Skip to main content
SpringerLink
Log in
Book cover

International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment

DIMVA 2010: Detection of Intrusions and Malware, and Vulnerability Assessment pp 41–60Cite as

dAnubis – Dynamic Device Driver Analysis Based on Virtual Machine Introspection

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6201))

Abstract

In the escalating arms race between malicious code and security tools designed to analyze it, detect it or mitigate its impact, malicious code running inside the operating system kernel provides an extremely powerful tool. Kernel-level code can introduce hard to detect backdoors, provide stealth by hiding files, processes or other resources and in general tamper with operating system code and data in arbitrary ways.

Under Windows, kernel-level malicious code typically takes the form of a device driver. In this work, we present dAnubis, a system for the real-time, dynamic analysis of malicious Windows device drivers. dAnubis can automatically provide a high-level, human-readable report of a driver’s behavior on the system. We applied our system to a dataset of over 400 malware samples. The results of this analysis shed some light on the behavior of kernel-level malicious code that is in the wild today.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Bayer, U., Habibi, I., Balzarotti, D., Kirda, E., Kruegel, C.: Insights into current malware behavior. In: 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats, LEET (2009)

    Google Scholar 

  2. Royal, P., Halpin, M., Dagon, D., Edmonds, R., Lee, W.: Polyunpack: Automating the hidden-code extraction of unpack-executing malware. In: 22nd Annual Computer Security Applications Conf., ACSAC (2006)

    Google Scholar 

  3. Kang, M.G., Poosankam, P., Yin, H.: Renovo: a hidden code extractor for packed executables. In: ACM Workshop on Recurring malcode, WORM (2007)

    Google Scholar 

  4. Rolles, R.: Unpacking virtualization obfuscators. In: 3rd USENIX Workshop on Offensive Technologies, WOOT (2009)

    Google Scholar 

  5. Moser, A., Kruegel, C., Kirda, E.: Limits of Static Analysis for Malware Detection. In: 23rd Annual Computer Security Applications Conference, ACSAC (2007)

    Google Scholar 

  6. Bayer, U.: Ttanalyze a tool for analyzing malware. Master’s thesis, Vienna University of Technology (2005)

    Google Scholar 

  7. Willems, C., Holz, T., Freiling, F.: Toward Automated Dynamic Malware Analysis Using CWSandbox. IEEE Security and Privacy 2(5) (2007)

    Google Scholar 

  8. Bailey, M., Oberheide, J., Andersen, J., Mao, Z., Jahanian, F., Nazario, J.: Automated Classification and Analysis of Internet Malware. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 178–197. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  9. Bayer, U., Milani Comparetti, P., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, Behavior-Based Malware Clustering. In: Network and Distributed System Security Symposium, NDSS (2009)

    Google Scholar 

  10. Rieck, K., Holz, T., Willems, C., Duessel, P., Laskov, P.: Learning and classification of malware behavior. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 108–125. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  11. Jacob, G., Debar, H., Filiol, E.: Malware behavioral detection by attribute-automata using abstraction from platform and language. In: Recent Advances in Intrusion Detection, RAID (2009)

    Google Scholar 

  12. Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Network and Distributed Systems Security Symposium, NDSS (2003)

    Google Scholar 

  13. Sharif, M.I., Lee, W., Cui, W., Lanzi, A.: Secure in-vm monitoring using hardware virtualization. In: ACM conference on Computer and communications security, CCS (2009)

    Google Scholar 

  14. Quynh, N.A., Takefuji, Y.: Towards a tamper-resistant kernel rootkit detector. In: SAC 2007: Proceedings of the 2007 ACM symposium on Applied computing, pp. 276–283. ACM, New York (2007)

    Chapter  Google Scholar 

  15. Riley, R., Jiang, X., Xu, D.: Guest-transparent prevention of kernel rootkits with vmm-based memory shadowing. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 1–20. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  16. Wang, Z., Jiang, X., Cui, W., Wang, X.: Countering persistent kernel rootkits through systematic hook discovery. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 21–38. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  17. Yin, H., Liang, Z., Song, D.: Hookfinder: Identifying and understanding malware hooking behaviors. In: Network and Distributed Systems Security Symposium, NDSS (2008)

    Google Scholar 

  18. Lanzi, A., Sharif, M., Lee, W.: K-tracer: A system for extracting kernel malware behavior. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium (2009)

