DOI: 10.1145/1455770.1455779 (research article, CCS conference proceedings)

Ether: malware analysis via hardware virtualization extensions

Published: 27 October 2008

Abstract

Malware has become the centerpiece of most security threats on the Internet. Malware analysis is an essential technology: it extracts the runtime behavior of malware, supplies signatures to detection systems, and provides evidence for recovery and cleanup. The central contest in malware analysis is between malware trying to detect an analyzer at runtime and the analyzer trying to stay hidden. State-of-the-art analyzers reside in, or emulate part of, the guest operating system and its underlying hardware, which makes them easy to detect and evade. In this paper, we propose a transparent and external approach to malware analysis, motivated by the intuition that for a malware analyzer to be transparent, it must not induce any side-effects that are unconditionally detectable by malware. Our analyzer, Ether, is based on a novel application of hardware virtualization extensions such as Intel VT, and resides completely outside of the target OS environment. Thus, there are no in-guest software components vulnerable to detection, and there are no shortcomings that arise from incomplete or inaccurate system emulation. Our experiments are based on our study of obfuscation techniques used to create 25,000 recent malware samples. The results show that Ether remains transparent and defeats the obfuscation tools that evade existing approaches.
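The abstract's argument, that an in-guest analyzer leaves side-effects the sample can test for while an analyzer living outside the guest need not, as an added example (not code from the Ether paper or its authors). The toy guest, its five-byte instruction set, the CRC-based self-check stub and the two tracers are all constructed for illustration: the in-guest tracer models a breakpoint-patching debugger, the external one models a hypervisor single-step trap, both simplified far below what Ether actually does on Intel VT.

```python
"""Toy model of analyzer transparency: in-guest breakpoints vs. external tracing.

Added example, not code from the Ether paper. The guest, opcodes and tracers
below are constructed stand-ins for a real VM, x86 code and a VT-based VMM.
"""
import zlib
from dataclasses import dataclass, field

# Constructed toy opcodes (not x86). INT3 is the one real x86 value here: the
# single-byte software breakpoint that in-guest debuggers patch into code.
OP_NOP, OP_SELFCHECK, OP_PAYLOAD, OP_EXIT = 0x90, 0x01, 0x02, 0x03
INT3 = 0xCC


def build_sample():
    """Constructed 'malware' image plus the CRC32 its packer baked in.

    SELFCHECK recomputes CRC32 over the whole code region at run time and
    compares it with the packed-in value; any modified byte (such as a
    breakpoint an analyzer patched in) makes it skip PAYLOAD and exit.
    """
    code = bytearray([OP_NOP, OP_NOP, OP_SELFCHECK, OP_PAYLOAD, OP_EXIT])
    return code, zlib.crc32(bytes(code))


@dataclass
class Guest:
    code: bytearray          # guest memory holding the sample's code
    expected_crc: int        # value the sample compares itself against
    pc: int = 0
    halted: bool = False
    evaded: bool = False     # set when SELFCHECK sees a modified image
    actions: list = field(default_factory=list)  # observable behaviour

    def execute_one(self):
        """Execute the instruction at pc exactly as the guest CPU would."""
        op = self.code[self.pc]
        if op == OP_SELFCHECK:
            if zlib.crc32(bytes(self.code)) != self.expected_crc:
                self.evaded = True
                self.pc = len(self.code) - 1   # jump straight to EXIT
                return
        elif op == OP_PAYLOAD:
            self.actions.append("payload")
        elif op == OP_EXIT:
            self.halted = True
        elif op == INT3:
            raise RuntimeError("breakpoint byte executed at %d" % self.pc)
        self.pc += 1


def trace_in_guest_debugger(guest, max_steps=100):
    """In-guest tracer in the style of a software debugger.

    Patches INT3 over every instruction, then restore / execute / re-arm on
    each hit. The patched bytes live in guest memory, so the sample's own
    checksum sees them: that is the unconditionally detectable side-effect.
    Returns the list of pcs observed.
    """
    trace = []
    saved = {i: guest.code[i] for i in range(len(guest.code))}
    for i in saved:
        guest.code[i] = INT3
    while not guest.halted and len(trace) < max_steps:
        pc = guest.pc
        trace.append(pc)               # breakpoint hit
        guest.code[pc] = saved[pc]     # restore the original byte
        guest.execute_one()            # run the real instruction
        guest.code[pc] = INT3          # re-arm
    for i, b in saved.items():         # detach: leave the image as found
        guest.code[i] = b
    return trace


def trace_external_monitor(guest, max_steps=100):
    """Out-of-guest tracer modelling a VMM single-step trap.

    The trap lives outside guest memory (here: the loop itself), so the
    guest's code region, and hence the CRC it computes, is exactly what the
    packer produced. Returns the list of pcs observed.
    """
    trace = []
    while not guest.halted and len(trace) < max_steps:
        trace.append(guest.pc)         # trap fires before each instruction
        guest.execute_one()
    return trace


def compare_tracers():
    """Run the same sample under both tracers and report what each saw."""
    code, crc = build_sample()
    in_guest = Guest(bytearray(code), crc)
    t1 = trace_in_guest_debugger(in_guest)
    external = Guest(bytearray(code), crc)
    t2 = trace_external_monitor(external)
    return {
        "in_guest": {"trace": t1, "evaded": in_guest.evaded,
                     "actions": in_guest.actions},
        "external": {"trace": t2, "evaded": external.evaded,
                     "actions": external.actions},
    }


if __name__ == "__main__":
    for name, result in compare_tracers().items():
        print(name, result)
```

Under the in-guest debugger the sample detects the patched bytes, takes the benign path and the tracer never sees the payload, even though it did record the instructions that ran; under the external monitor the image is untouched, the self-check passes and the payload is observed. The model deliberately omits the side-effect that an external single-stepper still leaves, namely the extra wall-clock time per instruction, which is why timing measurements remain the residual detection channel such designs have to manage.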


Cited By

  • (2025) Beyond the sandbox: Leveraging symbolic execution for evasive malware classification. Computers & Security 149 (104193), Feb 2025. doi:10.1016/j.cose.2024.104193
  • (2024) Understanding LLMs Ability to Aid Malware Analysts in Bypassing Evasion Techniques. Companion Proceedings of the 26th International Conference on Multimodal Interaction, pp. 36-40, 4 Nov 2024. doi:10.1145/3686215.3690147
  • (2024) Simulating the Network Environment of Sandboxes to Hide Virtual Machine Introspection Pauses. Proceedings of the 17th European Workshop on Systems Security, pp. 1-7, 22 Apr 2024. doi:10.1145/3642974.3652280
  • (2024) Reducing Malware Analysis Overhead With Coverings. IEEE Transactions on Dependable and Secure Computing 21(4), pp. 4133-4146, Jul 2024. doi:10.1109/TDSC.2023.3346328
  • (2024) SecBox: a Lightweight Data Mining Platform for Dynamic and Reproducible Malware Analysis. 2024 11th IEEE Swiss Conference on Data Science (SDS), pp. 62-67, 30 May 2024. doi:10.1109/SDS60720.2024.00017
  • (2024) CarePlus: A general framework for hardware performance counter based malware detection under system resource competition. Computers & Security 143 (103884), Aug 2024. doi:10.1016/j.cose.2024.103884
  • (2024) A Measurement Study on Interprocess Code Propagation of Malicious Software. Digital Forensics and Cyber Crime, pp. 264-282, 3 Apr 2024. doi:10.1007/978-3-031-56583-0_18
  • (2023) On the feasibility of malware unpacking via hardware-assisted loop profiling. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 7481-7498, 9 Aug 2023. doi:10.5555/3620237.3620656
  • (2023) A Survey and Evaluation of Android-Based Malware Evasion Techniques and Detection Frameworks. Information 14(7), 374, 30 Jun 2023. doi:10.3390/info14070374
  • (2023) Memory Analysis Based Estimation of Hook Point by Virtual Machine Monitor. International Journal of Networking and Computing 13(2), pp. 273-286, 2023. doi:10.15803/ijnc.13.2_273


Published In

      CCS '08: Proceedings of the 15th ACM conference on Computer and communications security
      October 2008, 590 pages
      ISBN: 9781595938107
      DOI: 10.1145/1455770

Publisher

      Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. dynamic analysis
      2. emulation
      3. malware analysis
      4. unpacking
      5. virtualization

      Qualifiers

      • Research-article

Conference

      CCS08

Acceptance Rates

      CCS '08 paper acceptance rate: 51 of 280 submissions (18%)
      Overall acceptance rate: 1,261 of 6,999 submissions (18%)

Article Metrics

      • Downloads (last 12 months): 105
      • Downloads (last 6 weeks): 12
      Reflects downloads up to 18 Dec 2024

