload and guarantees no shortcuts are possible. It could pose a serious nuisance to AV emulators if such a method was included as the middle stage of a polymorphic packer. This could be mitigated by blacklisting the packer since there is no reason why legitimate software would be packed in a way that significantly delays execution, though care would need to be taken as the puzzle-solving code is exactly the same as RSA encryption/decryption.
The packer has now become ubiquitous in the malware scene. An in-the-wild trojan that has not been horrifically post-processed into awful blobs of self-modifying assembler is nowadays a quaint curiosity. It didn’t use to be like this. Software engineers used to respect and appreciate the packers a clever piece of technology that allowed their application to fit on a single floppy disk, rather than two, thereby reducing distribution costs.timelock