Emulation: how low will you go...

Kurt Natvig, Norman ASA, Norway.

The presentation will cover three main areas:

1. Emulator tricks in compressors. I will present quite a few tricks pulled by compressors and malware to avoid emulation

2. How deep inside malware emulation must we go to get to the "good" stuff? I will present how many layers, concurrent processes, threads, etc and the complexity of the OS to be able to go through to get there, e.g the DNSchange nullsoft installers. I will also walk through some complex compressors like Themida to demonstrate how deep we must go.

3. Automation & information gathering. I will demonstrate how we use our Norman SandBox Analyzer to gather a lot of information about executable files.