Detecting System Emulators

  • Thomas Raffetseder
  • Christopher Kruegel
  • Engin Kirda
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4779)

Abstract

Malware analysis is the process of determining the behavior and purpose of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques and removal tools. Security companies typically analyze unknown malware samples using simulated system environments (such as virtual machines or emulators). The reason is that these environments ease the analysis process and provide more control over executing processes. Of course, the goal of malware authors is to make the analysis process as difficult as possible. To this end, they can equip their malware programs with checks that detect whether their code is executing in a virtual environment, and if so, adjust the program’s behavior accordingly. In fact, many current malware programs already use routines to determine whether they are running in a virtualizer such as VMware.

The general belief is that system emulators (such as Qemu) are more difficult to detect than traditional virtual machines (such as VMware) because they handle all instructions in software. In this paper, we seek to answer the question of whether this belief is justified. In particular, we analyze a number of possibilities to detect system emulators. Our results show that emulation can be successfully detected, mainly because the task of perfectly emulating real hardware is complex. Furthermore, some of our tests also indicate that novel technologies that provide hardware support for virtualization (such as Intel Virtualization Technology) may not be as undetectable as previously thought.

Keywords

Virtual Machine, Malicious Code, Real Hardware, Virtual Machine Monitor, Intel Corporation

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Thomas Raffetseder (1)
  • Christopher Kruegel (1)
  • Engin Kirda (1)

  1. Secure Systems Lab, Technical University of Vienna, Austria