Lightweight Examination of DLL Environments in Virtual Machines to Detect Malware

Proceedings of the 4th ACM International Workshop on Security in Cloud Computing Pub Date : 2016-05-30 DOI:10.1145/2898445.2898456

Xiongwei Xie, Weichao Wang

{"title":"Lightweight Examination of DLL Environments in Virtual Machines to Detect Malware","authors":"Xiongwei Xie, Weichao Wang","doi":"10.1145/2898445.2898456","DOIUrl":null,"url":null,"abstract":"Since it becomes increasingly difficult to trick end users to install and run executable files from unknown sources, attackers refer to stealthy ways such as manipulation of DLL (Dynamic Link Library) files to compromise user computers. In this paper, we propose to develop mechanisms that allow the hypervisor to conduct lightweight examination of DLL files and their running environment in guest virtual machines. Different from the approaches that focus on static analysis of the DLL API calling graphs, our mechanisms conduct continuous examination of their running states. In this way, malicious manipulations to DLL files that happen after they are loaded into memory can also be detected. In order to maintain non-intrusive monitoring and reduce the impacts on VM performance, we avoid examinations of the complete DLL file contents but focus on the parameters such as the relative virtual addresses (RVA) of the functions. We have implemented our approach in Xen and conducted experiments with more than 100 malware of different types. The experiment results show that our approach can effectively detect the malware with very low increases in overhead at guest VMs.","PeriodicalId":187535,"journal":{"name":"Proceedings of the 4th ACM International Workshop on Security in Cloud Computing","volume":"26 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-05-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 4th ACM International Workshop on Security in Cloud Computing","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2898445.2898456","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 6

Abstract

Since it becomes increasingly difficult to trick end users to install and run executable files from unknown sources, attackers refer to stealthy ways such as manipulation of DLL (Dynamic Link Library) files to compromise user computers. In this paper, we propose to develop mechanisms that allow the hypervisor to conduct lightweight examination of DLL files and their running environment in guest virtual machines. Different from the approaches that focus on static analysis of the DLL API calling graphs, our mechanisms conduct continuous examination of their running states. In this way, malicious manipulations to DLL files that happen after they are loaded into memory can also be detected. In order to maintain non-intrusive monitoring and reduce the impacts on VM performance, we avoid examinations of the complete DLL file contents but focus on the parameters such as the relative virtual addresses (RVA) of the functions. We have implemented our approach in Xen and conducted experiments with more than 100 malware of different types. The experiment results show that our approach can effectively detect the malware with very low increases in overhead at guest VMs.

查看原文本刊更多论文

在虚拟机中检测恶意软件的DLL环境的轻量级检查

由于欺骗最终用户安装和运行来自未知来源的可执行文件变得越来越困难，攻击者采用诸如操纵动态链接库(DLL)文件之类的隐蔽方法来危害用户计算机。在本文中，我们建议开发一种机制，允许管理程序对客户虚拟机中的DLL文件及其运行环境进行轻量级检查。与专注于静态分析DLL API调用图的方法不同，我们的机制对其运行状态进行连续检查。通过这种方式，还可以检测到在DLL文件加载到内存后发生的恶意操作。为了保持非侵入式监控并减少对VM性能的影响，我们避免检查完整的DLL文件内容，而是关注函数的相对虚拟地址(RVA)等参数。我们已经在Xen中实现了我们的方法，并对100多种不同类型的恶意软件进行了实验。实验结果表明，我们的方法可以有效地检测恶意软件，并且来宾虚拟机的开销增加很小。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 4th ACM International Workshop on Security in Cloud Computing

自引率

0.00%

发文量