BareBox: Efficient malware analysis on bare-metal

ACM International Conference Proceeding Series

Volumn , Issue , 2011, Pages 403-412

  Kirat, Dhilung ^a   Vigna, Giovanni ^a   Kruegel, Christopher ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Bare metal; Dynamic malware analysis; System restore; VM aware

Indexed keywords

AUTOMATED ANALYSIS; COMMODITY HARDWARE; MALICIOUS BEHAVIOR; MALWARE ANALYSIS; MALWARES; PHYSICAL MEMORY; STATE-OF-THE-ART SYSTEM; SYSTEM RESTORE; VIRTUAL ENVIRONMENTS; VIRTUALIZATIONS; VM-AWARE; WINDOWS SYSTEM;

COMPUTER CRIME; COMPUTER HARDWARE; DYNAMIC ANALYSIS; METALS; RESTORATION; SECURITY OF DATA; SECURITY SYSTEMS; VIRTUAL REALITY;

METAL ANALYSIS;

EID: 84855669384     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2076732.2076790     Document Type: Conference Paper

References (27)

1. M. Labs, "Mcafee threats report: First quarter 2011," McAfee, Tech. Rep., 2011. [Online]. Available: https://secure.mcafee.com/us/resources/ reports/rpquarterly-threat-q1-2011.pdf
2. T. Raffetseder, C. Kruegel, and E. Kirda, "Detecting system emulators."
3. P. Ferrie, "Attacks on virtual machine emulators," Symantec Corporation, Tech. Rep., 2007.
4. G. Pék, B. Bencsáth, and L. Buttyán, "nether: in-guest detection of out-of-the-guest malware analyzers," in Proceedings of the Fourth European Workshop on System Security, ser. EUROSEC '11. New York, NY, USA: ACM, 2011, pp. 3:1-3:6.
5. J. Rutkowska, "Red pill... or how to detect vmm using (almost) one cpu instruction," 2004. [Online]. Available: http://invisiblethings.org/ papers/redpill.html
6. A. Dinaburg, P. Royal, M. Sharif, and W. Lee, "Ether: malware analysis via hardware virtualization extensions," in Proceedings of the 15th ACM conference on Computer and communications security, ser. CCS '08. New York, NY, USA: ACM, 2008, pp. 51-62.
7. P. Royal, "Alternative medicine: The malware analyst's blue pill," Aug 2008.
8. T. Garfinkel, K. Adams, A. Warfield, and J. Franklin, "Compatibility is Not Transparency: VMM Detection Myths and Realities," in Proceedings of the 11th Workshop on Hot Topics in Operating Systems (HotOS-XI), May 2007.
9. "Qwmu open source processor emulator." [Online]. Available: http://wiki.qemu.org/
10. "Anubis: Analyzing unknown binaries." [Online]. Available: http://anubis.iseclab.org/
11. R. Paleari, L. Martignoni, G. Fresi Roglia, and D. Bruschi, "A fistful of red-pills: How to automatically generate procedures to detect CPU emulators," in Proceedings of the 3rd USENIX Workshop on Offensive Technologies (WOOT). Montreal, Canada: ACM.
12. D. Balzarotti, M. Cova, C. Karlberger, C. Kruegel, E. Kirda, and G. Vigna, "Efficient Detection of Split Personalities in Malware," in Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2010.
13. M. G. Kang, H. Yin, S. Hanna, S. McCamant, and D. Song, "Emulating emulation-resistant malware," EECS Department, University of California, Berkeley, Tech. Rep., May 2009.
14. B. Lau and V. Svajcer, "Measuring virtual machine detection in malware using dsd tracer," Journal in Computer Virology, vol. 6, pp. 181-195, 2010, 10.1007/s11416-008-0096-y.
15. "Juzt-reboot." [Online]. Available: http://www.juzt-reboot.com/
16. "Partimage." [Online]. Available: http://www.partimage.org/
17. R. Hund, T. Holz, and F. C. Freiling, "Return-oriented rootkits: bypassing kernel code integrity protection mechanisms," in Proceedings of the 18th conference on USENIX security symposium, ser. SSYM'09. Berkeley, CA, USA: USENIX Association, 2009, pp. 383-398.
18. "Intel®64 and ia-32 architectures software developer's manual." [Online]. Available: http://www.intel.com/Assets/PDF/manual/ 325384.pdf
19. "Fast memory copy." [Online]. Available: http://now.cs. berkeley.edu/Td/bcopy.html
20. X. Jiang, X. Wang, and D. Xu, "Stealthy malware detection and monitoring through vmm-based "out-of-the-box" semantic view reconstruction," ACM Trans. Inf. Syst. Secur., vol. 13, pp. 12:1-12:28, March 2010.
21. X. Chen, J. Andersen, Z. M. Mao, M. Bailey, and J. Nazario, "Towards an Understanding of Anti-Virtualization and Anti-Debugging Behavior in Modern Malware," in Proceedings of the 38th Annual IEEE International Conference on Dependable Systems and Networks (DSN '08), Anchorage, Alaska, USA, June 2008, pp. 177-186.
22. N. Xiong, Y. Zhou, H. Liu, and Y. Zhang, "Avmm: Virtualize client with a bare-metal and asymmetric partitioning approach," Submitted, ICC 2011, Tech. Rep., 2011.
23. A. Depoutovitch and M. Stumm, "Otherworld: givingapplications a chance to survive os kernel crashes," in EuroSys, 2010, pp. 181-194.
24. K. Kourai, "Cachemind: Fast performance recovery using a virtual machine monitor," in Dependable Systems and Networks Workshops (DSN-W), 2010 International Conference on, 28 2010-july 1 2010, pp. 86-92.
25. -, "Fast and correct performance recovery of operating systems using a virtual machine monitor," in Proceedings of the 7th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, ser. VEE '11. New York, NY, USA: ACM, 2011, pp. 99-110.
26. M. Baker and M. Sullivan, "The recovery box: Using fast recovery to provide high availability in the unix environment," in In Proceedings USENIX Summer Conference, 1992, pp. 31-43.
27. "Norman sandbox analyzer." [Online]. Available: http://www.norman.com/products/sandbox analyzer/en