Top

Published in:

2020 | OriginalPaper | Chapter

PiDicators: An Efficient Artifact to Detect Various VMs

Authors : Qingjia Huang, Haiming Li, Yun He, Jianwei Tai, Xiaoqi Jia

Published in: Information and Communications Security

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Most malwares use evasion technologies to prevent themselves from being analyzed by sandbox systems. For example, they would hide their maliciousness if the presence of Virtual Machine (VM) is detected. A popular idea of detecting VM is to utilize the difference in instruction semantics between virtual environment and physical environment. Semantic detection has been widely studied, but existing works either have limited detection range (e.g. detect VMs on specific hypervisor) or cost too much time. And most methods are not available for various kinds of VMs while introducing acceptable performance overhead.

In this paper, we proposed FindPiDicators, a new approach to select a few indicators (e.g. registers) and cases (instruction execution) through complete experiments and statistical analysis. Using FindPiDicators, we obtain PiDicators, a lightweight artifact that consists of some test cases and indicators. We use PiDicators to detect the presence of VM and it offers several benefits. 1) It could accurately detect VM without the influence of operating system, hardware environment and hypervisor. 2) PiDicators does not rely on API calls, thus it is transparent and hard to resist. 3) The detection based on PiDicators is time-efficient, for only 31 cases are considered and four registers’ values are required for each case.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter rTLS: Lightweight TLS Session Resumption for Constrained IoT Devices

next chapter HCC: 100 Gbps AES-GCM Encrypted Inline DMA Transfers Between SGX Enclave and FPGA Accelerator

Afianian, A., Niksefat, S., Sadeghiyan, B.: Malware dynamic analysis evasion techniques: a survey. ACM Comput. Surv. 52(6), 126 (2019)

Bulazel, A., Yener, B.: A survey on automated dynamic malware analysis evasion and counter-evasion: PC, mobile, and web. In: Reversing and Offensive Oriented Trends Symposium, vol. 2 (2017)

Branco, R.R., Barbosa, G.N., Neto, P.D.: Scientific but not academical overview of malware anti-debugging, anti-disassembly and anti-VM technologies. In: Black Hat USA 2012 (2012)

Evolution of malware sandbox evasion tactics - a retrospective study. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/. Accessed 7 Mar 2020

Anti-VM and Anti-Sandbox Explained. https://www.cyberbit.com/blog/endpoint-security/anti-vm-and-anti-sandbox-explained/. Accessed 7 Mar 2020

Top Malwares that can do VM detection. https://hackernewsdog.com/vm-bypassing-escaping-infect-host-machine/. Accessed 20 Feb 2020

How malware detects virtualized environment (and its Countermeasures). https://resources.infosecinstitute.com/how-malware-detects-virtualized-environment-and-its-countermeasures-an-overview/. Accessed 7 Mar 2020

VMware Backdoor I/O Port. https://sites.google.com/site/chitchatvmback/backdoor. Accessed 7 Mar 2020

How to tell if a system is a VM in VMWare? https://forum.bigfix.com/t/how-to-tell-if-a-system-is-a-vm-in-vmware/29060. Accessed 7 Mar 2020

10.

rdtsc x86 instruction to detect virtual machines. https://blog.badtrace.com/post/rdtsc-x86-instruction-to-detect-vms/. Accessed 4 Mar 2020

11.

Nguyen, A., Schear, N., Jung, H.D., Godiyal, A., King, S., Nguyen, H.: MAVMM: lightweight and purpose built VMM for malware analysis. In: Computer Security Applications Conference, Annual, pp. 441–450 (2009)

12.

Oyama, Y.: How does malware use RDTSC? A study on operations executed by malware with CPU cycle measurement. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds.) DIMVA 2019. LNCS, vol. 11543, pp. 197–218. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-22038-9_10CrossRef

13.

Sahin, O., Coskun, A.K., Egele, M.: Proteus: detecting android emulators from instruction-level profiles. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 3–24. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00470-5_1CrossRef

14.

Lok-Kwong, Y., Manjukumar, J., Mu, Z., Heng, Y.: V2E: combining hardware virtualization and software emulation for transparent and extensible malware analysis. In: Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution, pp. 227–238 (2012)

15.

Shi, H., Alwabel, A., Mirkovic, J.: Cardinal pill testing of system virtual machines. In: USENIX Security Symposium, pp. 271–285 (2014)

16.

Shi, H., Mirkovic, J., Alwabel, A.: Handling anti-virtual machine techniques in malicious software. ACM Trans. Priv. Secur. 21(1), 2 (2017)

17.

Martignoni, L., Paleari, R., Roglia, G.F., Bruschi, D.: Testing CPU emulators. In: International Symposium on Software Testing and Analysis, pp. 261–272 (2009)

18.

Setting up kernel-mode debugging. https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-kernel-mode-debugging-in-windbg-cdb-or-ntsd. Accessed 26 Feb 2020

19.

Brengel, M., Backes, M., Rossow, C.: Detecting hardware-assisted virtualization. In: Caballero, J., Zurutuza, U., Rodríguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 207–227. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40667-1_11CrossRef

20.

Blackthorne, J., Bulazel, A., Fasano, A., Biernat, P., Yener, B.: AVLeak: fingerprinting antivirus emulators through black-box testing. In: Proceedings of the 10th USENIX Workshop on Offensive Technologies (2016)

21.

Miramirkhani, N., Appini, M.P., Nikiforakis, N., Polychronakis, M.: Spotless sandboxes: evading malware analysis systems using wear-and-tear artifacts. In: IEEE Symposium on Security and Privacy, pp. 1009–1024 (2017)

Title: PiDicators: An Efficient Artifact to Detect Various VMs
Authors: Qingjia Huang
Haiming Li
Yun He
Jianwei Tai
Xiaoqi Jia
Publisher: Springer International Publishing
Book: Information and Communications Security
Print ISBN: 978-3-030-61077-7

Electronic ISBN: 978-3-030-61078-4

Copyright Year: 2020
DOI: https://doi.org/10.1007/978-3-030-61078-4_15

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner