Improving antivirus accuracy with hypervisor assisted analysis

  • Original Paper
  • Journal in Computer Virology

Abstract

Modern malware protection systems pose an especially difficult problem for antivirus scanners. Simple obfuscation methods can diminish the effectiveness of a scanner significantly, often rendering it completely ineffective. This paper describes a hypervisor-based deobfuscation engine that greatly improves the effectiveness of existing scanning engines. We have modified the Ether malware analysis framework to add two deobfuscation features: section and header rebuilding, and automated import rebuilding based on kernel virtual address descriptors. Using these repair mechanisms, we have shown improvements of as much as 45% in the effectiveness of antivirus scanning engines.



Corresponding author

Correspondence to Daniel Quist.


Cite this article

Quist, D., Liebrock, L. & Neil, J. Improving antivirus accuracy with hypervisor assisted analysis. J Comput Virol 7, 121–131 (2011). https://doi.org/10.1007/s11416-010-0142-4
