
Measuring virtual machine detection in malware using DSD tracer



  1. Measuring virtual machine detection in malware using DSD tracer. Boris Lau, Vanja Svajcer, Sophoslabs; Journal in Computer Virology, 2008. Presenter: 張逸文

  2. Outline • Introduction • Virtual machine detection methods • Methodology of our study with DSD-Tracer • Results • Conclusion

  3. Introduction (#1) • Virtual machine technology was first implemented by IBM • Growing attention from virus writers and computer security researchers • If it detects a VM, malware will behave like a normal program • If the proportion of VM-aware samples is > 0.1%, developing an environment that can successfully analyze VM-aware malware is important

  4. Introduction (#2) • The most common security use cases for VMs • Software vulnerability research • Malware analysis • Honeypots

  5. Virtual machine detection methods (#1) • If a VM is detected, the malware will • stop its execution, or • launch a specially crafted payload • Examples: Zlob Trojans • IRC bots • Executable packers

  6. Virtual machine detection methods (#2) • Detection of running under MS Virtual PC using the VPC communication channel • Communication between guest OS and VMM • Exceptions due to opcodes: 0x0f, 0x3f / 0x0f, 0xc7, 0xc8 • Calls to different VMM services: 0x07, 0x0B

  7. Invalid instruction VPC communication channel detection

  8. Virtual machine detection methods (#3) • Detection of running under VMware using the VMware control API • VMware backdoor communication • guest ↔ host communication • IN instruction • port 0x5658 • eax: 0x564D5868 ("VMXh") • ebx: function number

  9. Anti-VMWare prevention virtual machine initialization settings

  10. Virtual machine detection methods (#4) • Red Pill (using SIDT, SGDT or SLDT) • SxxT x86 instructions • Return the contents of the sensitive register • IDT in VMware is 0xffXXXXXX • IDT in Virtual PC is 0xe8XXXXXX • Compare with 0xd0 • Invalid on multi-processor systems

  11. Redpill

  12. Virtual machine detection methods (#5) • SMSW VMware detection • Store Machine Specific Word instruction • Returns a 16-bit result • 32-bit register (16 undefined bits + 16-bit result) • In VMware, the top 16 bits don't change

  13. SMSW VMware detection code

  14. Methodology of our study with DSD-Tracer (#1) • DSD-Tracer • identifies obfuscation packers • dynamic & static analysis

  15. Methodology of our study with DSD-Tracer(#2)

  16. Methodology of our study with DSD-Tracer (#3) • Dynamic component • Instructions decoded before their execution • All CPU registers • Reads/writes to virtual/physical memory • Interrupts/exceptions generated • Instrumented virtual machine • Low-level information

  17. Methodology of our study with DSD-Tracer (#4) • Static component • C++ interface • Python script • Matches known techniques for detecting VMs • Automatic replication harness • Web-based automatic replication harness
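As an added example (not code from the paper or from DSD-Tracer itself), the scanner below does what the static component's Python script is described as doing: it matches the byte patterns of the VM-detection techniques listed on slides 6 to 13 (VMware backdoor, VPC illegal opcode, Red Pill SxxT, SMSW) in a code blob. The rule set and the sample byte string are constructed for this example; the opcode encodings are standard 32-bit x86.

```python
import re

# Fixed byte signatures for the techniques on the slides (constructed rule set).
FIXED_PATTERNS = {
    "vmware_backdoor_magic": rb"\xb8\x68\x58\x4d\x56",                    # mov eax, 0x564D5868 ("VMXh")
    "vmware_backdoor_port":  rb"\xba\x58\x56\x00\x00|\x66\xba\x58\x56",  # mov edx/dx, 0x5658
    "vpc_illegal_opcode":    rb"\x0f\x3f",                                # Virtual PC guest-to-VMM opcode
}
# 0F 01 /reg and 0F 00 /reg instructions, selected by the ModRM reg field.
TWO_BYTE_OPCODES = {(0x01, 0): "sgdt", (0x01, 1): "sidt", (0x01, 4): "smsw", (0x00, 0): "sldt"}

def scan(code: bytes) -> dict:
    """Return {technique_name: [offsets]} for every signature found in code."""
    hits = {}
    for name, pat in FIXED_PATTERNS.items():
        for m in re.finditer(pat, code):
            hits.setdefault(name, []).append(m.start())
    for i in range(len(code) - 2):
        if code[i] != 0x0F or code[i + 1] not in (0x00, 0x01):
            continue
        modrm = code[i + 2]
        name = TWO_BYTE_OPCODES.get((code[i + 1], (modrm >> 3) & 7))
        # sgdt/sidt/sldt only take a memory operand (mod != 3); smsw also allows a register
        if name and (name == "smsw" or (modrm >> 6) != 3):
            hits.setdefault(name, []).append(i)
    return hits

def classify(hits: dict) -> set:
    """Map raw signature hits to the detection methods named on the slides."""
    techniques = set()
    magic, port = hits.get("vmware_backdoor_magic", []), hits.get("vmware_backdoor_port", [])
    # Backdoor call needs both the magic and the port set up close together
    if any(abs(a - b) <= 32 for a in magic for b in port):
        techniques.add("VMware backdoor")
    if any(k in hits for k in ("sidt", "sgdt", "sldt")):
        techniques.add("Red Pill (SxxT)")
    if "smsw" in hits:
        techniques.add("SMSW")
    if "vpc_illegal_opcode" in hits:
        techniques.add("VPC illegal instruction")
    return techniques

# Constructed sample: one instance of each technique, back to back.
SAMPLE = (
    b"\xb8\x68\x58\x4d\x56"          # mov eax, 0x564D5868
    b"\xba\x58\x56\x00\x00"          # mov edx, 0x5658
    b"\xed"                          # in eax, dx
    b"\x0f\x01\x0d\x00\x00\x00\x00"  # sidt [disp32]   (Red Pill)
    b"\x0f\x01\xe0"                  # smsw eax
    b"\x0f\x3f\x07\x0b"              # VPC illegal instruction
)
```

Running `classify(scan(SAMPLE))` on the constructed blob reports all four methods; a plain 0F 01 with a register-form ModRM (e.g. `monitor`) is not counted as SIDT.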

  18. Methodology of our study with DSD-Tracer (#5) • Case study: DSD-Tracer on Themida • Analyzing Themida with a traditional debugger or static technique is troublesome • recording memory I/O • "dump" the sample in a static environment

  19. Methodology of our study with DSD-Tracer (#6) • Justification for using DSD-Tracer • Coverage of packed samples • Low-level accuracy • Circumventing armouring techniques • Mitigating factors in using DSD-Tracer • No Bochs detection techniques in any sample • 4 samples/hour, 5 samples from each set of packed files • 85% of Themida samples with VM-aware techniques

  20. Methodology of our study with DSD-Tracer (#7) • Proof-of-concept experiment for DSD-Tracer on VMware • Cross-verified with multiple dynamic analyses • Implemented on VMware Workstation 6 • Invisible breakpoint • GDB script for printing the assembly execution trace in user mode

  21. Results (#1) • VM detection in packers • 193 different packers, 400 packed samples • Overall VM detection rate is 1.15% • Themida accounting for 1.03% • ExeCryptor accounting for 0.15% • EncPk: custom packers

  22. Results (#2) • VM detection in malware families • Static analysis rules: disassembly • Dynamic analysis rules: Sophos virus engine emulation • 2 million known malicious files • A large set of known clean files • VM-aware samples < 1% • Method breakdown (Table 1) • Family breakdown (Table 2) • Dial/FlashL

  23. Results(#3)

  24. Results (#4) • VMware backdoor detection method → 50% VPC illegal instruction detection method • VPC illegal instruction detection method → 93% VMware backdoor detection method

  25. Results (#5) • Fig. 7 VMware backdoor detection in 2007

  26. Results (#6) • Fig. 8 VPC backdoor detections in 2007

  27. Conclusion • A combination of dynamic and static analysis is better • 2.13% VM-aware samples

  28. Q&A

  29. Appendix • VMware backdoor I/O port • On the Cutting Edge: Thwarting Virtual Machine Detection • Trapping worm in a virtual net • Comparison of VM, Virtual PC and Bochs • http://hi.baidu.com/%CC%FA%D0%AC%B9%C3%C4%EF/blog/item/085cc609b215f3226b60fba5.html (mainland China version) • http://www.osnews.com/story/1054 (overseas version)

  30. Thanks ~
