Introlib: Efficient and transparent library call introspection for malware forensics

Proceedings of the Digital Forensic Research Conference, DFRWS 2012 USA

Volumn , Issue , 2012, Pages S13-S23

  Deng, Zhui ^a   Xu, Dongyan ^a   Zhang, Xiangyu ^a   Jiang, Xuxiang ^b  

^a Purdue University   (United States)

^b North Carolina State University   (United States)

Author keywords

Dynamic analysis; Library call introspection; Malware forensics; Performance; Virtualization

Indexed keywords

BENCHMARKING; DYNAMIC ANALYSIS; ELECTRONIC CRIME COUNTERMEASURES; MALWARE; SEMANTICS; VIRTUALIZATION;

BENCHMARK TESTING; DYNAMIC MALWARE ANALYSIS; HARDWARE VIRTUALIZATION; HIGH TRANSPARENCY; MALWARE BEHAVIORS; PERFORMANCE; RUNTIME BEHAVIORS; SEMANTIC INFORMATION;

COMPUTER FORENSICS;

EID: 84893222248     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1016/j.diin.2012.05.013     Document Type: Conference Paper

References (31)

1. Bayer U, Kruegel C, Kirda E. Ttanalyze: a tool for analyzing malware. In: 15th European Institute for Computer Antivirus Research (EICAR 2006) Annual Conference; 2006.
2. Chen X, Andersen J, Mao Z, Bailey M, Nazario J. Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: DSN’08. IEEE; 2008. p. 177–86.
3. Dinaburg A, Royal P, Sharif M, Lee W. Ether: malware analysis via hardware virtualization extensions. In: CCS’08. ACM; 2008. p. 51–62.
4. Ferrie P. Attacks on virtual machine emulators. Symantec Advanced Threat Research; 2006.
5. Ferrie P. Attacks on more virtual machine emulators. Symantec Technology Exchange; 2007.
6. Futuremark. Pcmark05. URL: http://www.futuremark.com/products/pcmark05/; 2012.
7. Garfinkel T, Rosenblum M. A virtual machine introspection based architecture for intrusion detection. In: NDSS’03; 2003.
8. Huang C. cproto. URL: http://sourceforge.net/projects/cproto/; 2012.
9. International Secure Systems Lab. Anubis: analyzing unknown binaries. URL: http://anubis.iseclab.org/; 2012.
10. Jiang X, Wang X. Out-of-the-box monitoring of vm-based high-interaction honeypots. In: RAID’07. Springer-Verlag; 2007. p. 198–218.
11. Jibz, Qwerton, snaker, xineohP. Peid. URL: http://www.peid.info/; 2012.
12. Kang M, Yin H, Hanna S, McCamant S, Song D. Emulating emulation-resistant malware. In: Proceedings of the 1st ACM workshop on virtual machine security. ACM; 2009. p. 11–22.
13. Kaspersky Lab. Av vs fakeav. URL, http://habrahabr.ru/company/kaspersky/blog/133621/; 2012.
14. Microsoft. Microsoft portable executable and common object file format specification; 2010.
15. Moser A, Kruegel C, Kirda E. Limits of static analysis for malware detection. In: ACSAC’07. IEEE; 2007. p. 421–30.
16. Nguyen A, Schear N, Jung H, Godiyal A, King S, Nguyen H. Mavmm: lightweight and purpose built vmm for malware analysis. In: ACSAC’09. IEEE; 2009. p. 441–50.
17. Norman. Norman sandbox. URL: http://www.norman.com/about_norman/technology/norman_sandbox/; 2012.
18. Ptacek T. Side-channel detection attacks against unauthorized hypervisors. URL: http://www.securityfocus.com/blogs/253; 2012.
19. Raffetseder T, Kruegel C, Kirda E. Detecting system emulators. Information Security; 2007:1–18.
20. Riley R, Jiang X, Xu D. Guest-transparent prevention of kernel rootkits with vmm-based memory shadowing. In: RAID’08. Springer; 2008. p. 1–20.
21. Rodionov E, Matrosov A. The evolution of tdl: conquering x64. URL: http://go.eset.com/us/resources/white-papers/The_Evolution_of_TDL. pdf; 2012.
22. Royal P. Alternative medicine: the malware analysts blue pill. USA: Black Hat; 2008.
23. Seshadri A, Luk M, Qu N, Perrig A. Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In: ACM SIGOPS Operating Systems Review, vol. 41. ACM; 2007. p. 335–50.
24. Shinagawa T, Eiraku H, Tanimoto K, Omote K, Hasegawa S, Horie T, et al. Bitvisor: a thin hypervisor for enforcing i/o device security. In: VEE’09. ACM; 2009. p. 121–30.
25. Silicon Realms. Armadillo. URL: http://www.siliconrealms.com/armadillo. php; 2012.
26. Srivastava A, Giffin J. Efficient monitoring of untrusted kernel-mode execution. In: NDSS’11; 2011.
27. TIS Committee. Tool interface standard (tis) executable and linking format (elf) specification version 1.2; 1995.
28. Wang Z, Jiang X, Cui W, Ning P. Countering kernel rootkits with lightweight hook protection. In: CCS’09. ACM; 2009. p. 545–54.
29. Wikipedia. Pentium fdiv bug. URL: http://en.wikipedia.org/wiki/Pentium_ FDIV_bug; 2012.
30. Willems C, Holz T, Freiling F. Toward automated dynamic malware analysis using cwsandbox. IEEE Security & Privacy; 2007: 32–9.
31. Yan L, Jayachandra M, Zhang M, Yin H. V2e: combing hardware virtualization and software emulation for transparent and extensible malware analysis. In: VEE’12. ACM; 2012. to appear.