nEther: in-guest detection of out-of-the-guest malware analyzers

European Workshop on System Security Pub Date : 2011-04-10 DOI:10.1145/1972551.1972554

Gábor Pék, B. Bencsáth, L. Buttyán

{"title":"nEther: in-guest detection of out-of-the-guest malware analyzers","authors":"Gábor Pék, B. Bencsáth, L. Buttyán","doi":"10.1145/1972551.1972554","DOIUrl":null,"url":null,"abstract":"Malware analysis can be an efficient way to combat malicious code, however, miscreants are constructing heavily armoured samples in order to stymie the observation of their artefacts. Security practitioners make heavy use of various virtualization techniques to create sandboxing environments that provide a certain level of isolation between the host and the code being analysed. However, most of these are easy to be detected and evaded. The introduction of hardware assisted virtualization (Intel VT and AMD-V) made the creation of novel, out-of-the-guest malware analysis platforms possible. These allow for a high level of transparency by residing completely outside the guest operating system being examined, thus conventional in-memory detection scans are ineffective. Furthermore, such analyzers resolve the shortcomings that stem from inaccurate system emulation, in-guest timings, privileged operations and so on.\n In this paper, we introduce novel approaches that make the detection of hardware assisted virtualization platforms and out-of-the-guest malware analysis frameworks possible. To demonstrate our concepts, we implemented an application framework called nEther that is capable of detecting the out-of-the-guest malware analysis framework Ether [6].","PeriodicalId":302603,"journal":{"name":"European Workshop on System Security","volume":"30 7","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-04-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"71","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"European Workshop on System Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1972551.1972554","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 71

Abstract

Malware analysis can be an efficient way to combat malicious code, however, miscreants are constructing heavily armoured samples in order to stymie the observation of their artefacts. Security practitioners make heavy use of various virtualization techniques to create sandboxing environments that provide a certain level of isolation between the host and the code being analysed. However, most of these are easy to be detected and evaded. The introduction of hardware assisted virtualization (Intel VT and AMD-V) made the creation of novel, out-of-the-guest malware analysis platforms possible. These allow for a high level of transparency by residing completely outside the guest operating system being examined, thus conventional in-memory detection scans are ineffective. Furthermore, such analyzers resolve the shortcomings that stem from inaccurate system emulation, in-guest timings, privileged operations and so on. In this paper, we introduce novel approaches that make the detection of hardware assisted virtualization platforms and out-of-the-guest malware analysis frameworks possible. To demonstrate our concepts, we implemented an application framework called nEther that is capable of detecting the out-of-the-guest malware analysis framework Ether [6].

查看原文本刊更多论文

nEther: guest内检测guest外恶意软件分析程序

恶意软件分析可以是对抗恶意代码的有效方法，然而，不法分子正在构建全副武装的样本，以阻碍对其工件的观察。安全从业人员大量使用各种虚拟化技术来创建沙箱环境，在主机和被分析的代码之间提供一定程度的隔离。然而，其中大多数很容易被发现和规避。硬件辅助虚拟化(Intel VT和AMD-V)的引入使得创建新颖的客户端外恶意软件分析平台成为可能。它们完全驻留在被检查的客户操作系统之外，从而实现了高度的透明性，因此传统的内存检测扫描是无效的。此外，这种分析器解决了由于不准确的系统仿真、来宾计时、特权操作等而产生的缺点。在本文中，我们介绍了新的方法，使检测硬件辅助虚拟化平台和客户端外恶意软件分析框架成为可能。为了演示我们的概念，我们实现了一个名为nEther的应用程序框架，它能够检测出客外恶意软件分析框架Ether[6]。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

European Workshop on System Security

自引率

0.00%

发文量