DOI: 10.1145/2388576.2388578
research-article

Split personality malware detection and defeating in popular virtual machines

Published: 25 October 2012

Abstract

Virtual machines have gained immense popularity among security researchers and malware analysts because they are well suited to analyzing malware without risking permanent infection of the actual system carrying out the tests. Even if malware infects and destabilizes the guest OS during analysis, the analyst can simply load a fresh image, avoiding any damage to the actual machine. However, the cat-and-mouse game between black hat and white hat hackers is well established, and malware writers have once again raised the stakes by creating a new kind of malware that can detect the presence of virtual machines. Once such malware detects that it is running on a virtual machine, it either terminates execution immediately or hides its malicious intent and continues to execute in a benign manner, thereby evading detection. This category of malware is termed 'Split Personality' malware or 'Analysis Aware' malware in information security jargon. This paper aims at defeating split personality malware in popular virtual machine environments. The work first studies various virtual machine detection techniques and then develops a method to thwart these techniques from successfully detecting the virtual machines VirtualBox, VirtualPC and VMware.

    Published In

    SIN '12: Proceedings of the Fifth International Conference on Security of Information and Networks
    October 2012
    226 pages
    ISBN: 9781450316682
    DOI: 10.1145/2388576
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. VMDetectGuard
    2. VirtualBox
    3. VirtualPC
    4. analysis aware
    5. detection
    6. malware
    7. masking
    8. pin tool
    9. split personality

    Qualifiers

    • Research-article

    Conference

    SIN '12
    Acceptance Rates

    Overall Acceptance Rate 102 of 289 submissions, 35%
