ABSTRACT
Malware has become the centerpiece of most security threats on the Internet. Malware analysis is an essential technology: it extracts the runtime behavior of malware, supplies signatures to detection systems, and provides evidence for recovery and cleanup. The focal point of the malware analysis battle is whether malware can detect the analyzer at runtime, or whether the analyzer can stay hidden from it. State-of-the-art analyzers reside in, or emulate part of, the guest operating system and its underlying hardware, which makes them easy to detect and evade. In this paper, we propose a transparent and external approach to malware analysis, motivated by the intuition that for a malware analyzer to be transparent, it must not induce any side effects that are unconditionally detectable by malware. Our analyzer, Ether, is based on a novel application of hardware virtualization extensions such as Intel VT, and resides completely outside of the target OS environment. Thus there are no in-guest software components vulnerable to detection, and no shortcomings that arise from incomplete or inaccurate system emulation. Our experiments are based on our study of the obfuscation techniques used to create 25,000 recent malware samples. The results show that Ether remains transparent and defeats the obfuscation tools that evade existing approaches.
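The abstract's transparency requirement is easiest to understand from the guest's side: whatever the malware can observe unconditionally is a detection vector. The following is an added example, not code from the Ether paper or its authors, showing two classic in-guest probes: the CPUID "hypervisor present" bit, which a hypervisor chooses whether to expose, and an RDTSC-timed CPUID loop, since CPUID always causes a VM exit under Intel VT and a trap-and-emulate path inflates its cost. The timing classifier is pure and portable so it can be tested with constructed samples; the probes themselves are compiled only on x86, and the 1000-cycle threshold is an assumed illustrative value, not a figure from the paper.

```c
/* Added example (not from the Ether paper): guest-side side-effect probes.
 * A transparent analyzer must not let either probe betray it. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __get_cpuid, __cpuid */
#include <x86intrin.h>  /* __rdtsc */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Returns 1 if CPUID.1:ECX[31] (the "hypervisor present" bit) is set,
 * 0 if clear, -1 when not built for x86. The hypervisor decides what CPUID
 * returns, so an analyzer that wants to stay hidden must leave this clear. */
int hypervisor_bit_set(void)
{
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    return (int)((ecx >> 31) & 1u);
#else
    return -1;
#endif
}

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n > 0 samples (sorts in place). The median is used instead of
 * the mean so a single interrupt or context switch cannot dominate. */
uint64_t median_u64(uint64_t *samples, size_t n)
{
    qsort(samples, n, sizeof samples[0], cmp_u64);
    if (n % 2)
        return samples[n / 2];
    return (samples[n / 2 - 1] + samples[n / 2]) / 2;
}

/* 1 if the median cost of the probed instruction exceeds the threshold,
 * which is consistent with it being trapped and emulated; 0 otherwise. */
int timing_looks_trapped(uint64_t *cycles, size_t n, uint64_t threshold)
{
    if (n == 0)
        return 0;
    return median_u64(cycles, n) > threshold ? 1 : 0;
}

/* Times CPUID leaf 0 with RDTSC n times. Returns the number of samples
 * collected (0 when not built for x86). */
size_t sample_cpuid_cycles(uint64_t *out, size_t n)
{
#if HAVE_X86
    for (size_t i = 0; i < n; i++) {
        unsigned int a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);
        uint64_t t1 = __rdtsc();
        out[i] = t1 - t0;
    }
    return n;
#else
    (void)out;
    (void)n;
    return 0;
#endif
}

int main(void)
{
    enum { N = 1000 };
    static uint64_t cycles[N];
    const uint64_t threshold = 1000; /* assumed illustrative cutoff */

    printf("hypervisor bit: %d\n", hypervisor_bit_set());
    size_t got = sample_cpuid_cycles(cycles, N);
    if (got == 0) {
        puts("timing probe: not available on this architecture");
        return 0;
    }
    printf("median CPUID cost: %llu cycles, trapped=%d\n",
           (unsigned long long)median_u64(cycles, got),
           timing_looks_trapped(cycles, got, threshold));
    return 0;
}
```

Both probes are conditional on the environment, which is exactly the point: a hypervisor can clear the CPUID bit, and it can adjust the TSC the guest reads, but each such countermeasure has to be implemented explicitly. An analyzer that lives inside the guest or relies on an emulator has far more such side effects to hide.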
Ether: malware analysis via hardware virtualization extensions