DOI: 10.1145/3297280.3297490
research-article

Design and implementation of emulab-based malware analysis service through EmuLiB

Published: 08 April 2019

Abstract

As much malware adopts evasion techniques, virtual machines become less trustworthy for malware analysis. Analysts can avoid the problem by using real machines, but then the original issues, such as hardware management, return. As an alternative, we developed an Emulab-based malware analysis service and a programming library that turn Emulab, a research framework built on real machines, into a malware analysis infrastructure, so that researchers can conveniently test malware on real machines. Experiments showed that our system successfully automated analysis setup and pre- and post-processing, reducing user interaction overhead by 81 percent.
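To make the evasion problem in the abstract concrete, the following is an added example written for this page (it is not code from the paper, from EmuLiB or from Emulab). It performs the most basic anti-VM check that evasive malware uses before deciding whether to run its real payload: CPUID leaf 1 ECX bit 31 ("hypervisor present") and the 12-byte vendor signature in leaf 0x40000000. The vendor table and the sample register values used in the test are constructed for illustration and are not exhaustive; the live probe is x86-only and reports "unavailable" on other architectures.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* CPUID leaf 1: ECX bit 31 is reserved by Intel/AMD for hypervisor use and
 * is set by most VMMs to announce their presence to the guest. */
int hypervisor_bit_set(uint32_t ecx)
{
    return (ecx >> 31) & 1u;
}

/* CPUID leaf 0x40000000: EBX, ECX, EDX carry a 12-byte vendor signature,
 * low byte of EBX first. Decodes it into out (13 bytes, NUL-terminated). */
void decode_hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xffu);
    out[12] = '\0';
}

/* Map well-known signatures to a product name. This table is a constructed,
 * non-exhaustive list of commonly documented values (assumption, not from the paper). */
const char *classify_hv(const char *sig)
{
    static const struct { const char *sig; const char *name; } known[] = {
        { "VMwareVMware", "VMware" },
        { "KVMKVMKVM",    "KVM" },
        { "Microsoft Hv", "Hyper-V" },
        { "VBoxVBoxVBox", "VirtualBox" },
        { "XenVMMXenVMM", "Xen" },
    };
    for (size_t k = 0; k < sizeof known / sizeof known[0]; k++)
        if (strncmp(sig, known[k].sig, strlen(known[k].sig)) == 0)
            return known[k].name;
    return "unknown";
}

/* Live probe of the machine the program runs on.
 * Returns 1 if a hypervisor announces itself, 0 if not, -1 if CPUID is unavailable. */
int probe_hypervisor(char vendor[13])
{
    vendor[0] = '\0';
#if HAVE_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    if (!hypervisor_bit_set(ecx))
        return 0;
    /* Leaf 0x40000000 lies outside the basic range that __get_cpuid validates,
     * so issue the instruction directly. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    decode_hv_vendor(ebx, ecx, edx, vendor);
    return 1;
#else
    return -1;
#endif
}

int main(void)
{
    char vendor[13];
    int r = probe_hypervisor(vendor);
    if (r < 0)
        puts("cpuid not available on this architecture");
    else if (r == 0)
        puts("no hypervisor bit: bare metal, or a VMM that masks the bit");
    else
        printf("hypervisor bit set, vendor signature \"%s\" (%s)\n",
               vendor, classify_hv(vendor));
    return 0;
}
```

Build with `cc -O2 -o probe probe.c` and run it once on a sandbox VM and once on a lab machine to see the two outcomes. The caveat cuts both ways: a VMM can clear the bit and spoof the signature, so a "bare metal" answer from this check alone is not proof, and real samples combine it with timing, device-name and driver checks that are far harder to hide. Hiding all of them reliably is what makes VM transparency so difficult, and it is the reason the service described here runs samples on physical Emulab nodes instead.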



Published In

cover image ACM Conferences
SAC '19: Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing
April 2019
2682 pages
ISBN:9781450359337
DOI:10.1145/3297280
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Emulab
  2. anti-analysis
  3. evasive malware
  4. malware analysis
  5. virtualization

Qualifiers

  • Research-article

Funding Sources

  • Korea government (MSIT)

Conference

SAC '19

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%
