Hao Shi
Jelena Mirkovic
Abstract
Malware analysis relies heavily on the use of virtual machines (VMs) for functionality and safety. There are subtle differences in operation between virtual and physical machines. Contemporary malware checks for these differences and changes its behavior when it detects a VM presence. These anti-VM techniques hinder malware analysis. Existing research approaches to uncover differences between VMs and physical machines use randomized testing, and thus cannot guarantee completeness.
In this article, we propose a detect-and-hide approach, which systematically addresses anti-VM techniques in malware. First, we propose cardinal pill testing—a modification of red pill testing that aims to enumerate the differences between a given VM and a physical machine through carefully designed tests. Cardinal pill testing finds five times more pills by running 15 times fewer tests than red pill testing. We examine the causes of pills and find that, while the majority of them stem from the failure of VMs to follow CPU specifications, a small number stem from under-specification of certain instructions by the Intel manual. This leads to divergent implementations in different CPU and VM architectures. Cardinal pill testing successfully enumerates the differences that stem from the first cause. Finally, we propose VM Cloak—a WinDbg plug-in which hides the presence of VMs from malware. VM Cloak monitors each execute malware command, detects potential pills, and at runtime modifies the command’s outcomes to match those that a physical machine would generate. We implemented VM Cloak and verified that it successfully hides VM presence from malware.
- 0xEBFE. 2013. Fooled by Andromeda. Retrieved from http://0xebfe.net/blog/2013/03/30/fooled-by-andromeda/.Google Scholar
- R. Bajcsy, T. Benzel, M. Bishop, R. Braden, C. E. Brodley, S. Fahmy, S. Floyd, W. Hardaker, A. D. Joseph, G. Kesidis, K. N. Levitt, R. Lindell, P. Liu, D. Miller, R. Mundy, C. Neuman, R. Ostrenga, V. Paxson, P. A. Porras, C. Rosenberg, D. J. Tygar, S. Sastry, D. F. Sterne, and S. F. Wu. 2004. Cyber defense technology networking and evaluation. Commun. ACM 47, 3 (2004), 58--61. Google ScholarDigital Library
- Davide Balzarotti, Marco Cova, Cristoph Karlberger, Christopher Kruegel, Engin Kirda, and Giovanni Vigna. 2010. Efficient detection of split personalities in malware. In Networking and Distributed Systems Symposium (NDSS). ACM, 20--26.Google Scholar
- Paul Barford and Mike Blodgett. 2007. Toward botnet mesocosms. In HotBots. USENIX, Berkeley, CA,1. Google ScholarDigital Library
- Ulrich Bayer, Christopher Kruegel, and Engin Kirda. 2006. TTAnalyze: A tool for analyzing malware. In 14th Annual EICAR Conference.Google Scholar
- Fabrice Bellard. 2005. QEMU, A fast and portable dynamic translator. In USENIX Annual Technical Conference (ATC). Google ScholarDigital Library
- Rodrigo Rubira Branco, Gabriel Negreira Barbosa, and Pedro Drimel Neto. 2012. Scientific but not academical overview of malware anti-debugging, anti-disassembly and anti-vm technologies. In Black Hat.Google Scholar
- Xu Chen, Jon Andersen, Z.Morley Mao, Michael Bailey, and Jose Nazario. 2008. Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In DSN.Google Scholar
- Artem Dinaburg, Paul Royal, Monirul Sharif, and Wenke Lee. 2008. Ether: Malware analysis via hardware virtualization extensions. In Computer and Communications Security. Google ScholarDigital Library
- Peter Ferrie. 2006. Attacks on virtual machine emulators. Symantec Security Response (2006). Retrieved from https://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf.Google Scholar
- Peter Ferrie. 2008. Anti-Unpacker Tricks. Retrieved from http://vpn23.homelinux.org/Anti-Unpackers.pdf.Google Scholar
- ISC Tech Georgia. 2017. Open Malware. Retrieved from http://oc.gtisc.gatech.edu/.Google Scholar
- Hex-Rays. 2016. IDA: multi-processor Disassembler and Debugger. Retrieved from https://www.hex-rays.com/products/ida/.Google Scholar
- Intel. 2016. Intel 64 and IA-32 Architectures Software Developers Manuals. Retrieved from http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html.Google Scholar
- John P. John, Alexander Moshchuk, Steven D. Gribble, and Arvind Krishnamurthy. 2009. Studying spamming botnets using botlab. In Networked Systems Design and Implementation. Google ScholarDigital Library
- Min Gyung Kang, Heng Yin, Steve Hanna, Stephen McCamant, and Dawn Song. 2009. Emulating emulation-resistant malware. In VMSec. Google ScholarDigital Library
- Dhilung Kirat, Giovanni Vigna, and Christopher Kruegel. 2011. BareBox: Efficient malware analysis on bare-metal. In Annual Computer Security Applications Conference. 403--412. Google ScholarDigital Library
- Dhilung Kirat, Giovanni Vigna, and Christopher Kruegel. 2014. BareCloud: Bare-metal analysis-based evasive malware detection. In USENIX Security. Google ScholarDigital Library
- Christian Kreibich, Nicholas Weaver, Chris Kanich, Weldong Cui, and Vern Paxson. 2011. GQ: Practical containment for measuring modern malware systems. In Internet Measurement Conference (IMC). Google ScholarDigital Library
