Ether: malware analysis via hardware virtualization extensions

Abstract

Malware has become the centerpiece of most security threats on the Internet. Malware analysis is an essential technology that extracts the runtime behavior of malware, supplies signatures to detection systems, and provides evidence for recovery and cleanup. The focal point in the malware analysis battle is whether malware can detect the analyzer at runtime versus how well the analyzer can hide from it. State-of-the-art analyzers reside in, or emulate part of, the guest operating system and its underlying hardware, making them easy to detect and evade. In this paper, we propose a transparent and external approach to malware analysis, motivated by the intuition that for a malware analyzer to be transparent, it must not induce any side-effects that are unconditionally detectable by malware. Our analyzer, Ether, is based on a novel application of hardware virtualization extensions such as Intel VT, and resides completely outside of the target OS environment. Thus, there are no in-guest software components vulnerable to detection, and there are no shortcomings that arise from incomplete or inaccurate system emulation. Our experiments are based on our study of the obfuscation techniques used to create 25,000 recent malware samples. The results show that Ether remains transparent and defeats the obfuscation tools that evade existing approaches.

DOI: 10.1145/1455770.1455779


Cite this paper

@inproceedings{Dinaburg2008EtherMA,
  title     = {Ether: malware analysis via hardware virtualization extensions},
  author    = {Artem Dinaburg and Paul Royal and Monirul I. Sharif and Wenke Lee},
  booktitle = {ACM Conference on Computer and Communications Security},
  year      = {2008}
}