Measuring virtual machine detection in malware using DSD tracer
Boris Lau, Vanja Svajcer
SophosLabs, Journal in Computer Virology, 2008
Presenter: 張逸文
Outline
Introduction
Virtual machine detection methods
Methodology of our study with DSD-Tracer
Results
Conclusion
Introduction (#1)
Virtual machine technology was first implemented by IBM
It now draws increasing attention from virus writers and computer security researchers alike
If it detects that it is running inside a VM, VM-aware malware behaves like a normal program and hides its malicious behaviour
If the proportion of such samples is above 0.1%, building an environment that can successfully analyze VM-aware malware is important
Introduction (#2)
The most common security use cases for virtual machines:
Software vulnerability research
Malware analysis
Honeypots
Virtual machine detection methods (#1)
If a VM is detected, the malware will either
stop its execution, or
launch a specially crafted (decoy) payload
Observed in:
Zlob Trojans
IRC bots
Executable packers
Virtual machine detection methods (#2)
Detection of running under Microsoft Virtual PC using the VPC communication channel
Communication between the guest OS and the VMM
Relies on exceptions raised by opcodes 0x0f, 0x3f / 0x0f, 0xc7, 0xc8: invalid on a real CPU, but intercepted by the VMM
The bytes that follow select the VMM service to call (e.g. 0x07, 0x0B)
Invalid instruction VPC communication channel detection
Virtual machine detection methods (#3)
Detection of running under VMware using the VMware control API
VMware backdoor communication
guest ↔ host communication
IN instruction
port 0x5658 ("VX")
eax: 0x564D5868 ("VMXh")
ecx: function number (e.g. 0x0A = get version); on success ebx returns "VMXh"
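The two channel probes above share one mechanism: execute an instruction that a real CPU must fault on, and treat "no fault" as proof that a VMM consumed it. The following C program is an added example (my code, not from the paper or the slides) for x86-64 Linux with GCC. It runs the Virtual PC magic opcode (0F 3F 07 0B) and the VMware backdoor IN under a SIGILL/SIGSEGV handler; the function and constant names are mine, and the operand values (eax=1, ebx=0 for VPC; eax="VMXh", ecx=0x0A, dx=0x5658 for VMware) are the conventional ones from the published detection snippets. On other architectures the probes report "unsupported".

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes returned by every probe. */
enum probe_result { PROBE_UNSUPPORTED = -1, PROBE_ABSENT = 0, PROBE_PRESENT = 1 };

static sigjmp_buf probe_env;

/* A real CPU (or a hypervisor that does not implement the channel) faults:
 * #UD -> SIGILL for the Virtual PC opcode, #GP -> SIGSEGV for the ring-3 IN.
 * Jump back to run_probe() and report that the channel is absent. */
static void probe_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* Runs fn() with SIGILL and SIGSEGV trapped; a fault yields PROBE_ABSENT. */
static int run_probe(int (*fn)(void)) {
    struct sigaction sa, old_ill, old_segv;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGILL, &sa, &old_ill);
    sigaction(SIGSEGV, &sa, &old_segv);
    int r = sigsetjmp(probe_env, 1) == 0 ? fn() : PROBE_ABSENT;
    sigaction(SIGILL, &old_ill, NULL);
    sigaction(SIGSEGV, &old_segv, NULL);
    return r;
}

#if defined(__x86_64__)
/* Virtual PC communication channel: 0F 3F is an invalid opcode on real hardware.
 * eax=1/ebx=0 mirror the classic snippet; the missing #UD is the real signal. */
static int vpc_probe(void) {
    uint64_t ax = 1, bx = 0;
    __asm__ volatile(".byte 0x0f, 0x3f, 0x07, 0x0b"
                     : "+a"(ax), "+b"(bx) : : "memory", "cc");
    return PROBE_PRESENT;          /* no fault: a VMM consumed the instruction */
}

/* VMware backdoor: IN EAX,DX on port 0x5658 ("VX") with EAX="VMXh" and
 * ECX=0x0A (get version). Ring 3 IN raises #GP on real hardware; VMware
 * answers instead and echoes the magic value back in EBX. */
static int vmware_probe(void) {
    uint32_t magic = 0x564D5868u, bx = 0, cmd = 0x0A, port = 0x5658u;
    __asm__ volatile("in %%dx, %%eax"
                     : "+a"(magic), "+b"(bx), "+c"(cmd), "+d"(port) : : "memory");
    return bx == 0x564D5868u ? PROBE_PRESENT : PROBE_ABSENT;
}
#else
static int vpc_probe(void)    { return PROBE_UNSUPPORTED; }
static int vmware_probe(void) { return PROBE_UNSUPPORTED; }
#endif

int detect_virtual_pc(void)      { return run_probe(vpc_probe); }
int detect_vmware_backdoor(void) { return run_probe(vmware_probe); }

/* Deterministic check of the trap itself: a deliberate fault must come back as
 * PROBE_ABSENT and a benign function must pass its result through. */
static int always_faults(void) { volatile int *p = (volatile int *)8; return *p; }
static int never_faults(void)  { return PROBE_PRESENT; }
int trap_selftest(void) {
    return run_probe(always_faults) == PROBE_ABSENT &&
           run_probe(never_faults) == PROBE_PRESENT;
}

int main(void) {
    printf("trap self-test:          %d\n", trap_selftest());
    printf("Virtual PC channel:      %d\n", detect_virtual_pc());
    printf("VMware backdoor (IN):    %d\n", detect_vmware_backdoor());
    return 0;
}
```

Build with `gcc -O2 probe.c -o probe`. The 32-bit build is deliberately excluded because GCC reserves ebx for PIC code there; under KVM or on bare metal both probes fault and report 0, under VMware the IN probe returns 1.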
Anti-VMware prevention: virtual machine initialization settings
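The slide above shows the settings as an image. As an added reference (not reproduced from the slides), these are the undocumented VMware Workstation `.vmx` options that Liston and Skoudis published in "On the Cutting Edge: Thwarting Virtual Machine Detection" (listed in the appendix) to blunt backdoor- and translation-based detection. The values are theirs; the comments are mine.

```ini
; Disable the guest-tools backdoor commands a detector typically calls
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
; Force binary translation of all guest code instead of direct execution,
; so translation-sensitive tricks (SIDT/SMSW-style probes) see consistent values
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
```

These options are unsupported by VMware: disabling the getVersion command breaks VMware Tools integration (clipboard, drag-and-drop, time sync), and forcing binary translation slows the guest considerably. They belong in a dedicated analysis VM, not a general-purpose one.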
Virtual machine detection methods (#4)
Redpill (using SIDT, SGDT or SLDT)
SxDT x86 instructions
Return the contents of the sensitive descriptor-table registers, and are not privileged
IDT base in VMware is 0xffXXXXXX
IDT base in Virtual PC is 0xe8XXXXXX
Compare the top byte with 0xd0: above 0xd0 means a virtual machine
Unreliable on multi-processor systems, where each CPU has its own IDT and the result depends on which core the code runs on
Redpill
Virtual machine detection methods (#5)
SMSW VMware detection
Store Machine Status Word instruction
Returns a 16-bit result
With a 32-bit register destination: 16 undefined bits + the 16-bit result
In VMware the top 16 bits are left unchanged (a real CPU overwrites them)
SMSW VMWare detection code
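The Redpill and SMSW slides above describe decision rules without showing them in full. This added example (my code, not from the paper or the slides) writes both rules as pure functions and, on x86-64 Linux with GCC, feeds them real register contents. Two caveats the code comments on: Redpill was written for 32-bit code and inspected byte 5 of the SIDT result (bits 31:24 of a 32-bit base), which is not meaningful for the 64-bit base, and current Linux kernels spoof SIDT/SMSW results for user mode on UMIP-capable CPUs. The raw values are therefore reported for inspection, not trusted. Function and enum names are my own.

```c
#include <stdint.h>
#include <stdio.h>

enum vm_guess { VM_NATIVE = 0, VM_VMWARE = 1, VM_VIRTUALPC = 2, VM_OTHER = 3 };

/* Redpill rule from the slides: classify by the top byte of the 32-bit IDT base.
 * 0xff.. = VMware, 0xe8.. = Virtual PC, above 0xd0 = some VMM, else native. */
enum vm_guess redpill_classify(uint8_t idt_base_top_byte) {
    if (idt_base_top_byte == 0xff) return VM_VMWARE;
    if (idt_base_top_byte == 0xe8) return VM_VIRTUALPC;
    if (idt_base_top_byte > 0xd0)  return VM_OTHER;
    return VM_NATIVE;
}

/* Byte 5 of the 32-bit SIDT image, i.e. bits 31:24 of the base. */
uint8_t redpill_top_byte(uint64_t idt_base) { return (uint8_t)(idt_base >> 24); }

/* SMSW rule: eax is preloaded with a marker. A real CPU stores CR0 bits 31:16
 * into the "undefined" upper half; VMware's emulation of the era left the
 * marker's upper half untouched. Equal upper halves suggest VMware. */
int smsw_suggests_vmware(uint32_t marker, uint32_t after) {
    return (after >> 16) == (marker >> 16);
}

#if defined(__x86_64__)
struct idtr { uint16_t limit; uint64_t base; } __attribute__((packed));

/* SIDT in 64-bit mode writes a 2-byte limit and an 8-byte base. */
uint64_t read_idt_base(void) {
    struct idtr r;
    __asm__ volatile("sidt %0" : "=m"(r));
    return r.base;
}

/* SMSW r32 (0F 01 /4): store the machine status word over the marker. */
uint32_t run_smsw(uint32_t marker) {
    uint32_t v = marker;
    __asm__ volatile("smsw %0" : "+r"(v));
    return v;
}
#else
uint64_t read_idt_base(void)       { return 0; }
uint32_t run_smsw(uint32_t marker) { return marker; }
#endif

int main(void) {
    uint64_t base = read_idt_base();
    uint32_t marker = 0xCCCCCCCCu, word = run_smsw(marker);
    printf("IDT base: 0x%016llx -> Redpill byte 0x%02x -> class %d\n",
           (unsigned long long)base, redpill_top_byte(base),
           redpill_classify(redpill_top_byte(base)));
    printf("SMSW: 0x%08x -> 0x%08x, upper half %s\n", marker, word,
           smsw_suggests_vmware(marker, word) ? "unchanged (VMware-like)"
                                              : "overwritten (real CPU)");
    return 0;
}
```

On a 64-bit Linux host the IDT base is a kernel address whose bits 31:24 are 0xff or 0x00 regardless of virtualization, which is a concrete illustration of why Redpill did not survive the move to 64-bit any better than it survived multi-core.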
Methodology of our study with DSD-Tracer (#1)
DSD-Tracer
identifies obfuscating packers
combines dynamic and static analysis
Methodology of our study with DSD-Tracer (#2)
Methodology of our study with DSD-Tracer (#3)
Dynamic component
Instructions decoded before their execution
All CPU registers
Reads / writes to virtual / physical memory
Interrupts / exceptions generated
Instrumented virtual machine (Bochs)
Low-level information
Methodology of our study with DSD-Tracer (#4)
Static component
C++ interface
Python scripts
Match known techniques for detecting a VM
Automatic replication harness
Web-based automatic replication harness
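The static component matches known VM-detection techniques against code. To show what such a rule set looks like at the byte level, here is an added example (my code; DSD-Tracer's own rules are Python scripts and are not reproduced here). It sweeps raw code bytes for the instruction sequences behind the techniques on the earlier slides: the Virtual PC magic opcode, the VMware "VMXh"/port 0x5658 immediates, SIDT/SGDT/SLDT and SMSW. The rule names and the sample byte strings are constructed by me.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit flags for the rules that fired. */
enum vm_rule {
    RULE_VPC_MAGIC    = 1 << 0,  /* 0F 3F xx xx: Virtual PC communication channel */
    RULE_VMWARE_MAGIC = 1 << 1,  /* B8 68 58 4D 56: mov eax, 0x564D5868 ("VMXh") */
    RULE_VMWARE_PORT  = 1 << 2,  /* BA 58 56 00 00: mov edx, 0x5658 ("VX") */
    RULE_SIDT_SGDT    = 1 << 3,  /* 0F 01 /1 (SIDT) or /0 (SGDT) with a memory operand */
    RULE_SLDT         = 1 << 4,  /* 0F 00 /0 */
    RULE_SMSW         = 1 << 5   /* 0F 01 /4 */
};

static int starts_with(const uint8_t *p, size_t left, const uint8_t *pat, size_t n) {
    if (left < n) return 0;
    for (size_t i = 0; i < n; i++) if (p[i] != pat[i]) return 0;
    return 1;
}

/* Returns the OR of all rules matched anywhere in code[0..len). This is a byte
 * sweep, not a disassembly: it also fires on data that happens to contain these
 * sequences, which is one reason the paper pairs static rules with dynamic traces. */
unsigned scan_vm_detection(const uint8_t *code, size_t len) {
    static const uint8_t vmx_magic[] = {0xB8, 0x68, 0x58, 0x4D, 0x56};
    static const uint8_t vmx_port[]  = {0xBA, 0x58, 0x56, 0x00, 0x00};
    unsigned hits = 0;
    for (size_t i = 0; i < len; i++) {
        const uint8_t *p = code + i;
        size_t left = len - i;
        if (starts_with(p, left, vmx_magic, sizeof vmx_magic)) hits |= RULE_VMWARE_MAGIC;
        if (starts_with(p, left, vmx_port, sizeof vmx_port))   hits |= RULE_VMWARE_PORT;
        if (left >= 3 && p[0] == 0x0F) {
            uint8_t modrm = p[2], mod = modrm >> 6, reg = (modrm >> 3) & 7;
            if (p[1] == 0x3F && left >= 4)                    hits |= RULE_VPC_MAGIC;
            else if (p[1] == 0x01 && mod != 3 && reg <= 1)    hits |= RULE_SIDT_SGDT;
            else if (p[1] == 0x01 && reg == 4)                hits |= RULE_SMSW;
            else if (p[1] == 0x00 && reg == 0)                hits |= RULE_SLDT;
        }
    }
    return hits;
}

/* Constructed inputs (not from the paper): the four techniques and a clean prologue. */
static const uint8_t SAMPLE_VMWARE[] = {
    0xB8, 0x68, 0x58, 0x4D, 0x56,   /* mov eax, 0x564D5868 ("VMXh") */
    0xBB, 0x00, 0x00, 0x00, 0x00,   /* mov ebx, 0 */
    0xB9, 0x0A, 0x00, 0x00, 0x00,   /* mov ecx, 0x0A (get version) */
    0xBA, 0x58, 0x56, 0x00, 0x00,   /* mov edx, 0x5658 ("VX") */
    0xED };                         /* in eax, dx */
static const uint8_t SAMPLE_VPC[]     = { 0xBB, 0, 0, 0, 0, 0xB8, 1, 0, 0, 0,
                                          0x0F, 0x3F, 0x07, 0x0B };   /* VPC magic */
static const uint8_t SAMPLE_REDPILL[] = { 0x0F, 0x01, 0x0D, 0x00, 0x10, 0x40, 0x00,   /* sidt [0x401000] */
                                          0x8A, 0x05, 0x05, 0x10, 0x40, 0x00 };       /* mov al, [0x401005] */
static const uint8_t SAMPLE_SMSW[]    = { 0xB8, 0xCC, 0xCC, 0xCC, 0xCC,               /* mov eax, 0xCCCCCCCC */
                                          0x0F, 0x01, 0xE0 };                         /* smsw eax */
static const uint8_t SAMPLE_CLEAN[]   = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x33, 0xC0,
                                          0x8B, 0xE5, 0x5D, 0xC3 };   /* push ebp .. ret */

int main(void) {
    printf("vmware : 0x%02x\n", scan_vm_detection(SAMPLE_VMWARE,  sizeof SAMPLE_VMWARE));
    printf("vpc    : 0x%02x\n", scan_vm_detection(SAMPLE_VPC,     sizeof SAMPLE_VPC));
    printf("redpill: 0x%02x\n", scan_vm_detection(SAMPLE_REDPILL, sizeof SAMPLE_REDPILL));
    printf("smsw   : 0x%02x\n", scan_vm_detection(SAMPLE_SMSW,    sizeof SAMPLE_SMSW));
    printf("clean  : 0x%02x\n", scan_vm_detection(SAMPLE_CLEAN,   sizeof SAMPLE_CLEAN));
    return 0;
}
```

Packed samples defeat this kind of sweep until the code is unpacked in memory, which is exactly the gap the dynamic component fills: the same rules can be applied to the decoded-instruction stream recorded by the tracer rather than to the file on disk.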
Methodology of our study with DSD-Tracer (#5)
Case study: DSD-Tracer on Themida
Analyzing Themida with a traditional debugger or static techniques is troublesome
Instead: record the memory I/O during execution, then "dump" the sample for analysis in a static environment
Methodology of our study with DSD-Tracer (#6)
Justification for using DSD-Tracer
Coverage of packed samples
Low-level accuracy
Circumventing armouring techniques
Mitigating factors in using DSD-Tracer
No Bochs detection techniques were found in any sample
Throughput: 4 samples/hour, 5 samples taken from each set of packed files
85% of Themida samples contain VM-aware techniques
Methodology of our study with DSD-Tracer (#7)
Proof-of-concept experiment for DSD-Tracer on VMware
Cross-verified against multiple dynamic analyses
Implemented on VMware Workstation 6
Invisible breakpoints
GDB script for printing the assembly execution trace in user mode
Results (#1)
VM detection in packers
193 different packers, 400 packed samples
Overall VM detection rate is 1.15%
Themida accounting for 1.03%
ExeCryptor accounting for 0.15%
EncPk: custom packers
Results (#2)
VM detection in malware families
Static analysis rules: disassembly
Dynamic analysis rules: Sophos virus engine emulation
2 million known malicious files
A large set of known clean files
VM-aware samples < 1%
Method breakdown (Table 1)
Family breakdown (Table 2)
Dial/FlashL
Results (#3)
Results (#4)
Overlap between detection methods:
50% of samples using the VMware backdoor detection method also use the VPC illegal-instruction detection method
93% of samples using the VPC illegal-instruction detection method also use the VMware backdoor detection method
Results (#5)
Fig. 7 VMware backdoor detections in 2007
Results (#6)
Fig. 8 VPC backdoor detections in 2007
Conclusion
Combining dynamic and static analysis gives better coverage than either alone
2.13% of samples are VM-aware
Q&A
Appendix
VMware backdoor I/O port
On the Cutting Edge: Thwarting Virtual Machine Detection
Trapping worms in a virtual net
Comparison of VMware, Virtual PC and Bochs
http://hi.baidu.com/%CC%FA%D0%AC%B9%C3%C4%EF/blog/item/085cc609b215f3226b60fba5.html (Chinese-language version)
http://www.osnews.com/story/1054 (original English version)