Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis

The detection of malware analysis environments has become popular and commoditized. Detection techniques previously reserved for more sophisticated forms of malware are now available to any novice cyber criminal. The use of next-generation virtualizationbased malware analysis technologies considerably reduces the number of possible transparency shortcomings, but still fails to handle pathologically resistant malware instances that will only run on physical hardware. Traditionally, the execution of malware on physical (or baremetal) hardware has been useful for one or a handful of malware samples of interest. However, this activity was manually driven and time intensive (e.g., infect, study, format, reinstall). This paper proposes a way to resolve these long-outstanding shortcomings by describing the design and implementation of a scalable, automated baremetal malware analysis system, which can be constructed using inexpensive commodity hardware and freely available technologies.