nEther: in-guest detection of out-of-the-guest malware analyzers

ABSTRACT
Malware analysis can be an efficient way to combat malicious code; however, miscreants construct heavily armoured samples in order to stymie the observation of their artefacts. Security practitioners make heavy use of various virtualization techniques to create sandboxing environments that provide a certain level of isolation between the host and the code being analysed. However, most of these are easy to detect and evade. The introduction of hardware-assisted virtualization (Intel VT and AMD-V) made the creation of novel, out-of-the-guest malware analysis platforms possible. These allow for a high level of transparency by residing completely outside the guest operating system being examined, so conventional in-memory detection scans are ineffective against them. Furthermore, such analysers resolve the shortcomings that stem from inaccurate system emulation, in-guest timings, privileged operations and so on.
In this paper, we introduce novel approaches that make the detection of hardware-assisted virtualization platforms and out-of-the-guest malware analysis frameworks possible. To demonstrate our concepts, we implemented an application framework called nEther that is capable of detecting the out-of-the-guest malware analysis framework Ether [6].
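The abstract does not spell out which side effects nEther measures, but the class of check it points to with "in-guest timings" can be illustrated. The following is an added example written for this page, not code from the nEther paper or from Ether. It relies on one architectural fact from the Intel SDM [4]: under VT-x the CPUID instruction always causes a VM exit, so its cost rises from tens of cycles on bare metal to hundreds or thousands when any hypervisor, however transparent, is underneath. The 500-cycle threshold, the sample count and the function names are assumptions for the example; a real check would be calibrated against a bare-metal baseline for the same CPU model.

```c
/*
 * Added example (not from the nEther paper or Ether): a minimal in-guest
 * timing red-pill. CPUID unconditionally exits to the hypervisor under VT-x
 * (Intel SDM, Vol. 3), so we time it with RDTSC and take the median of many
 * samples to suppress interrupt and cache noise. The threshold is an
 * assumed illustrative value, not a calibrated one.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/clang helper that saves/restores EBX correctly */

static inline uint64_t rdtsc_now(void)
{
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}

/* CPUID leaf 0; the instruction is itself serializing, so no extra fence */
static inline void cpuid_leaf0(void)
{
    unsigned int a, b, c, d;
    __cpuid(0, a, b, c, d);
    (void)a; (void)b; (void)c; (void)d;
}
#endif

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median TSC cycles spent in one CPUID over n samples; 0 if n == 0 or on
 * a non-x86 build where the measurement is not available. */
uint64_t measure_cpuid_cycles(size_t n)
{
#if defined(__x86_64__) || defined(__i386__)
    if (n == 0)
        return 0;
    uint64_t *s = malloc(n * sizeof *s);
    if (!s)
        return 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = rdtsc_now();
        cpuid_leaf0();
        uint64_t t1 = rdtsc_now();
        s[i] = t1 - t0;
    }
    qsort(s, n, sizeof *s, cmp_u64);
    uint64_t median = s[n / 2];
    free(s);
    return median;
#else
    (void)n;
    return 0;
#endif
}

/* Decision rule: a median above the bare-metal threshold is evidence of
 * a hypervisor intercepting CPUID. Returns 1 for "virtualized", else 0. */
int looks_virtualized(uint64_t median_cycles, uint64_t threshold)
{
    return median_cycles > threshold;
}

int main(void)
{
    const uint64_t threshold = 500; /* assumed bare-metal upper bound */
    uint64_t median = measure_cpuid_cycles(1001);
    printf("median CPUID cost: %llu cycles -> %s\n",
           (unsigned long long)median,
           looks_virtualized(median, threshold) ? "hypervisor likely"
                                                : "no timing evidence");
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, the threshold depends on the microarchitecture and on frequency scaling, which is why the decision rule is kept separate from the measurement so it can be calibrated per CPU model. Second, VT-x lets a hypervisor trap RDTSC or apply TSC offsetting, so a timing discrepancy is one signal to be combined with others (for example, inconsistencies in privileged-instruction behaviour), not proof on its own.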
REFERENCES
[1] U. Bayer, C. Kruegel, and E. Kirda. TTAnalyze: A tool for analyzing malware. 2006.
[2] F. Bellard. QEMU, a fast and portable dynamic translator. In USENIX Annual Technical Conference, FREENIX Track, pages 41--46, 2005.
[3] X. Chen, J. Andersen, Z. M. Mao, M. Bailey, and J. Nazario. Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In Proceedings of the 38th Annual IEEE International Conference on Dependable Systems and Networks (DSN '08), pages 177--186, Anchorage, Alaska, USA, June 2008.
[4] Intel Corporation. Intel® 64 and IA-32 Architectures Software Developer's Manual, June 2009.
[5] Intel Corporation. Intel® Core™ 2 Duo Processor for Intel® Centrino® Duo Processor Technology Specification Update. http://download.intel.com/design/mobile/SPECUPDT/31407918.pdf, September 2010.
[6] A. Dinaburg, P. Royal, M. Sharif, and W. Lee. Ether: Malware analysis via hardware virtualization extensions. In CCS '08: Proceedings of the 15th ACM Conference on Computer and Communications Security, pages 51--62, New York, NY, USA, 2008. ACM.
[7] P. Ferrie. Attacks on virtual machine emulators. Symantec Advanced Threat Research, 2006.
[8] Malware Analysis System. CWSandbox: Behaviour-based malware analysis. http://mwanalysis.org/.
[9] Norman SandBox whitepaper. http://download.norman.no/whitepapers/whitepaper_Norman_SandBox.pdf, 2003.
[10] R. Paleari, L. Martignoni, G. Fresi Roglia, and D. Bruschi. A fistful of red-pills: How to automatically generate procedures to detect CPU emulators. In Proceedings of the USENIX Workshop on Offensive Technologies (WOOT), 2009.
[11] T. Raffetseder, C. Kruegel, and E. Kirda. Detecting system emulators. In Information Security Conference (ISC 2007), October 2007.
[12] P. Royal. Alternative medicine: The malware analyst's blue pill. In Black Hat USA, August 2008.
[13] M. I. Sharif, W. Lee, W. Cui, and A. Lanzi. Secure in-VM monitoring using hardware virtualization. In CCS '09: Proceedings of the 16th ACM Conference on Computer and Communications Security, pages 477--487, New York, NY, USA, 2009. ACM.
[14] A. Vasudevan and R. Yerraballi. Stealth breakpoints. In 21st Annual Computer Security Applications Conference (ACSAC 2005), pages 381--392, 2005.