MAVMM: Lightweight and purpose built VMM for malware analysis

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn , Issue , 2009, Pages 441-450

  Nguyen, Anh M ^a   Schear, Nabil ^a   Jung, HeeDong ^a   Godiyal, Apeksha ^a   King, Samuel T ^a   Nguyen, Hai D ^b  

^a University of Illinois at Urbana Champaign   (United States)

^b HANOI UNIVERSITY OF SCIENCE AND TECHNOLOGY   (Viet Nam)

Author keywords

Malware analysis; Security; Virtual machine monitors

Indexed keywords

ART ANALYSIS; DETECTABILITY; DETECTION TECHNIQUE; GENERAL PURPOSE; MALICIOUS SOFTWARE; MALWARES; VIRTUAL DEVICES; VIRTUAL MACHINE MONITORS; VIRTUALIZATIONS; VULNERABLE SYSTEMS;

COMPUTER SOFTWARE; FEATURE EXTRACTION; SECURITY OF DATA;

COMPUTER CRIME;

EID: 77950831023     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ACSAC.2009.48     Document Type: Conference Paper

References (51)

1. Clam antivirus. http://www.clamav.net/.
2. Vx heavens. http://vx.netlux.org/.
3. Advanced Micro Devices. AMD64 Architecture Programmer's Manual Volume2: System Programming, 3.14 edition, Sep 2007.
4. P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In ACM Symposium on Operating Systems Principles, 2003.
5. V. Basili and B. T. Perricone. Software errors and complexity: an empirical investigation, 1993.
6. D. P. Bovet and M. Cesati. Understanding the linux kernel. Number ISBN : 0-596-00213-0. O'Reilly, décembre 2003.
7. E. Chickowski. Webroot: 40 percent of companies report disruptions due to malware. SC Magazine, Mar 2007.
8. G. Combs. Wireshark 1.0.6: A Network Protocol Analyzer for Windows and Unix. http://www.wireshark.org/.
9. W. Davis. Adware Firms Up The Ante On Anti-Spyware. Online Media Daily, Mar 2005.
10. A. Dinaburg, P. Royal, M. I. Sharif, and W. Lee. Ether: malware analysis via hardware virtualization extensions. In ACM Conference on Computer and Communications Security, 2008.
11. C. Economics. 2007 Malware Report: The Economic Impact of Viruses, Spyware, Adware, Botnests and Other Malicious Code. Tech. Rep., Jun 2007.
12. F-Secure. Agobot virus description. www.f-secure.com/v-descs/agobot. shtml.
13. P. Ferrie. Attacks on virtual machine emulators, Jan 2007.
14. J. Franklin, M. Luk, J. M. McCune, A. Seshadri, A. Perrig, and L. V. Doorn. Remote detection of virtual machine monitors with fuzzy benchmarking. ACM SIGOPS Operating System Review Special Edition on Computer Forensics, 42(3):83-92, Apr 2008.
15. M. Franz. Information-flow aware virtual machines: Foundations for trustworthy computing. Conference For Homeland Security, Cybersecurity Applications and Technology, 0:91-96, 2009.
16. K. Fraser. x86: Update xen-detect utility to scan for Xen signature in CPUID space, Dec 2008. xen-unstable mailing list.
17. T. Garfinkel, K. Adams, A. Warfield, and J. Franklin. Compatibility is Not Transparency: VMM Detection Myths and Realities. In Usenix Workshop on Hot Topics in Operating Systems (HotOS-XI), May 2007.
18. T. Garfinkel and M. Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In ISOC Network and Distributed Systems Security Symposium, Feb 2003.
19. T. Holz and F. Raynal. Detecting honeypots and other suspicious environments. IEEE Systems, Man and Cybernetics (SMC) Information Assurance Workshop, 2005.
20. Q. Inc. KVM - Kernel-based Virtualiztion Machine.
21. Intel. Intel 64 and IA-32 Architectures Software Developer's Manual Volume 3B: System Programming Guide, Mar 2009.
22. X. Jiang, X. Wang, and D. Xu. Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction. In ACM conference on Computer and communications security, 2007.
