How Does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11543)

Abstract

Many malware programs execute operations for analysis evasion. They include sandbox detection through measurement of execution time or executed CPU cycles with a method that exploits the RDTSC instruction. Although the detection technique is widely known and well-studied, the actual usage of the RDTSC instruction by real malware has not yet been sufficiently clarified. In this paper, we present analysis results for RDTSC usage collected from more than 200,000 malware files. In this analysis, malware programs are searched for closely placed pairs of RDTSCs; then, code fragments surrounding these pairs are extracted. A system developed by the authors classifies the extracted code fragments into distinct groups based on their characteristics, according to a set of rules that matches the fragments with instruction patterns. The results indicate that malware programs measure the number of CPU cycles of diverse operations and can also execute the RDTSC instruction for other purposes, such as obfuscation and acquisition of random values.
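The abstract describes scanning binaries for closely placed RDTSC pairs, extracting the code between them, and labelling the fragment by instruction pattern. The following is an added illustration of that analysis step, not code from the paper: it scans a constructed byte buffer for the RDTSC opcode (0F 31), groups nearby occurrences into measurement pairs, and applies one illustrative rule (CPUID between the pair) as an assumed example of a pattern rule; the gap and context sizes are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

RDTSC = b"\x0f\x31"   # opcode bytes of RDTSC (EDX:EAX <- time-stamp counter)
CPUID = b"\x0f\xa2"   # opcode bytes of CPUID, a common serialising instruction

@dataclass
class RdtscPair:
    first: int        # offset of the first RDTSC opcode
    second: int       # offset of the second RDTSC opcode
    fragment: bytes   # bytes around the pair, including some context
    label: str        # label assigned by the pattern rules

def find_rdtsc_offsets(code: bytes) -> List[int]:
    """Return every offset where the RDTSC opcode bytes occur.

    A raw byte scan is a heuristic: 0F 31 can also appear inside
    immediates or displacements, so hits should be confirmed with a
    disassembler before being treated as real instructions."""
    return [m.start() for m in re.finditer(re.escape(RDTSC), code)]

def label_fragment(between: bytes) -> str:
    """Illustrative rule (assumption): a CPUID between the two RDTSCs
    marks the pair as timing the CPUID instruction itself."""
    return "cpuid-timing" if CPUID in between else "other"

def find_rdtsc_pairs(code: bytes, max_gap: int = 64, context: int = 8) -> List[RdtscPair]:
    """Group RDTSC offsets into closely placed pairs (assumed gap <= max_gap bytes).

    Consecutive offsets no more than max_gap apart are treated as the start
    and end of one cycle measurement; context bytes are kept on each side."""
    offsets = find_rdtsc_offsets(code)
    pairs, i = [], 0
    while i + 1 < len(offsets):
        a, b = offsets[i], offsets[i + 1]
        if b - a <= max_gap:
            lo, hi = max(0, a - context), min(len(code), b + len(RDTSC) + context)
            between = code[a + len(RDTSC):b]
            pairs.append(RdtscPair(a, b, code[lo:hi], label_fragment(between)))
            i += 2   # both members of the pair are consumed
        else:
            i += 1   # isolated RDTSC, move on
    return pairs

# Constructed sample: rdtsc; mov esi,eax; cpuid; rdtsc; sub eax,esi;
# then a run of NOPs and one isolated rdtsc far away.
SAMPLE = bytes.fromhex("0f31" "89c6" "0fa2" "0f31" "29f0") + b"\x90" * 200 + RDTSC
```

Running `find_rdtsc_pairs(SAMPLE)` yields one pair at offsets 0 and 6 labelled `cpuid-timing`; the isolated RDTSC at offset 210 is not paired.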


Acknowledgments

We would like to thank the anonymous reviewers and our shepherd, Zhiqiang Lin, for their valuable comments and suggestions. We also thank Hirotaka Kokubo for the helpful discussions and warm encouragement. We also appreciate the feedback provided by Yuji Kubo and Yuki Koike. This work was supported by JSPS KAKENHI under Grant Number 17K00179.

Correspondence to Yoshihiro Oyama.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Oyama, Y. (2019). How Does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds.) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science, vol. 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_10

  • DOI: https://doi.org/10.1007/978-3-030-22038-9_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-22037-2

  • Online ISBN: 978-3-030-22038-9

  • eBook Packages: Computer Science (R0)
