Análise Transparente de Malware com Suporte por Hardware (Transparent Malware Analysis with Hardware Support)
Abstract
Dynamic analysis is one of the main techniques used for malware profiling, feature identification and the development of countermeasures. Consequently, malware authors continuously seek ways to keep their code from running inside analysis environments and thereby evade detection. Moreover, operating system hardening makes instrumenting the OS for malware monitoring increasingly difficult. Hardware-assisted analysis approaches have been developed to overcome both issues. In this paper, we propose a low-overhead malware dynamic analysis system based on branch monitoring supported by hardware (the monitoring features of Intel processors), in order to achieve the transparency required to prevent malware from identifying (and evading) the monitoring.
References
Appel, A. W. and Palsberg, J. (2003). Modern Compiler Implementation in Java. Cambridge University Press, New York, NY, USA, 2nd edition.
Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Kirda, E., and Vigna, G. (2010). Efficient detection of split personalities in malware. In NDSS 2010, 17th Annual Network and Distributed System Security Symposium, February 28th-March 3rd, 2010, San Diego, CA, USA.
Bruening, D., Zhao, Q., and Amarasinghe, S. (2012). Transparent dynamic instrumentation. In 8th ACM SIGPLAN/SIGOPS Conf. Virtual Execution Environments, VEE ’12, pages 133–144.
Willems, C., Hund, R., and Holz, T. (2012). CXPInspector: Hypervisor-based, hardware-assisted system monitoring. Technical report, Horst Görtz Institute for IT Security.
CERT.br (2015). Estatísticas do cert.br. http://www.cert.br/stats/incidentes/. Accessed June 2016.
Chen, X., Andersen, J., Mao, Z. M., Bailey, M., and Nazario, J. (2008). Towards an understanding of antivirtualization and anti-debugging behavior in modern malware. In 2008 IEEE International Conference on Dependable Systems and Networks With FTCS and DCC (DSN), pages 177–186.
Cheng, Y., Zhou, Z., Yu, M., Ding, X., and Deng, R. H. (2014). ROPecker: A generic and practical approach for defending against ROP attacks. In Network and Distributed System Security Symposium (NDSS).
Deng, Z., Zhang, X., and Xu, D. (2013). Spider: Stealthy binary program instrumentation and debugging via hardware virtualization. In Proceedings of the 29th Annual Computer Security Applications Conference, ACSAC ’13, pages 289–298, New York, NY, USA. ACM.
Dinaburg, A., Royal, P., Sharif, M., and Lee, W. (2008). Ether: Malware analysis via hardware virtualization extensions. In Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS ’08, pages 51–62, New York, NY, USA. ACM.
FEBRABAN (2015). FEBRABAN dá dicas de segurança eletrônica. http://www.febraban.org.br/Noticias1.asp?id_texto=2758. Accessed June 2016.
Guarnieri, C. (2013). Cuckoo Sandbox. http://www.cuckoosandbox.org/. Accessed June 2016.
Intel (2015). Intel VTune. https://software.intel.com/en-us/intel-vtune-amplifier-xe. Accessed June 2016.
Kompalli, S. (2014). Using existing hardware services for malware detection. In Security and Privacy Workshops (SPW), 2014 IEEE, pages 204–208.
Luk, C.-K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V. J., and Hazelwood, K. (2005). Pin: Building customized program analysis tools with dynamic instrumentation. In Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI ’05, pages 190–200, New York, NY, USA. ACM.
Martins, G. B., Souto, E., de Freitas, R., and Feitosa, E. (2014). Estruturas virtuais e diferenciação de vértices em grafos de dependência para detecção de malware metamórfico. Anais do SBSEG 2014.
Published
2016-11-07
How to Cite
BOTACIN, Marcus; GEUS, Paulo Lício de; GRÉGIO, André. Análise Transparente de Malware com Suporte por Hardware. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 16., 2016, Niterói. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2016. p. 422-434. DOI: https://doi.org/10.5753/sbseg.2016.19324.
