
Journal in Computer Virology, Volume 6, Issue 3, pp 181–195

Measuring virtual machine detection in malware using DSD tracer

  • Boris Lau
  • Vanja Svajcer
EICAR 2008 extended version

Abstract

Most methods for detecting that a process is running inside a virtual environment such as VMware or Microsoft Virtual PC are well known, and the paper briefly discusses the most common methods measured during the research. The main subject of the paper is the measurement of actual usage of virtual machine detection methods in current malware. The measurements are conducted over a representative set of malicious files, with special regard to packer code. The results are broken down by malware category, family and various commercial and non-commercial packers, and are presented in graphical and tabular form. The extent of the virtual machine detection problem is estimated from these results. The research uses DSD Tracer, a dynamic-static tracing system based on an instrumented Bochs virtual machine. The system produces traces of execution that can be scripted, or used as a basis for disassembly/emulation in IDA Pro when combined with a customised version of IDAEmul (emulator). The paper gives an overview of the design and usage of DSD Tracer.
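The measurement the abstract describes, a scripted pass over execution traces that tallies well-known VM-detection idioms per sample, as an added Python example. This is not the authors' DSD Tracer code: the one-instruction-per-line trace format, the constructed sample traces and the technique labels are assumptions made here. It flags the descriptor-table reads used by Red Pill (SIDT, with SGDT/SLDT/STR as siblings) and the VMware backdoor sequence (EAX = 'VMXh', DX = 0x5658, then IN EAX, DX), counts CPUID alone only as a weak signal, and deliberately does not flag a bare IN EAX, DX, so ordinary port I/O does not become a false positive:

```python
"""Tally well-known VM-detection idioms in execution traces, per sample.

Added example, not the authors' DSD Tracer code. Trace format is an assumption:
one executed instruction per line, "ADDRESS MNEMONIC OPERANDS". Samples are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Descriptor-table and task-register reads leak guest layout to ring 3.
# Red Pill (Rutkowska) is the SIDT variant; SGDT, SLDT and STR follow the same idea.
DESCRIPTOR_TABLE_OPS = {"sidt": "sidt (Red Pill)", "sgdt": "sgdt", "sldt": "sldt", "str": "str"}

VMWARE_MAGIC = 0x564D5868  # 'VMXh' in EAX selects the VMware backdoor
VMWARE_PORT = 0x5658       # 'VX' in DX; IN EAX, DX then reaches the hypervisor
VMWARE_LABEL = "vmware backdoor (in eax,dx with VMXh/0x5658)"
CPUID_LABEL = "cpuid (weak indicator)"

LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+([A-Za-z]\w*)\s*(.*)$")


def parse_trace(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Parse lines into (address, mnemonic, normalised operands); skip unparseable lines."""
    insns = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ops = re.sub(r"\s+", " ", m.group(3)).strip().lower()
            insns.append((int(m.group(1), 16), m.group(2).lower(), ops))
    return insns


def _loads_imm(ops: str, reg: str, value: int) -> bool:
    """True if operands are exactly '<reg>, <imm>' and the immediate equals value."""
    m = re.fullmatch(rf"{reg}, (0x[0-9a-f]+|\d+)", ops)
    return m is not None and int(m.group(1), 0) == value


def find_vm_checks(lines: List[str], window: int = 8) -> List[Tuple[int, str]]:
    """Return (address, technique) for each VM-detection idiom in one trace."""
    insns = parse_trace(lines)
    hits = []
    for i, (addr, mn, ops) in enumerate(insns):
        if mn in DESCRIPTOR_TABLE_OPS:
            hits.append((addr, DESCRIPTOR_TABLE_OPS[mn]))
        elif mn == "cpuid":
            hits.append((addr, CPUID_LABEL))  # ubiquitous in benign code, so weak
        elif mn == "in" and ops == "eax, dx":
            # A bare IN EAX, DX is ordinary port I/O; only the VMXh/0x5658 set-up
            # shortly before it makes this a VMware check rather than a false positive.
            recent = insns[max(0, i - window):i]
            saw_magic = any(m2 == "mov" and _loads_imm(o2, "eax", VMWARE_MAGIC) for _, m2, o2 in recent)
            saw_port = any(m2 == "mov" and (_loads_imm(o2, "dx", VMWARE_PORT) or _loads_imm(o2, "edx", VMWARE_PORT))
                           for _, m2, o2 in recent)
            if saw_magic and saw_port:
                hits.append((addr, VMWARE_LABEL))
    return hits


def measure(samples: Dict[str, List[str]]) -> Dict[str, Counter]:
    """Technique counts per sample: the raw material for a per-family/per-packer breakdown."""
    return {name: Counter(t for _, t in find_vm_checks(trace)) for name, trace in samples.items()}


def strong_indicator_rate(results: Dict[str, Counter]) -> Tuple[int, int]:
    """(samples with at least one non-weak indicator, total samples)."""
    strong = sum(1 for c in results.values() if any("weak" not in t for t in c))
    return strong, len(results)


# Constructed traces for demonstration only.
SAMPLES: Dict[str, List[str]] = {
    "redpill_packed": [
        "00401000 sub esp, 8",
        "00401003 sidt fword ptr [esp]",
        "00401007 mov eax, [esp+2]",
        "0040100b cmp eax, 0xd0000000",
    ],
    "vmware_backdoor": [
        "00402000 mov eax, 0x564d5868",
        "00402005 mov ecx, 0xa",
        "0040200a mov dx, 0x5658",
        "0040200e in eax, dx",
        "0040200f cmp ebx, 0x564d5868",
    ],
    "cpuid_only": ["00403000 mov eax, 1", "00403005 cpuid"],
    "plain_io": ["00404000 mov dx, 0x3f8", "00404004 in eax, dx"],
}

if __name__ == "__main__":
    results = measure(SAMPLES)
    for name, counts in results.items():
        print(f"{name:16s} {dict(counts)}")
    print("samples with a strong VM-detection indicator: %d/%d" % strong_indicator_rate(results))
```

Running the script prints the per-sample tallies and the fraction of samples carrying a strong indicator (2 of the 4 constructed traces). The `window` argument bounds how far back the scanner looks for the VMware register set-up; a packer that interleaves junk instructions between the loads and the `IN` would need it widened, which is also where false positives start to creep in.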

Copyright information

© Springer-Verlag France 2008

Authors and Affiliations

SophosLabs, Sophos Plc, The Pentagon, Abingdon, UK