How Does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

DETECTION OF INTRUSIONS AND MALWARE, AND VULNERABILITY ASSESSMENT (DIMVA 2019)(2019)

Citations: 10 | Views: 15

Abstract
Many malware programs execute operations for analysis evasion. These include sandbox detection through measurement of execution time or of the number of CPU cycles consumed by an operation, using a method based on the RDTSC instruction. Although this detection technique is widely known and well studied, the actual usage of the RDTSC instruction by real malware has not yet been sufficiently clarified. In this paper, we present analysis results for RDTSC usage collected from more than 200,000 malware files. In this analysis, malware programs are searched for closely placed pairs of RDTSC instructions; then, the code fragments surrounding these pairs are extracted. A system developed by the authors classifies the extracted code fragments into distinct groups based on their characteristics, according to a set of rules that matches the fragments against instruction patterns. The results indicate that malware programs measure the number of CPU cycles of diverse operations and also execute the RDTSC instruction for other purposes, such as obfuscation and acquisition of random values.
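The abstract describes the pipeline at a high level: locate closely placed RDTSC pairs, extract the bytes between them, and classify the fragment by instruction pattern. The following is an added toy illustration of that idea, written for this page; it is not the authors' system, and the rule set, the gap threshold and the sample byte string are constructed for illustration. It works on raw bytes (RDTSC encodes as `0F 31`, CPUID as `0F A2`), which is enough to show the classic "rdtsc; cpuid; rdtsc; compare" sandbox check and the back-to-back pair that the abstract associates with non-timing uses.

```python
# Added example, not the paper's code: a toy scanner for closely placed RDTSC
# pairs in raw x86 machine code, with a rule-based classification of the
# fragment between them. Thresholds and rules are illustrative assumptions.

RDTSC = b"\x0f\x31"  # rdtsc: read the time-stamp counter into EDX:EAX
CPUID = b"\x0f\xa2"  # cpuid: traps to the hypervisor, so it is slow inside a VM


def find_rdtsc_pairs(code: bytes, max_gap: int = 64):
    """Return (first, second) byte offsets of consecutive RDTSCs whose
    in-between fragment is at most max_gap bytes long (64 is an assumption)."""
    offsets = []
    i = code.find(RDTSC)
    while i != -1:
        offsets.append(i)
        i = code.find(RDTSC, i + 1)
    return [(a, b) for a, b in zip(offsets, offsets[1:]) if b - (a + 2) <= max_gap]


def extract_fragment(code: bytes, pair) -> bytes:
    """Bytes strictly between the two RDTSC opcodes."""
    a, b = pair
    return code[a + 2:b]


def classify_fragment(frag: bytes) -> str:
    """Coarse, constructed rule set; a real classifier needs a disassembler."""
    if frag == b"":
        # Nothing is measured: the pair yields a counter delta usable as an
        # offset or as a cheap source of random-looking values.
        return "back-to-back"
    if CPUID in frag:
        # Timing a trapping instruction: the textbook VM/sandbox check.
        return "cpuid"
    return "other"


def analyze(code: bytes, max_gap: int = 64):
    """Pairs found in code, each with its classification."""
    return [(a, b, classify_fragment(extract_fragment(code, (a, b))))
            for a, b in find_rdtsc_pairs(code, max_gap)]


def summarize(results):
    """Count fragments per class, the kind of tally the study reports."""
    counts = {}
    for _, _, label in results:
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample: a cpuid timing check, 80 bytes of padding (so the next
# RDTSC is too far away to pair with it), then a back-to-back RDTSC pair.
SAMPLE = (
    bytes.fromhex("0f31")        # rdtsc
    + bytes.fromhex("89c6")      # mov esi, eax   (save low 32 bits)
    + bytes.fromhex("0fa2")      # cpuid          (the operation being timed)
    + bytes.fromhex("0f31")      # rdtsc
    + bytes.fromhex("29f0")      # sub eax, esi   (cycle delta)
    + bytes.fromhex("3d00100000")  # cmp eax, 0x1000 (threshold)
    + bytes.fromhex("7705")      # ja  <sandbox detected>
    + b"\x90" * 80               # padding, not part of any measurement
    + bytes.fromhex("0f31")      # rdtsc
    + bytes.fromhex("0f31")      # rdtsc (back-to-back)
    + bytes.fromhex("31d0")      # xor eax, edx
    + bytes.fromhex("c3")        # ret
)

if __name__ == "__main__":
    for first, second, label in analyze(SAMPLE):
        print(f"pair at {first:#x}/{second:#x}: {label}")
    print(summarize(analyze(SAMPLE)))
```

The byte-level search is deliberately naive: `0F 31` can also appear inside an immediate or displacement (for instance `B8 0F 31 00 00`, `mov eax, 0x310F`), so a production scanner should disassemble from a known instruction boundary before treating a match as an RDTSC, and the gap threshold should be measured in instructions rather than bytes.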
Keywords
Malware, RDTSC instruction, Analysis evasion, Anti-analysis, Sandbox, Virtualization