Improving antivirus accuracy with hypervisor assisted analysis

Authors:
Daniel Quist;Lorie Liebrock;Joshua Neil
Affiliations:
New Mexico Tech, Socorro, USA and Los Alamos National Laboratory, Los Alamos, USA;New Mexico Tech, Socorro, USA;Los Alamos National Laboratory, Los Alamos, USA and University of New Mexico, Albuquerque, USA
Venue:
Journal in Computer Virology
Year:
2011

Citing 8
Cited 2

Testing malware detectors

ISSTA '04 Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis
A comparison of software and hardware techniques for x86 virtualization

Proceedings of the 12th international conference on Architectural support for programming languages and operating systems
PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware

ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Analysis of the Intel Pentium's ability to support a secure virtual machine monitor

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Renovo: a hidden code extractor for packed executables

Proceedings of the 2007 ACM workshop on Recurring malcode
Ether: malware analysis via hardware virtualization extensions

Proceedings of the 15th ACM conference on Computer and communications security
Testing CPU emulators

Proceedings of the eighteenth international symposium on Software testing and analysis
A fistful of red-pills: how to automatically generate procedures to detect CPU emulators

WOOT'09 Proceedings of the 3rd USENIX conference on Offensive technologies

Graph-based malware detection using dynamic analysis

Journal in Computer Virology
Improving malware classification: bridging the static/dynamic gap

Proceedings of the 5th ACM workshop on Security and artificial intelligence

Quantified Score

Hi-index	0.01

Visualization

Abstract

Modern malware protection systems bring an especially difficult problem to antivirus scanners. Simple obfuscation methods can diminish the effectiveness of a scanner significantly, often times rendering them completely ineffective. This paper outlines the usage of a hypervisor based deobfuscation engine that greatly improves the effectiveness of existing scanning engines. We have modified the Ether malware analysis framework to add the following features to deobfuscation: section and header rebuilding and automated kernel virtual address descriptor import rebuilding. Using these repair mechanisms we have shown as high as 45% improvement in the effectiveness of antivirus scanning engines.