DOI: 10.1145/2664243.2664252 (ACSAC conference proceedings, research article)

Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system

Published: 08 December 2014

Abstract

Malware is one of the biggest security threats on the Internet today, and deploying effective defensive solutions requires the rapid analysis of a continuously increasing number of malware samples. With the proliferation of metamorphic malware the analysis is further complicated, as the efficacy of signature-based static analysis systems is greatly reduced. While dynamic malware analysis is an effective alternative, the approach faces significant challenges, as the ever increasing number of samples requiring analysis places a burden on hardware resources. At the same time, modern malware can both detect the monitoring environment and hide in unmonitored corners of the system.
In this paper we present DRAKVUF, a novel dynamic malware analysis system designed to address these challenges by building on the latest hardware virtualization extensions and the Xen hypervisor. We present a technique for improving stealth by initiating the execution of malware samples without leaving any trace in the analysis machine. We also present novel techniques to eliminate blind-spots created by kernel-mode rootkits by extending the scope of monitoring to include kernel internal functions, and to monitor file-system accesses through the kernel's heap allocations. With extensive tests performed on recent malware samples we show that DRAKVUF achieves significant improvements in conserving hardware resources while providing a stealthy, in-depth view into the behavior of modern malware.


Cited By

  • Benchmarking Hyper-Breakpoints for Efficient Virtual Machine Introspection. Electronics 14(3):534, 2025. DOI: 10.3390/electronics14030534. Published 28 Jan 2025.
  • STARMAP: Multi-machine Malware Analysis System for Lateral Movement Observation. Science of Cyber Security, pp. 37-55, 2025. DOI: 10.1007/978-981-96-2417-1_3. Published 4 Mar 2025.
  • Comparing malware evasion theory with practice. Proceedings of the Twentieth USENIX Conference on Usable Privacy and Security, pp. 61-80, 2024. DOI: 10.5555/3696899.3696903. Published 12 Aug 2024.
  • Understanding LLMs Ability to Aid Malware Analysts in Bypassing Evasion Techniques. Companion Proceedings of the 26th International Conference on Multimodal Interaction, pp. 36-40, 2024. DOI: 10.1145/3686215.3690147. Published 4 Nov 2024.
  • CDDN: A concept drift driven virtual network attack detection framework in hypervisor-based environment. Proceedings of the 2024 Sixteenth International Conference on Contemporary Computing, pp. 316-324, 2024. DOI: 10.1145/3675888.3676065. Published 8 Aug 2024.
  • Simulating the Network Environment of Sandboxes to Hide Virtual Machine Introspection Pauses. Proceedings of the 17th European Workshop on Systems Security, pp. 1-7, 2024. DOI: 10.1145/3642974.3652280. Published 22 Apr 2024.
  • Antibypassing Four-Stage Dynamic Behavior Modeling for Time-Efficient Evasive Malware Detection. IEEE Transactions on Industrial Informatics 20(3):4627-4639, 2024. DOI: 10.1109/TII.2023.3327522. Published Mar 2024.
  • Reducing Malware Analysis Overhead With Coverings. IEEE Transactions on Dependable and Secure Computing 21(4):4133-4146, 2024. DOI: 10.1109/TDSC.2023.3346328. Published Jul 2024.
  • TEE-PA: TEE Is a Cornerstone for Remote Provenance Auditing on Edge Devices With Semi-TCB. IEEE Access 12:26536-26549, 2024. DOI: 10.1109/ACCESS.2024.3366344.
  • CipherTrace: automatic detection of ciphers from execution traces to neutralize ransomware. Journal of Cybersecurity 10(1), 2024. DOI: 10.1093/cybsec/tyae008. Published 6 Jun 2024.


      Published In

      ACSAC '14: Proceedings of the 30th Annual Computer Security Applications Conference
      December 2014
      492 pages
      ISBN:9781450330053
      DOI:10.1145/2664243
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Sponsors

      • ACSA: Applied Computing Security Assoc

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. dynamic malware analysis
      2. virtual machine introspection

      Qualifiers

      • Research-article

      Conference

      ACSAC '14
      Sponsor:
      • ACSA
      ACSAC '14: Annual Computer Security Applications Conference
      December 8 - 12, 2014
      New Orleans, Louisiana, USA

      Acceptance Rates

      Overall Acceptance Rate 104 of 497 submissions, 21%


      Bibliometrics & Citations

      Bibliometrics

      Article Metrics

      • Downloads (last 12 months): 47
      • Downloads (last 6 weeks): 3
      Reflects downloads up to 08 Mar 2025
