Measuring virtual machine detection in malware using DSD tracer

  • Eicar 2008 extended version
  • Journal in Computer Virology

Abstract

Most methods for detecting that a process is running inside a virtual environment such as VMware or Microsoft Virtual PC are well known, and the paper briefly discusses the most common methods measured during the research. The measurements are conducted over a representative set of malicious files, with particular attention to packer code. The results are broken down by malware category, family and various commercial and non-commercial packers, and are presented in graphical and tabular form. The extent of the virtual machine detection problem is estimated from the results of the research. The main subject of the paper is the measurement of the actual use of virtual machine detection methods in current malware. The research uses DSD Tracer, a dynamic-static tracing system based on an instrumented Bochs virtual machine. The system produces execution traces that can be scripted or used as a basis for disassembly and emulation in IDA Pro when combined with a customised version of the IDAEmul emulator. The paper gives an overview of the design and usage of DSD Tracer.



Author information

Corresponding author: Boris Lau.


Cite this article

Lau, B., Svajcer, V. Measuring virtual machine detection in malware using DSD tracer. J Comput Virol 6, 181–195 (2010). https://doi.org/10.1007/s11416-008-0096-y
