AVLeak is a tool for fingerprinting consumer antivirus emulators through automated black box testing. AVLeak can be used to extract information from AV emulators that may be used to detect their presence and evade detection, including environmental artifacts, OS API behavioral inconsistencies, emulation of network connectivity, timing inconsistencies, and CPU emulator “red pills”.
These artifacts of emulation may be discovered through painstaking, time consuming binary reverse engineering, or through black box testing with malware that conditionally chooses to unpack or not unpack based on its emulated environment. The current state of the art in black box AV emulator fingerprinting is a lot like handwriting SQL injection queries with a web browser, while AVLeak is like using using SQLmap.
In this presentation I’ll demo AVLeak in use, and show real world artifacts derived using the tool that can be used to detect popular consumer AV emulators.