How Does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2019)
Abstract
Many malware programs execute operations to evade analysis. These include sandbox detection by measuring execution time or the number of CPU cycles consumed, using a method that relies on the RDTSC instruction. Although this detection technique is widely known and well studied, how real malware actually uses the RDTSC instruction has not yet been sufficiently clarified. In this paper, we present analysis results for RDTSC usage collected from more than 200,000 malware files. In this analysis, malware programs are searched for closely placed pairs of RDTSC instructions, and the code fragments surrounding these pairs are extracted. A system developed by the authors classifies the extracted fragments into distinct groups based on their characteristics, according to a set of rules that matches each fragment against instruction patterns. The results indicate that malware programs measure the CPU cycle counts of diverse operations, and that they also execute the RDTSC instruction for other purposes, such as obfuscation and the acquisition of random values.
Key words
Malware, RDTSC instruction, Analysis evasion, Anti-analysis, Sandbox, Virtualization