Ether: malware analysis via hardware virtualization extensions

Artem Dinaburg, Paul Royal, Monirul I. Sharif and Wenke Lee. Ether: malware analysis via hardware virtualization extensions. In Conference on Computer and Communications Security.

Malware has become the centerpiece of most security threats on the Internet. Malware analysis is an essential technology that extracts the runtime behavior of malware, and supplies signatures to detection systems and provides evidence for recovery and cleanup. The focal point in the malware analysis battle is how to detect versus how to hide a malware analyzer from malware during runtime. State-of-the-art analyzers reside in or emulate part of the guest operating system and its underlying… 

BareBox: efficient malware analysis on bare-metal

This paper presents the design, implementation, and evaluation of a malware analysis framework for bare-metal systems that is based on a fast and rebootless system restore technique, which was able to perform a rebootless restore of a live Windows system within four seconds.

Detecting Hardware-Assisted Virtualization

This work proposes and evaluates low-level timing-based mechanisms to detect hardware-virtualized systems and demonstrates how an adversary may even use these detections to evade multi-path exploration systems that aim to explore the full behavior of a program.

MAVMM: Lightweight and Purpose Built VMM for Malware Analysis

This paper proposes a lightweight VMM (namely MAVMM) that is designed specially for a single job: malware analysis, and shows that the system can extract useful information from malicious software, and that it is not susceptible to known virtualization detection techniques.

Hubble: Transparent and Extensible Malware Analysis by Combining Hardware Virtualization and Software Emulation

The experiment on 14 real-world emulation-resistant malware samples has demonstrated that the prototype is able to defeat emulation-resistant malware and conduct in-depth analysis with acceptable performance overhead.

nEther: in-guest detection of out-of-the-guest malware analyzers

Novel approaches are introduced that make it possible to detect hardware-assisted virtualization platforms and out-of-the-guest malware analysis frameworks, and an application framework called nEther is implemented that is capable of detecting the out-of-the-guest malware analysis framework Ether.

Using Hardware Features for Increased Debugging Transparency

MALT is presented, a debugging framework that employs System Management Mode, a CPU mode in the x86 architecture, to transparently study armored malware; it reduces the attack surface at the software level and advances state-of-the-art debugging transparency.

Malware Collection and Analysis via Hardware Virtualization

A systematic evaluation of hardware virtualization as an underlying technology to construct effective malware collection and analysis systems is presented via the combination of four distinct objectives such systems need to fulfill: scalability, stealth, fidelity and isolation.

On the Effectiveness of Binary Emulation in Malware Classification

The main objective of this work is to complement sandbox execution with the use of binary emulation frameworks; it compares the binary analysis results with a commercial sandbox, and the classification outperforms it at the expense of the fine-grained results that a sandbox provides.

Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system

DRAKVUF is presented, a novel dynamic malware analysis system designed to address these challenges by building on the latest hardware virtualization extensions and the Xen hypervisor and providing a stealthy, in-depth view into the behavior of modern malware.
Detecting System Emulators

A number of possibilities to detect system emulators are analyzed and it is shown that emulation can be successfully detected, mainly because the task of perfectly emulating real hardware is complex.

Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction

VMwatcher is presented - an "out-of-the-box" approach that overcomes the semantic gap challenge and identifies two unique malware detection capabilities: view comparison-based malware detection and its demonstration in rootkit detection and "out of the box" deployment of host-based anti-malware software with improved detection accuracy and tamper-resistance.

TTAnalyze: A Tool for Analyzing Malware

TTAnalyze is presented, a tool for dynamically analyzing the behavior of Windows executables; it runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy and makes the tool more difficult for malicious code to detect.

Automated Classification and Analysis of Internet Malware

This paper examines the ability of existing host-based anti-virus products to provide semantically meaningful information about the malicious software and tools used by attackers and proposes a new classification technique that describes malware behavior in terms of system state changes rather than in sequences or patterns of system calls.

OmniUnpack: Fast, Generic, and Safe Unpacking of Malware

OmniUnpack aids malware detection by directly providing to the detector the unpacked malicious payload and introduces a low overhead (at most 11% for packed benign programs).

PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware

The results from the experiments show the approach can be used to significantly reduce the time required to analyze such malware, and to improve the performance of malware detection tools.

Stealth breakpoints

This paper presents the concept of stealth breakpoints and discusses the design and implementation of VAMPiRE, a realization of this concept, which cannot be detected or countered and provides an unlimited number of breakpoints to be set on code, data, and I/O with the same precision as hardware breakpoints.

Cobra: fine-grained malware analysis using stealth localized-executions

A powerful dynamic fine-grained malicious code analysis framework, codenamed Cobra, is presented to combat malware that is becoming increasingly hard to analyze; it provides a stealthy, efficient, portable and easy-to-use framework supporting multithreading, self-modifying/self-checking code and any form of code obfuscation in both user and kernel mode on commodity operating systems.

Renovo: a hidden code extractor for packed executables

This paper proposes a fully dynamic approach that captures an intrinsic property of hidden-code execution: the original code must be present in memory and executed at some point at run time.

Panorama: capturing system-wide information flow for malware detection and analysis

This work proposes a system, Panorama, to detect and analyze malware by capturing malicious information access and processing behavior, which separates these malicious applications from benign software.