ABSTRACT
Present-day malware analysis techniques use both virtualized and emulated environments to analyze malware, because such environments provide isolation and system-restore capabilities that facilitate automated analysis of malware samples. However, there exists a class of malware, called VM-aware malware, that can detect such environments and then hides its malicious behavior to foil the analysis. Because of the artifacts introduced by virtualization or emulation layers, it has always been and will always be possible for malware to detect virtual environments.
The definitive way to observe the actual behavior of VM-aware malware is to execute it on a system running on real hardware, called a "bare-metal" system. However, after each analysis the system must be restored to its previous clean state, because running a malware program can leave the system in an unstable or insecure state and/or interfere with the results of a subsequent analysis run. Most of the available state-of-the-art system restore solutions are based on disk restoring and require a system reboot, which results in significant downtime between analyses. Because of this limitation, efficient automation of malware analysis on bare-metal systems has been a challenge.
This paper presents the design, implementation, and evaluation of a malware analysis framework for bare-metal systems that is based on a fast and rebootless system restore technique. Live system restore is accomplished by restoring the entire physical memory of the analysis operating system from another, small operating system that runs outside of the target OS. By using this technique, we were able to perform a rebootless restore of a live Windows system, running on commodity hardware, within four seconds. We also analyzed 42 malware samples from seven different malware families that are known to be "silent" in virtualized or emulated environments, and all of them showed their true malicious behavior within our bare-metal analysis environment.
Index Terms
- BareBox: efficient malware analysis on bare-metal