Journal in Computer Virology

, Volume 7, Issue 2, pp 121–131 | Cite as

Improving antivirus accuracy with hypervisor assisted analysis

  • Daniel Quist
  • Lorie Liebrock
  • Joshua Neil
Original Paper


Modern malware protection systems bring an especially difficult problem to antivirus scanners. Simple obfuscation methods can diminish the effectiveness of a scanner significantly, often times rendering them completely ineffective. This paper outlines the usage of a hypervisor based deobfuscation engine that greatly improves the effectiveness of existing scanning engines. We have modified the Ether malware analysis framework to add the following features to deobfuscation: section and header rebuilding and automated kernel virtual address descriptor import rebuilding. Using these repair mechanisms we have shown as high as 45% improvement in the effectiveness of antivirus scanning engines.


Virtual Machine Address Space Virtual Address Dynamic Link Library Virtual Machine Image 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Microsoft portable executable and common object file format specification. Specification Document, March 2008.
  2. 2.
    Antivirus Comparatives - proactive/retrospective test (on demand detection of virus/malware). Online Report, November 2009.
  3. 3.
    Hispasec Systems, Virustotal: Free online virus and malware scan. Company Webpage, November 2009.
  4. 4.
    Manually walking a stack. Webpage, November 2009.
  5. 5.
    Adams, K., Agesen, O.: A comparison of software and hardware techniques for x86 virtualization. In: ASPLOS-XII: Proceedings of the 12th International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 2–13. ACM, New York, NY, USA (2006)Google Scholar
  6. 6.
    Borello J.-M., Mé L.: Code obfuscation techniques for metamorphic viruses. J. Comput. Virol. 4, 211–220 (2008)CrossRefGoogle Scholar
  7. 7.
    Cachaalany, E.: An attempt to reconstruct the call stack. Hex-Rays Blog, September 2009.
  8. 8.
    Christodorescu, M., Jha, S.: Testing malware detectors. In: Proceedings of the 2004 ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2004), pp. 34–44. ACM Press, Boston, MA, USA (2004)Google Scholar
  9. 9.
    Damballa. Risk calculator. Company Webpage, November 2009.
  10. 10.
    Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: Malware analysis via hardware virtualization extensions. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2008)Google Scholar
  11. 11.
    Eckelberry, A.: The growth of malware. Blog Post (Jan. 2008).
  12. 12.
    Ferrie, P.: Attacks on virtual machine emulators. Symantec Advanced Threat Research Whitepapers (2007)Google Scholar
  13. 13.
    Ferrie, P.: Anti-unpacker tricks - part one. Virus Bulletin (2008)Google Scholar
  14. 14.
    Gigapede, Ollydump 2.21. Webpage (2009)Google Scholar
  15. 15.
    Gutmann, P.: The commercial malware industry. In: Defcon 15, Las Vegas, NV (2007)Google Scholar
  16. 16.
    Hajda, A.: Winexe. Online Download, November 2009.
  17. 17.
    Harbour, N.: Advanced software armoring and polymorphic kung-fu. In: Defcon 16, Las Vegas, NV (2008)Google Scholar
  18. 18.
    Josse, S.: Secure and advanced unpacking using computer emulation. J. Comput. Virol. (3), 221–236 (2007)Google Scholar
  19. 19.
    Kang, M.G., Poosankam, P., Yin, H.: Renovo: A hidden code extractor for packed executables. In: Proceedings of the 5th ACM Workshop on Recurring Malcode (WORM) (2007)Google Scholar
  20. 20.
    Lauradoux, C.: Detecting virtual rootkits with cover channels. In: Proceedings of the 17th EICAR Conference, Laval, France, EICAR (2008)Google Scholar
  21. 21.
    MackT, Import reconstructor 1.7, March 2008,
  22. 22.
    Martignoni, L., Christorescu, M., Jha, S.: Omniunpack: Fast, generic, and safe unpacking of malware. In: Proceedings of the 2007 Computer Security Applications Conference, pp. 431–441. Miami Beach, FL, USA (2007)Google Scholar
  23. 23.
    Martignoni, L., Paleari, R., Roglia, G.F., Bruschi, D.: Testing CPU emulators. In: Proceedings of the 2009 International Conference on Software Testing and Analysis (ISSTA), pp. 261–272. ACM, Chicago, IL, USA (2009)Google Scholar
  24. 24.
    Paleari, R., Martignoni, L., Roglia, G.F., Bruschi, D.: A fistful of red-pills: how to automatically generate procedures to detect CPU emulators. In: Proceedings of the 3rd USENIX Workshop on Offensive Technologies (WOOT), ACM, Montreal, Canada (2009)Google Scholar
  25. 25.
    Quist, D., Smith, V.: Covert debugging: Circumventing software armoring. In: Blackhat USA, Las Vegas, NV (2007)Google Scholar
  26. 26.
    Robin, J.S., Irvine, C.E.: Analysis of the intel pentiums ability to support a secure virtual machine monitor. In: Proceedings of the 9th USENIX Security Symposium, Denver, CO (2000)Google Scholar
  27. 27.
    Royal, P., Halpin, M., Dagon, D., Edmonds, R., Lee, W.: PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware. In: ACSAC, pp. 289–300 (2006)Google Scholar
  28. 28.
    Sparks, S., Butler, J.: Raising the bar for windows rootkit detection. Phrack, 11(63) (2005)Google Scholar
  29. 29.
    Stewart, J.: Ollybone: Semi-automatic unpacking on ia-32. In: Defcon 14, Las Vegas, NV (2006)Google Scholar

Copyright information

© U.S. Government 2010

Authors and Affiliations

  1. 1.New Mexico TechSocorroUSA
  2. 2.Los Alamos National LaboratoryLos AlamosUSA
  3. 3.University of New MexicoAlbuquerqueUSA

Personalised recommendations