    Google Scholar 

  19. Riley, R., Jiang, X., Xu, D.: Multi-aspect profiling of kernel rootkit behavior. In: EuroSys 2009: Proceedings of the 4th ACM European conference on Computer systems, pp. 47–60. ACM, New York (2009)

    Chapter  Google Scholar 

  20. Bayer, U., Moser, A., Kruegel, C., Kirda, E.: Dynamic analysis of malicious code. Journal in Computer Virology 2(1), 67–77 (2006)

    Article  Google Scholar 

  21. Hoglund, G., Butler, J.: Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, Reading (2005)

    Google Scholar 

  22. Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through vmm-based “out-of-the-box” semantic view reconstruction. In: Proceedings of the 14th ACM Conference on Computer and Communications Security (2007)

    Google Scholar 

  23. Bellard, F.: Qemu, a fast and portable dynamic translator. In: Proceedings of the annual conference on USENIX Annual Technical Conference, p. 41. USENIX Association (2005)

    Google Scholar 

  24. Orwick, P., Smith, G.: Developing Drivers with the Microsoft Windows Driver Foundation. Microsoft Press, Redmond (2007)

    Google Scholar 

  25. Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Network and Distributed Systems Security Symposium, NDSS (2005)

    Google Scholar 

  26. Sharif, M.I., Lanzi, A., Giffin, J.T., Lee, W.: Impeding malware analysis using conditional code obfuscation. In: Network and Distributed System Security, NDSS (2008)

    Google Scholar 

  27. Russinovich, M.: Filemon (2010), http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

  28. Beck, D., Vo, B., Verbowski, C.: Detecting stealth software with strider ghostbuster. In: Proceedings of the 2005 International Conference on Dependable Systems and Networks, pp. 368–377 (2005)

    Google Scholar 

  29. Jones, S.T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H.: Vmm-based hidden process detection and identification using lycosid. In: VEE 2008: Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, pp. 91–100. ACM, New York (2007)

    Google Scholar 

  30. Jones, S.T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H.: Antfarm: tracking processes in a virtual machine environment. In: ATEC 2006: Proceedings of the annual conference on USENIX 2006 Annual Technical Conference (2006)

    Google Scholar 

  31. Xuan, C., Copeland, J., Beyah, R.: Toward revealing kernel malware behavior in virtual execution environments. In: Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection (2009)

    Google Scholar 

  32. Hund, R., Holz, T., Freiling, F.C.: Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In: Proceedings of the 18th USENIX Security Symposium (2009)

    Google Scholar 

  33. Garfinkel, T., Adams, K., Warfield, A., Franklin, J.: Compatibility is not transparency: Vmm detection myths and realities. In: Proceedings of the 11th Workshop on Hot Topics in Operating Systems (2007)

    Google Scholar 

  34. Paleari, R., Martignoni, L., Roglia, G.F., Bruschi, D.: A fistful of red-pills: How to automatically generate procedures to detect CPU emulators. In: USENIX Workshop on Offensive Technologies, WOOT (2009)

    Google Scholar 

  35. Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Kirda, E., Vigna, G.: Efficient detection of split personalities in malware. In: Network and Distributed System Security, NDSS (2010)

    Google Scholar 

  36. Saxena, P., Sekar, R., Iyer, M.R., Puranik, V.: A practical technique for containment of untrusted plug-ins. Technical Report SECLAB08-01, Stony Brook University (2008)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Secure Systems Lab, Vienna University of Technology,  

    Matthias Neugschwandtner, Christian Platzer, Paolo Milani Comparetti & Ulrich Bayer

Authors
  1. Matthias Neugschwandtner
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Christian Platzer
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Paolo Milani Comparetti
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ulrich Bayer
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. International Computer Science Institute, Berkeley, USA

    Christian Kreibich

  2. Research Establishment for Applied Science (FGAN), Research Institute for Communication, Information Processing and Ergonomics (FKIE), Wachtberg, Germany

    Marko Jahnke

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Neugschwandtner, M., Platzer, C., Comparetti, P.M., Bayer, U. (2010). dAnubis – Dynamic Device Driver Analysis Based on Virtual Machine Introspection. In: Kreibich, C., Jahnke, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2010. Lecture Notes in Computer Science, vol 6201. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14215-4_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-14215-4_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14214-7

  • Online ISBN: 978-3-642-14215-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation