Compatibility is not transparency: VMM detection myths and realities
HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
Ether: malware analysis via hardware virtualization extensions
Proceedings of the 15th ACM conference on Computer and communications security
ACM Transactions on Information and System Security (TISSEC)
Otherworld: giving applications a chance to survive OS kernel crashes
Proceedings of the 5th European conference on Computer systems
Return-oriented rootkits: bypassing kernel code integrity protection mechanisms
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
A fistful of red-pills: how to automatically generate procedures to detect CPU emulators
WOOT'09 Proceedings of the 3rd USENIX conference on Offensive technologies
CacheMind: Fast performance recovery using a virtual machine monitor
DSNW '10 Proceedings of the 2010 International Conference on Dependable Systems and Networks Workshops (DSN-W)
Fast and correct performance recovery of operating systems using a virtual machine monitor
Proceedings of the 7th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
nEther: in-guest detection of out-of-the-guest malware analyzers
Proceedings of the Fourth European Workshop on System Security
Large-Scale analysis of malware downloaders
DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Behavioural detection with API call-grams to identify malicious PE files
Proceedings of the First International Conference on Security of Internet of Things
AndroTotal: a flexible, scalable toolbox and service for testing mobile malware detectors
Proceedings of the Third ACM workshop on Security and privacy in smartphones & mobile devices
Hi-index | 0.00 |
Present-day malware analysis techniques use both virtualized and emulated environments to analyze malware. The reason is that such environments provide isolation and system restoring capabilities, which facilitate automated analysis of malware samples. However, there exists a class of malware, called VM-aware malware, which is capable of detecting such environments and then hide its malicious behavior to foil the analysis. Because of the artifacts introduced by virtualization or emulation layers, it has always been and will always be possible for malware to detect virtual environments. The definitive way to observe the actual behavior of VM-aware malware is to execute them in a system running on real hardware, which is called a "bare-metal" system. However, after each analysis, the system must be restored back to the previous clean state. This is because running a malware program can leave the system in an instable/insecure state and/or interfere with the results of a subsequent analysis run. Most of the available state-of-the-art system restore solutions are based on disk restoring and require a system reboot. This results in a significant downtime between each analysis. Because of this limitation, efficient automation of malware analysis in bare-metal systems has been a challenge. This paper presents the design, implementation, and evaluation of a malware analysis framework for bare-metal systems that is based on a fast and rebootless system restore technique. Live system restore is accomplished by restoring the entire physical memory of the analysis operating system from another, small operating system that runs outside of the target OS. By using this technique, we were able to perform a rebootless restore of a live Windows system, running on commodity hardware, within four seconds. We also analyzed 42 malware samples from seven different malware families, that are known to be "silent" in a virtualized or emulated environments, and all of them showed their true malicious behavior within our bare-metal analysis environment.