23. X. Jiang, D. Xu, H. Wang, and E. Spafford. Virtual playgrounds for worm behavior investigation. In International Symposium on Recent Advances in Intrusion Detection, 2005.
24. S. T. Jones, A. C. Arpaci-Dusseau, and R. H. Arpaci-Dusseau. Antfarm: tracking processes in a virtual machine environment. In USENIX Annual Technical Conference, 2006.
25. K. Kaneda. Tiny Virtual Machine Monitor. http://web.yl.is.s.u-tokyo.ac. jp/~kaneda/tvmm/.
26. M. G. Kang, P. Poosankam, and H. Yin. Renovo: A Hidden Code Extractor for Packed Executables. In ACM Workshop on Recurring Malcode (WORM'7), October 2007.
27. S. King and P. Chen. Subvirt: Implementing malware with virtual machines. IEEE Symposium on Security and Privacy, May 2006.
28. K. Kourai and S. Chiba. Hyperspector: virtual distributed monitoring environments for secure intrusion detection. In ACM/USENIX international conference on Virtual Execution Environments, 2005.
29. T. Liston and E. Skoudis. On the cutting edge: Thwarting virtual machine detection, Jul 2006.
30. Y. min Wang, Y. min Wang, D. Beck, D. Beck, X. Jiang, X. Jiang, R. Roussev, and R. Roussev. Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In NDSS, 2006.
31. T. J. Ostrand and E. J. Weyuker. The distribution of faults in a large industrial software system. In ACM SIGSOFT international symposium on Software testing and analysis, 2002.
32. N. Provos and T. Holz. Virtual honeypots: from botnet tracking to intrusion detection. Addison-Wesley Professional, 2007.
33. T. Raffetseder, C. Krügel, and E. Kirda. Detecting system emulators. In ISC, 2007.
34. J. Rutkowska. Red Pill... or how to detect VMM using (almost) one CPU instruction. http://www.invisiblethings.org/papers/redpill.html.
35. J. Rutkowska and A. Tereshkin. IsGameOver() Anyone?, May 2007. http://bluepillproject.org/stuff/IsGameOver.ppt.
36. D. SA/NV. IDA Pro Disassembler and Debugger. http://www.hex-rays.com/ idapro/.
37. Secunia. Vulnerability Report: VMware ESX Server 3.x. http://secunia.com/advisories/product/10757/.
38. Secunia. Vulnerability Report: VMwareWorkstation 6.x. http://secunia.com/advisories/product/10757/.
39. Secunia. Vulnerability Report: Xen 3.x. http://secunia.com/advisories/ product/15863.
40. A. Seshadri, M. Luk, N. Qu, and A. Perrig. Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In SOSP '07, 2007.
41. V. Smith and D. Quist. Further Down the VM Spiral, Aug 2006. www.offensivecomputing.net/dc14/furthur-down-the-vm-spiral.pdf.
42. V. Smith and D. Quist. Hacking Malware: Offense is the new Defense. Defcon, 14, Aug 2006.
43. V. Smith and D. Quist. Covert Debugging: Circumventing Software Armoring. Blackhat Las Vegas, Aug 2007.
44. D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. Newsome, P. Poosankam, and P. Saxena. BitBlaze: A new approach to computer security via binary analysis. In International Conference on Information Systems Security, Dec 2008.
45. J. Sugerman, G. Venkitachalam, and B.-H. Lim. Virtualizing I/O Devices on VMware Workstation's Hosted Virtual Machine Monitor. In USENIX Annual Technical Conference, 2001.
46. M. Vrable, J. Ma, J. Chen, D. Moore, E. Vandekieft, A. C. Snoeren, G. M. Voelker, and S. Savage. Scalability, fidelity, and containment in the potemkin virtual honeyfarm. SIGOPS Oper. Syst. Rev., 39(5):148-162, 2005.
47. R. Wojtczuk. Adventures with a certain Xen vulnerability(in the PVFB backend), Oct 2008.
48. O. Yuschuk. Ollydbg. http://www.ollydbg.de/.
49. B. Zdrnja. E-cards dont like virtual environments, Jul 2007. http://isc.sans.org/diary.html?storyid=3190.
50. B. Zdrnja. More tricks from Conficker and VM detection, Feb 2009. http://isc.sans.org/diary.html?storyid=5842.
51. L. Zeltser. Using VMware for Malware Analysis. SearchSecurity.com, May 2007.