
Handling Anti-Virtual Machine Techniques in Malicious Software

Published: 06 December 2017

Abstract

Malware analysis relies heavily on the use of virtual machines (VMs) for functionality and safety. There are subtle differences in operation between virtual and physical machines. Contemporary malware checks for these differences and changes its behavior when it detects a VM presence. These anti-VM techniques hinder malware analysis. Existing research approaches to uncover differences between VMs and physical machines use randomized testing, and thus cannot guarantee completeness.
In this article, we propose a detect-and-hide approach, which systematically addresses anti-VM techniques in malware. First, we propose cardinal pill testing—a modification of red pill testing that aims to enumerate the differences between a given VM and a physical machine through carefully designed tests. Cardinal pill testing finds five times more pills by running 15 times fewer tests than red pill testing. We examine the causes of pills and find that, while the majority of them stem from the failure of VMs to follow CPU specifications, a small number stem from under-specification of certain instructions by the Intel manual, which leads to divergent implementations in different CPU and VM architectures. Cardinal pill testing successfully enumerates the differences that stem from the first cause. Finally, we propose VM Cloak—a WinDbg plug-in that hides the presence of VMs from malware. VM Cloak monitors each command the malware executes, detects potential pills, and at runtime modifies the command’s outcomes to match those that a physical machine would generate. We implemented VM Cloak and verified that it successfully hides VM presence from malware.


Published In

ACM Transactions on Privacy and Security  Volume 21, Issue 1
February 2018
148 pages
ISSN:2471-2566
EISSN:2471-2574
DOI:10.1145/3171591
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 December 2017
Accepted: 01 September 2017
Revised: 01 June 2017
Received: 01 September 2016
Published in TOPS Volume 21, Issue 1


Author Tags

  1. System security
  2. assembly
  3. reverse engineering
  4. virtual machine testing

Qualifiers

  • Research-article
  • Research
  • Refereed

Funding Sources

  • Department of Homeland Security, and Space and Naval Warfare Systems Center, San Diego


Article Metrics

  • Downloads (Last 12 months)39
  • Downloads (Last 6 weeks)5
Reflects downloads up to 09 Nov 2024

Cited By

  • CLOUDOSCOPE: Detecting Anti-Forensic Malware using Public Cloud Environments. Proceedings of the 2023 European Interdisciplinary Cybersecurity Conference, pp. 100-107. DOI 10.1145/3590777.3590793. Online publication date: 14-Jun-2023.
  • Taxonomy of Fingerprinting Techniques for Evaluation of Smart Grid Honeypot Realism. 2023 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), pp. 1-7. DOI 10.1109/SmartGridComm57358.2023.10333917. Online publication date: 31-Oct-2023.
  • Exorcist. Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, pp. 51-61. DOI 10.1145/3560835.3564550. Online publication date: 11-Nov-2022.
  • Bane or Boon. Journal of Information Security and Applications, vol. 67, no. C. DOI 10.1016/j.jisa.2022.103202. Online publication date: 27-Jun-2022.
  • An automated framework for runtime analysis of malicious executables on Linux. Telfor Journal, vol. 13, no. 2, pp. 87-91. DOI 10.5937/telfor2102087V. Online publication date: 2021.
  • An Automated and Comprehensive Framework for IoT Botnet Detection and Analysis (IoT-BDA). IEEE Access, vol. 9, pp. 124360-124383. DOI 10.1109/ACCESS.2021.3110188. Online publication date: 2021.
  • Bypassing Anti-Analysis of Commercial Protector Methods Using DBI Tools. IEEE Access, vol. 9, pp. 7655-7673. DOI 10.1109/ACCESS.2020.3048848. Online publication date: 2021.
  • On the Dissection of Evasive Malware. IEEE Transactions on Information Forensics and Security, vol. 15, pp. 2750-2765. DOI 10.1109/TIFS.2020.2976559. Online publication date: 12-Mar-2020.
  • A framework for automated dynamic malware analysis for Linux. 2020 28th Telecommunications Forum (TELFOR), pp. 1-4. DOI 10.1109/TELFOR51502.2020.9306520. Online publication date: 24-Nov-2020.
  • Virtual Machine Monitor-based Hiding Method for Access to Debug Registers. 2020 Eighth International Symposium on Computing and Networking (CANDAR), pp. 209-214. DOI 10.1109/CANDAR51075.2020.00036. Online publication date: Nov-2020.
