Research buzz: Undercover technology
Question of the week: What is the antivirus setting called DeepScreen?
DeepScreen is a new technology inside avast! Antivirus 2014. When you are about to run a suspicious program which is not yet known to the other core antivirus technologies, DeepScreen is invoked. Its task is to simply distinguish between good and bad software. Although it seems obvious and simple, it is not.
How DeepScreen uses The Force for good
This (magic) technology is served by two software components (the Jedi, if you will) which work hand-in-hand. One of them is well known from the past: The avast! Sandbox.
When a file is “DeepScreened,” it is actually run in the Sandbox, which is mainly responsible for keeping things isolated while watching for various high-level events and behavior of the program running. For example, it monitors the system call invocation and overall behavior of the program which is being executed. This seems to be just enough to distinguish between the Dark Side and the Light Side of the Force, but unfortunately, it is not that simple.
Firstly, how can you tell good and bad behavior apart? There are plenty of legitimate software products that use “weird” techniques to protect themselves. On the other hand, there is a bunch of malware samples that look innocent and behave well.
Secondly, malware is used to hiding away from the vigilant eyes of the Sandbox. The most common and powerful technique is encryption. In fact, there are more ways of encrypting and packing these well - known bad guys and rendering them undetectable than there are distinct malware samples.
SafeMachine: The new Jedi Order
With the latest version of avast! Antivirus 2014, this technology is fully involved in fighting the bad guys. Whenever DeepScreen runs something in the Sandbox, it also performs binary instrumentation of the process.
So what exactly is dynamic binary instrumentation? It is a fine-grained analysis of the running code, achieved by disassembling it on the fly, instruction by instruction, and watching for interesting low-level code events and their effects on the underlying memory. This way we can see various obfuscation techniques used mainly to delay the execution of the “bad code” in order to avoid its detection by the behavioral shield. We are also able to see the diverse decryption loops and the memory buffers where these decryption loops decrypt their payload. This is the most important SafeMachine 2 feature. In other words, we let the bad guy reveal himself and then we fling him out naked to our string scanner, which in turn looks for well-known malware patterns and… Hey look, there is a string we already know!
Is this approach successful, is there any measurable gain in the number of detections?
Absolutely! After approximately three months of this technology working, we have seen a nearly 15% growth in detections in DeepScreen contributed by the SafeMachine technology. And almost all of these malware samples were known before; they were just so obfuscated and packed, that the static analysis couldn’t see them.
Here in Avast research, we are constantly enhancing and bettering this technology to reach its full detection potential and to increase the level of your protection.
The author would like to thank to all of his colleagues who have been pushing this technology to a new level over the past two years, namely Jakub Jermar who put an incredibly huge amount of his work into this beast, Jan Gahura author of the original DBI concept and the first version of SafeMachine, and Research and Virus Lab teams who made this happen. Credits go to Brett Jordan for the picture of Darth Vader in trouble.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.