
MAS: Malware Analysis System Based on Hardware-Assisted Virtualization Technology

  • Conference paper
Security Technology, Disaster Recovery and Business Continuity

Part of the book series: Communications in Computer and Information Science (CCIS, volume 122)

Abstract

Many analysis techniques exist for analyzing malicious code. However, recent malicious code often evades detection using stealthy obfuscation techniques and then attacks computing systems. We propose an enhanced dynamic binary instrumentation technique that uses hardware-assisted virtualization technology. As a machine-level analyzer, our system is isolated from almost all threats posed by the malware under analysis, and it provides a single-step analysis environment. The proposed system also supports a rapid system call analysis environment. We implement our malware analysis system (referred to as MAS) on the KVM hypervisor with Intel VT-x virtualization support. Our experiments with benchmarks show that the proposed system provides an efficient analysis environment with low overhead.



Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kim, T., Kim, I., Min, C., Eom, Y.I. (2010). MAS: Malware Analysis System Based on Hardware-Assisted Virtualization Technology. In: Kim, Th., Fang, Wc., Khan, M.K., Arnett, K.P., Kang, Hj., Ślęzak, D. (eds) Security Technology, Disaster Recovery and Business Continuity. Communications in Computer and Information Science, vol 122. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17610-4_15


  • DOI: https://doi.org/10.1007/978-3-642-17610-4_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-17609-8

  • Online ISBN: 978-3-642-17610-4
