BareBox: efficient malware analysis on bare-metal

Dhilung Kirat, G. Vigna, Christopher Krügel
DOI: 10.1145/2076732.2076790 (https://doi.org/10.1145/2076732.2076790)
Published: 2011-12-05
Venue (as listed): Asia-Pacific Computer Systems Architecture Conference
Citations: 93

Abstract

Present-day malware analysis techniques use both virtualized and emulated environments to analyze malware. The reason is that such environments provide isolation and system-restore capabilities, which facilitate automated analysis of malware samples. However, there exists a class of malware, called VM-aware malware, which is capable of detecting such environments and then hides its malicious behavior to foil the analysis. Because of the artifacts introduced by virtualization or emulation layers, it has always been and will always be possible for malware to detect virtual environments.

The definitive way to observe the actual behavior of VM-aware malware is to execute it in a system running on real hardware, which is called a "bare-metal" system. However, after each analysis, the system must be restored to the previous clean state. This is because running a malware program can leave the system in an unstable/insecure state and/or interfere with the results of a subsequent analysis run. Most of the available state-of-the-art system-restore solutions are based on disk restoring and require a system reboot. This results in significant downtime between analyses. Because of this limitation, efficient automation of malware analysis on bare-metal systems has been a challenge.

This paper presents the design, implementation, and evaluation of a malware analysis framework for bare-metal systems that is based on a fast and rebootless system-restore technique. Live system restore is accomplished by restoring the entire physical memory of the analysis operating system from another, small operating system that runs outside of the target OS. By using this technique, we were able to perform a rebootless restore of a live Windows system, running on commodity hardware, within four seconds. We also analyzed 42 malware samples from seven different malware families that are known to be "silent" in virtualized or emulated environments, and all of them showed their true malicious behavior within our bare-metal analysis environment.