ABSTRACT
Malware is one of the biggest security threats on the Internet today, and deploying effective defensive solutions requires the rapid analysis of a continuously increasing number of malware samples. With the proliferation of metamorphic malware, the analysis is further complicated, as the efficacy of signature-based static analysis systems is greatly reduced. While dynamic malware analysis is an effective alternative, the approach faces significant challenges, as the ever-increasing number of samples requiring analysis places a burden on hardware resources. At the same time, modern malware can both detect the monitoring environment and hide in unmonitored corners of the system.
In this paper we present DRAKVUF, a novel dynamic malware analysis system designed to address these challenges by building on the latest hardware virtualization extensions and the Xen hypervisor. We present a technique for improving stealth by initiating the execution of malware samples without leaving any trace in the analysis machine. We also present novel techniques to eliminate blind spots created by kernel-mode rootkits by extending the scope of monitoring to include kernel internal functions, and to monitor file-system accesses through the kernel's heap allocations. With extensive tests performed on recent malware samples, we show that DRAKVUF achieves significant improvements in conserving hardware resources while providing a stealthy, in-depth view into the behavior of modern malware.
Title: Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system