Ether: Malware analysis via hardware virtualization extensions

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2008, Pages 51-62

  Dinaburg, Artem ^a,b   Royal, Paul ^a,b   Shari, Monirul ^a,b   Lee, Wenke ^a,b  

^a GEORGIA INSTITUTE OF TECHNOLOGY   (United States)

^b Damballa Inc   (United States)

Author keywords

Dynamic analysis; Emu lation; Malware analysis; Unpacking; Virtualization

Indexed keywords

DETECTION SYSTEM; EMU-LATION; FOCAL POINTS; MALWARE ANALYSIS; MALWARES; NOVEL APPLICATIONS; OPERATING SYSTEMS; RUNTIMES; SECURITY THREATS; SIDE EFFECT; SOFTWARE COMPONENT; SYSTEM EMULATION; TECHNIQUES USED; UNPACKING; VIRTUALIZATION; VIRTUALIZATIONS;

COMPUTER HARDWARE; COMPUTER OPERATING SYSTEMS; DYNAMIC ANALYSIS; ETHERS; ORGANIC COMPOUNDS;

COMPUTER CRIME;

EID: 70349240080     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1455770.1455779     Document Type: Conference Paper

References (48)

1. Anubis: Analyzing Unknown Binaries. http://anubis.seclab.tuwien.ac.at.
2. Armadillo, http://www.siliconrealms.com.
3. BitBlaze Binary Analysis Platform. http://bitblaze.cs.berkeley.edu.
4. DYNINST API. http://www.dyninst.org.
5. FileMon for Windows. http://technet.microsoft ,com/en-us/sysinternals/ bb896642.aspx.
6. Intel Virtualization Technology. http://www.intel.com/technology/ virtualization.
7. PEiD. http://www.peid.info.
8. PEiDSO. http://handlers.sans.org/jclausing/userdb.txt.
9. RegMon for Windows. http://technet.microsoft .com/en-us/sysinternals/ bb896652.aspx.
10. Themida. http://www.oreans.com/themida.php.
11. VirtualPC. http://www.microsoft.com/windows/ products/winfamily/ virtualpc/.
12. VMWare. http://www.vmware.com.
13. Norman Sandbox Whitepaper.http://www.norman.com/documents/wp-sandbox.pdf, 2003.
14. AMD64 Architecture Programmer's Manual, Volume 2: Sj'stem Programming, 2007.
15. TEMU: The BitBlaze Dynamic Analysis Component. http://bitblaze.cs. berkeley.edu/temu.html, 2007.
16. P. Bacher, T. Holz, M. Kotter, and G. Wicherski. Know your enemy: Tracking botnets. http://www.honeynet.org/papers/bots, 2005.
17. M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian, and J. Nazario. Automated Classification and Analysis of Internet Malware. In RAID, 2007.
18. P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the Art of Virtualization. In SOSP. pages 164-177, 2003.
19. U. Bayer, C. Kruegel, and E. Kirda. TTanalyze: A Tool for Analyzing Malware. In EICAR, pages 180-192, 2006.
20. F. Bellard. QEMU, a Fast and Portable Dynamic Translator. In ATEC, pages 41-41, 2005.
21. M. Bishop. Computer Security: Art and Science. Addison-Wesley Professional, 2003.
22. K. Borders, X. Zhao, and A. Prakash. Siren: Catching Evasive Malware (Short Paper). In S&P (Oakland), pages 78-85, 2006.
23. J. Caballero, H. Yin, Z. Liang, and D. Song. Polyglot: Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis. In CCS, 2007.
24. M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant. Semantics-Aware Malware Detection. In S&P (Oakland), pages 32-46, 2005.
25. M. Christodorescu, C. Kruegel, and S. Jha. Mining Specifications of Malicious Behavior. In ESEC/FSE, pages 5-14, 2007.
26. P. Ferrie. Attacks on Virtual Machine Emulators. Symantec Advanced Threat Research, 2006.
27. P. Ferrie. Attacks on More Virtual Machines. http://pferrie.tripod.com/ papers/attacks2.pdf, 2007.
28. T. Garfinkel and M. Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In NDSS, 2003.
29. G. Hunt and D. Brubacher. Detours: Binary Interception of Win32 Functions. In WINSYM, pages 135-143, 1999.
30. X. Jiang, X. Wang, and D. Xu. Stealthy Malware Detection Through VMM-Based "Out-of-the-Box" Semantic View Reconstruction. In CCS, pages 128-138, 2007.
31. X. Jiang, D. Xu, H. J. Wang, and E. H. Spafford. Virtual Playgrounds for Worm Behavior Investigation. In RAID, pages 1-21, 2005.
32. M. G. Kang, P. Poosankam. and H. Yin. Renovo: A Hidden Code Extractor for Packed Executables. In WORM, 2007.
33. C. Kruegel, W. Robertson, and G. Vigna. Detecting Kernel-Level Rootkits Through Binary Analysis. In ACSAC, pages 91-100, 2004.
34. L. Martignoni, M. Christodorescu, and S. Jha. OmniUnpack: Fast, Generic, and Safe Unpacking of Malware. In ACSAC, pages 431-441, 2007.
35. F. Perigaud. New Pill? http://cert.lexsi.com/weblog/ index.php/2008/03/ 21/223-new-pill, 2008.
36. N. Provos and T. Holz. Virtual Honeypots: From, Botnet Tracking to Intrusion Detection. Addison-Wesley Professional, Reading, 2007.
37. T. Ptacek. Side-Channel Detection Attacks Against Unauthorized Hypervisors. http://www.matasano.com/log/930/side-channel- detection-attacks- against-unauthorized-hypervisors/, 2007.
38. D. Quist and Valsmith. Covert Debugging: Circumventing Software Armoring. In Black Hat USA, 2007.
39. T. Raffetseder, C. Kruegel, and E. Kirda. Detecting System Emulators. In ISC, pages 1-18, 2007.
40. P. Royal, M. Halpin, D. Dagon, R. Edmonds, and W. Lee. PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware. In ACSAC, pages 289-300, 2006.
41. M. Sipser. Introduction to the Theory of Computation. International Thomson Publishing, 1996.
42. P. Szor. The Art of Computer Virus Research and Defense. Addison-Wesley Professional, 2005.
43. A. Vasudevan and R. Yerraballi. Stealth Breakpoints. In ACS AC, pages 381-392, 2005.
44. A. Vasudevan and R. Yerraballi. Cobra: Fine-grained Malware Analysis using Stealth Localized-executions. In S&P (Oakland), pages 264-279, 2006.
45. C. Wang and S. Ju. The Dilemma of Covert Channels Searching. In ICISC, pages 169-174, 2005.
46. Y.-M. Wang, D. Beck, X. Jiang. R. Roussev, C. Verbowski, S. Chen, and S. T. King. Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities. In NDSS, 2006.
47. C. Willems, T. Holz, and F. Freiling. Toward Automated Dynamic Malware Analysis Using CWSandbox. IEEE Security and Privacy, 5(2), 2007.
48. H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda. Panorama: Capturing system-wide information flow for malware detection and analysis. In CCS. 2007.