Impeding Malware Analysis Using Conditional Code Obfuscation

NDSS (2008)

Citations: 334 | Views: 88
No rating yet
Abstract
Malware programs that incorporate trigger-based behavior initiate malicious activities based on conditions satisfied only by specific inputs. State-of-the-art malware analyzers discover code guarded by triggers via multiple path exploration, symbolic execution, or forced conditional execution, all without knowing the trigger inputs. We present a malware obfuscation technique that automatically conceals specific trigger-based behavior from these malware analyzers. Our technique automatically transforms a program by encrypting code that is conditionally dependent on an input value with a key derived from the input and then removing the key from the program. We have implemented a compiler-level tool that takes a malware source program and automatically generates an obfuscated binary. Experiments on various existing malware samples show that our tool can hide a significant portion of trigger-based code. We provide insight into the strengths, weaknesses, and possible ways to strengthen current analysis approaches in order to defeat this malware obfuscation technique.
Keywords
code obfuscation