Abstract
Most malware uses evasion techniques to prevent itself from being analyzed by sandbox systems. For example, it hides its malicious behavior if the presence of a Virtual Machine (VM) is detected. A popular idea for detecting a VM is to exploit the difference in instruction semantics between a virtual environment and a physical environment. Semantic detection has been widely studied, but existing works either have a limited detection range (e.g. they detect VMs on a specific hypervisor only) or cost too much time. Moreover, most methods cannot handle various kinds of VMs while keeping the performance overhead acceptable.
In this paper, we propose FindPiDicators, a new approach that selects a few indicators (e.g. registers) and cases (instruction executions) through complete experiments and statistical analysis. Using FindPiDicators, we obtain PiDicators, a lightweight artifact that consists of a set of test cases and indicators. We use PiDicators to detect the presence of a VM, and it offers several benefits. 1) It accurately detects VMs regardless of the operating system, hardware environment and hypervisor. 2) PiDicators does not rely on API calls, so it is transparent and hard to counter. 3) Detection based on PiDicators is time-efficient, since only 31 cases are considered and only four registers' values are required for each case.
Acknowledgements
This research is partially supported by the program of the Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences, and the program of the Beijing Key Laboratory of Network Security and Protection Technology. This paper is also supported by the Strategic Priority Research Program of the Chinese Academy of Sciences under Grant No. XDC02010900, the National Key Research and Development Program of China under Grant No. 2016QY04W0903, the Beijing Municipal Science & Technology Commission under Grant Z191100007119010 and the National Natural Science Foundation of China under Grant No. 61772078.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Huang, Q., Li, H., He, Y., Tai, J., Jia, X. (2020). PiDicators: An Efficient Artifact to Detect Various VMs. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds) Information and Communications Security. ICICS 2020. Lecture Notes in Computer Science, vol 12282. Springer, Cham. https://doi.org/10.1007/978-3-030-61078-4_15
DOI: https://doi.org/10.1007/978-3-030-61078-4_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-61077-7
Online ISBN: 978-3-030-61078-4