ABSTRACT
Mixed-mode malware contains interdependent user-mode and kernel-mode components. It exhibits its main malicious payload only after it has succeeded in corrupting the OS kernel, and it may further actively attack or subvert the components of a malware analysis system. Current malware analysis techniques are not effective against mixed-mode malware. To overcome the limitations of current techniques, we present an approach that combines whole-system analysis with outside-the-guest virtual machine introspection. We implement this approach in the SEMU tool for Windows. In our experiments, SEMU successfully analyzed several mixed-mode malware samples that evade current analysis approaches. The runtime overhead of SEMU is in line with that of the most closely related dynamic analysis tools, TEMU and Ether.