Jump to content
Tuts 4 You

Anti-Emulation Through Time-Lock Puzzles

Teddy Rogers

About This File

A common anti-emulation trick is to introduce loops that take a relatively long time to compute. The loop may in fact take so long to emulate that the antivirus scanner gives up.

This paper formalises this approach, using a well-known system from the cryptographic literature called time-lock puzzles. In essence, a packed binary can be quickly created by an attacker which is guaranteed to require a predefined and easily adjustable number of computationally expensive operations to rebuild a cryptographic key. This key is then used in a strong cryptographic cipher to decrypt the next stage.

Although this approach bears some similarity to the brute-force guessing of keys used by the 1998 IDEA.6155 virus, it permits a completely adjustable workload, and guarantees no shortcuts are possible.

It could pose a serious nuisance to AV emulators if such a method was included as the middle stage of a polymorphic packer. This could be mitigated by blacklisting the packer, since there is no reason why legitimate software would be packed in a way that significantly delays execution, though care would need to be taken as the "puzzle" solving code is exactly the same as RSA encryption/decryption.

User Feedback

Recommended Comments

There are no comments to display.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...