Abstract
Many malware programs execute operations intended to evade analysis. Among them is sandbox detection by measuring the execution time, or the number of CPU cycles consumed, of some operation, typically with the RDTSC instruction. Although this detection technique is widely known and well studied, how real malware actually uses the RDTSC instruction has not yet been sufficiently clarified. In this paper, we present the results of an analysis of RDTSC usage in more than 200,000 malware files. In this analysis, malware programs are searched for closely placed pairs of RDTSC instructions, and the code fragments surrounding these pairs are extracted. A system developed by the authors then classifies the extracted fragments into distinct groups according to a set of rules that matches each fragment against instruction patterns. The results indicate that malware programs measure the CPU cycle counts of diverse operations, and that they also execute the RDTSC instruction for other purposes, such as obfuscation and acquisition of random values.
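To make the search and classification step concrete, the following is an added example written for this page; it is not the author's analysis system and does not reproduce its rules. It scans a raw x86 code buffer for the RDTSC opcode (0F 31), pairs reads that fall within an assumed 64-byte window, and tags each fragment with a few illustrative rules (a CPUID between the two reads, a CALL between them, back-to-back reads, and a `cmp eax, imm32` shortly after the second read). The linear byte scan is a simplification: 0F 31 can also occur inside other instructions or data, so a real pipeline would disassemble the fragment before trusting the match. The sample byte sequences are constructed by hand.

```python
"""Scan raw x86 code for closely placed RDTSC pairs and classify them.

Added example, not the paper's tool. The window size, rule set and
sample bytes below are assumptions made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

RDTSC = b"\x0f\x31"   # rdtsc
CPUID = b"\x0f\xa2"   # cpuid (serialising instruction used around timing reads)
CALL_REL32 = 0xE8     # call rel32
CMP_EAX_IMM32 = 0x3D  # cmp eax, imm32 (threshold comparison on the delta)
MAX_GAP = 64          # assumed: max bytes between two reads of one pair
TAIL_WINDOW = 16      # assumed: bytes after the second read to inspect


@dataclass
class Fragment:
    first: int          # offset of the first rdtsc
    second: int         # offset of the second rdtsc
    body: bytes         # bytes between the two reads
    label: str          # illustrative class assigned by classify()
    compares_threshold: bool  # cmp eax, imm32 seen shortly after 2nd read


def classify(body: bytes) -> str:
    """Illustrative rule table over the bytes between the two reads."""
    if CPUID in body:
        return "serialized-cpuid"    # classic VM/sandbox timing probe
    if not body:
        return "back-to-back"        # two consecutive reads, no work timed
    if CALL_REL32 in body:
        return "measures-call"       # a call is timed (API, unpacking stub, ...)
    return "measures-other"


def find_rdtsc_pairs(code: bytes, max_gap: int = MAX_GAP) -> list[Fragment]:
    """Return every pair of rdtsc whose gap is at most max_gap bytes.

    Consecutive reads are paired in order, so the second read of one
    pair may also serve as the first read of the next (a chain of
    measurements is reported as several fragments).
    """
    positions = [m.start() for m in re.finditer(re.escape(RDTSC), code)]
    fragments: list[Fragment] = []
    for a, b in zip(positions, positions[1:]):
        body = code[a + len(RDTSC):b]
        if len(body) > max_gap:
            continue
        tail = code[b + len(RDTSC):b + len(RDTSC) + TAIL_WINDOW]
        fragments.append(
            Fragment(a, b, body, classify(body), CMP_EAX_IMM32 in tail)
        )
    return fragments


# Constructed sample: three fragments separated by NOP sleds longer than
# MAX_GAP so that reads of different fragments are not paired.
CLASSIC_CHECK = bytes.fromhex(
    "0fa2"          # cpuid
    "0f31"          # rdtsc
    "89c3"          # mov ebx, eax
    "0fa2"          # cpuid
    "0f31"          # rdtsc
    "29d8"          # sub eax, ebx
    "3d00100000"    # cmp eax, 0x1000
    "7705"          # ja +5
)
TIMED_CALL = bytes.fromhex(
    "0f31"          # rdtsc
    "50"            # push eax
    "e810000000"    # call +0x10
    "0f31"          # rdtsc
)
BACK_TO_BACK = bytes.fromhex("0f310f31")
PAD = b"\x90" * 80

SAMPLE = CLASSIC_CHECK + PAD + TIMED_CALL + PAD + BACK_TO_BACK


def summarize(code: bytes) -> list[tuple[int, str, bool]]:
    """(offset of first read, label, threshold compare seen) per fragment."""
    return [(f.first, f.label, f.compares_threshold) for f in find_rdtsc_pairs(code)]


if __name__ == "__main__":
    for offset, label, thr in summarize(SAMPLE):
        print(f"rdtsc pair at 0x{offset:x}: {label}, threshold compare: {thr}")
```

On the constructed sample the scanner reports the classic CPUID-bracketed probe with a threshold compare, a timed CALL, and a back-to-back pair; the last kind is the one the paper associates with non-timing uses such as obfuscation or random-value generation, which is why it is worth keeping as its own class rather than discarding as noise.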
Acknowledgments
We would like to thank the anonymous reviewers and our shepherd, Zhiqiang Lin, for their valuable comments and suggestions. We also thank Hirotaka Kokubo for the helpful discussions and warm encouragement. We also appreciate the feedback provided by Yuji Kubo and Yuki Koike. This work was supported by JSPS KAKENHI under Grant Number 17K00179.
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Oyama, Y. (2019). How Does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science, vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_10
DOI: https://doi.org/10.1007/978-3-030-22038-9_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-22037-2
Online ISBN: 978-3-030-22038-9
eBook Packages: Computer Science (R0)