Impeding Malware Analysis Using Conditional Code Obfuscation
Source: Georgia Institute of Technology
Malware programs that incorporate trigger-based behavior initiate malicious activities only when conditions satisfied by specific inputs hold. State-of-the-art malware analyzers discover code guarded by such triggers via multiple path exploration, symbolic execution, or forced conditional execution, all without knowing the trigger inputs. This paper presents a malware obfuscation technique that automatically conceals specific trigger-based behavior from these analyzers. The technique transforms a program by encrypting code whose execution is conditional on an input value, using a key derived from that input, and then removing the key from the program, so the guarded code cannot be recovered without the trigger input itself. The authors have implemented a compiler-level tool that takes a malware source program and automatically generates an obfuscated binary.