- Kevin P. Lawton. 1996. Bochs: A portable PC emulator for unix/X. Linux Journal 29es (1996), 7. Google ScholarDigital Library
- Martina Lindorfer, Clemens Kolbitsch, and Paolo Milani Comparetti. 2011. Detecting environment-sensitive malware. In Research in Attacks, Intrusions and Defenses.Google Scholar
- Lorenzo Martignoni, Stephen McCamant, Pongsin Poosankam, Dawn Song, and Petros Maniatis. 2012. Path-exploration lifting: Hi-fi tests for lo-fi emulators. In ASPLOS. 337--348. Google ScholarDigital Library
- Lorenzo Martignoni, Roberto Paleari, Giampaolo Fresi Roglia, and Danilo Bruschi. 2009. Testing CPU emulators. In International Symposium on Software Testing and Analysis. Google ScholarDigital Library
- Lorenzo Martignoni, Roberto Paleari, Giampaolo Fresi Roglia, and Danilo Bruschi. 2010. Testing system virtual machines. In International Symposium on Software Testing and Analysis. Google ScholarDigital Library
- Najmeh Miramirkhani, Mahathi Priya Appini, Nick Nikiforakis, and Michalis Polychronakis. 2017. Spotless sandboxes: Evading malware analysis systems using wear-and-tear artifacts. In IEEE Symposium on Security and Privacy.Google ScholarCross Ref
- Zhenyu Ning and Fengwei Zhang. 2017. Ninja: Towards transparent tracing and debugging on ARM. In 26th USENIX Security Symposium (USENIX Security 17).Google ScholarDigital Library
- Gábor Pék, Boldizsár Bencsáth, and Levente Buttyán. 2011. nEther: In-guest detection of out-of-the-guest malware analyzers. In EuroSec. Google ScholarDigital Library
- Hao Shi, Abdulla Alwabel, and Jelena Mirkovic. 2014. Cardinal pill testing of system virtual machines. In USENIX Security 14. Google ScholarDigital Library
- Hao Shi and Jelena Mirkovic. 2017. Hiding debuggers from malware with apate. In ACM Symposium on Applied Computing. Google ScholarDigital Library
- Michael Sikorski and Andrew Honig. 2012. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press. Google ScholarDigital Library
- Chengyu Song, Paul Royal, and Wenke Lee. 2012. Impeding automated malware analysis with environment-sensitive malware. In HotSec. Google ScholarDigital Library
- Dawn Song, David Brumley, Heng Yin, Juan Caballero, Ivan Jager, Min Gyung Kang, Zhenkai Liang, James Newsome, Pongsin Poosankam, and Prateek Saxena. 2008. BitBlaze: A new approach to computer security via binary analysis. In ICISS. Google ScholarDigital Library
- Chad Spensky, Hongyi Hu, and Kevin Leach. 2016. LO-PHI: Low-observable physical host instrumentation for malware analysis. In Network and Distributed System Security Symposium.Google ScholarCross Ref
- Ming-Kung Sun, Mao-Jie Lin, Michael Chang, Chi-Sung Laih, and Hui-Tang Lin. 2011. Malware virtualization-resistant behavior detection. In ICPADS. Google ScholarDigital Library
- Basis Technology. 2016. The Sleuth Kit. Retrieved from http://www.sleuthkit.org/.Google Scholar
- Virus Total. 2017. VirusTotal Web Site. Retrieved from https://www.virustotal.com/en/.Google Scholar
- Amit Vasudevan and Ramesh Yerraballi. 2005. Stealth breakpoints. In ACSAC. Google ScholarDigital Library
- A. Vasudevan and R. Yerraballi. 2006. Cobra: Fine-grained malware analysis using stealth localized-executions. In Security and Privacy. Google ScholarDigital Library
- Lok-Kwong Yan, Manjukumar Jayachandra, Mu Zhang, and Heng Yin. 2012. V2E: Combining hardware virtualization and software emulation for transparent and extensible malware analysis. In Virtual Execution Environments Conference (VEE). Google ScholarDigital Library
- Oleh Yuschuk. 2013. OllyDbg. Retrieved from http://www.ollydbg.de.Google Scholar
- Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. 2015. Using hardware features for increased debugging transparency. In Security and Privacy Symposium. Google ScholarDigital Library
Index Terms
- Handling Anti-Virtual Machine Techniques in Malicious Software
Recommendations
Anti-virtual machines and emulations
Virtual Machines are important infrastructural tools for malware analysis. They provide safe yet accurate way of evaluating real life behavior and impact of any executable code, thus providing a better understanding of obfuscated or non conventional ...
A BLP-Based Access Control Mechanism for the Virtual Machine System
ICYCS '08: Proceedings of the 2008 The 9th International Conference for Young Computer ScientistsThe virtual machine system such as Xen provides a security isolation between virtual machines (VM) running on the virtual machine monitor (VMM). With the wide application of the virtualization technology, VMM is expected to not only provide the simple ...
Hiding "real" machine from attackers and malware with a minimal virtual machine monitor
SecureComm '08: Proceedings of the 4th international conference on Security and privacy in communication netowrksWith security researchers relying on the virtual machine (VM) in their analysis work, malware has a significant stake in detecting the presence of a VM to avoid executing its vicious behavior. But hiding a VM from malware by building a transparent ...
Comments