Transparent Detection of Computer Malware using Virtualization
Authors
Abstract
In this paper, I explore malware detection using a combination of virtualization and storage-based intrusion detection techniques. By monitoring disk activity of a virtual machine and correlating that activity to knowledge of the filesystem structure on the virtual machine’s disk, an intrusion detection system can react to file changes immediately. Such a system can use a traditional antivirus scanner from the virtual machine monitor on just those files modified within the virtual machine, avoiding the effect of rootkits and other mechanisms that can obscure the view of software operating within the virtual machine, while minimizing unnecessary scanning. I have implemented such a detection system by modifying KVM for Linux, and have used it to observe and scan a Windows XP virtual machine with a FAT32 filesystem. The system was able to efficiently detect malware infections.
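The mechanism the abstract describes, as an added illustration that is not code from the paper or from its KVM modification: a hypervisor-side monitor receives the guest's raw sector writes, maps each written sector back to a file using the monitor's own copy of the FAT layout (FAT chain plus directory entries), marks that file dirty, and hands only dirty files to a signature scanner. Writes that land in the FAT or directory region are counted separately because they invalidate the sector-to-file map. The disk geometry, FAT chain, directory, disk contents and signature table are all constructed for this example; boot-sector and directory-entry parsing of real FAT32 is left out.

```python
"""Simplified model of storage-based malware detection from a VMM.

Constructed example: the guest writes go through on_write(), which applies
them to an in-memory disk image and marks the owning file dirty; scan_dirty()
then scans only those files.  Nothing here is the paper's implementation.
"""
from dataclasses import dataclass, field

SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 8
DATA_START_SECTOR = 2048           # sector holding cluster 2 (constructed layout)
FAT_REGION = range(32, 2048)       # FAT / root-directory sectors (constructed layout)
EOC = 0x0FFFFFF8                   # FAT32 end-of-chain: any value >= this

# Constructed FAT: cluster -> next cluster in the file's chain
FAT = {2: 3, 3: 0x0FFFFFFF, 4: 0x0FFFFFFF, 5: 6, 6: 0x0FFFFFFF}
# Constructed directory tree, flattened to path -> first cluster
DIRECTORY = {
    "/WINDOWS/system32/kernel32.dll": 2,
    "/autorun.inf": 4,
    "/Documents/report.doc": 5,
}
# Constructed signature table: byte pattern -> detection name
SIGNATURES = {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR-Test-File"}


def cluster_sectors(cluster):
    """Sectors occupied by one data cluster in the constructed layout."""
    first = DATA_START_SECTOR + (cluster - 2) * SECTORS_PER_CLUSTER
    return range(first, first + SECTORS_PER_CLUSTER)


def chain(first_cluster, fat):
    """Follow a FAT chain; a cyclic (corrupt) FAT terminates instead of looping."""
    seen, cluster = [], first_cluster
    while cluster < EOC and cluster not in seen:
        seen.append(cluster)
        cluster = fat.get(cluster, EOC)
    return seen


def build_sector_map(directory, fat):
    """Map every data sector to its owning path from the VMM's view of the FS."""
    sector_map = {}
    for path, first in directory.items():
        for cluster in chain(first, fat):
            for sector in cluster_sectors(cluster):
                sector_map[sector] = path
    return sector_map


@dataclass
class DiskMonitor:
    """Hooks guest block writes and tracks which files changed since last scan."""
    sector_map: dict
    fat: dict
    directory: dict
    disk: bytearray = field(default_factory=lambda: bytearray(4096 * SECTOR_SIZE))
    dirty: set = field(default_factory=set)
    metadata_writes: int = 0

    def on_write(self, sector, data):
        """Apply one guest sector write; return the affected path (None if none)."""
        if len(data) > SECTOR_SIZE:
            raise ValueError("write larger than a sector")
        start = sector * SECTOR_SIZE
        self.disk[start:start + len(data)] = data
        if sector in FAT_REGION:
            # FAT or directory changed: sector_map must be rebuilt before trusting it
            self.metadata_writes += 1
            return None
        path = self.sector_map.get(sector)
        if path is not None:
            self.dirty.add(path)
        return path

    def read_file(self, path):
        """Reassemble a file's bytes from the image by walking its cluster chain."""
        out = bytearray()
        for cluster in chain(self.directory[path], self.fat):
            for sector in cluster_sectors(cluster):
                out += self.disk[sector * SECTOR_SIZE:(sector + 1) * SECTOR_SIZE]
        return bytes(out)

    def scan_dirty(self, signatures=SIGNATURES):
        """Scan only dirty files; return {path: [detections]} and clear the set."""
        findings = {}
        for path in sorted(self.dirty):
            content = self.read_file(path)
            hits = [name for pattern, name in signatures.items() if pattern in content]
            if hits:
                findings[path] = hits
        self.dirty.clear()
        return findings


def demo():
    """Constructed session: benign write, a test signature written into autorun.inf,
    and one write into the FAT region."""
    mon = DiskMonitor(build_sector_map(DIRECTORY, FAT), FAT, DIRECTORY)
    mon.on_write(2048, b"MZ\x90\x00 constructed benign content")          # kernel32.dll
    mon.on_write(DATA_START_SECTOR + 2 * SECTORS_PER_CLUSTER,          # cluster 4
                 b"[autorun]\r\nEICAR-STANDARD-ANTIVIRUS-TEST-FILE\r\n")  # autorun.inf
    mon.on_write(100, b"\x00" * 16)                                       # FAT region
    return mon, mon.scan_dirty()


if __name__ == "__main__":
    monitor, result = demo()
    print(result, "metadata writes:", monitor.metadata_writes)
```

Two files are dirtied but only the one carrying the signature is reported, and the FAT-region write is counted rather than attributed to a file, which is the point of the approach: scanning work is proportional to what the guest actually changed, and the view comes from the VMM rather than from software inside the guest.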
Similar references
IntroLib: Efficient and transparent library call introspection for malware forensics
Dynamic malware analysis aims at revealing malware’s runtime behavior. To evade analysis, advanced malware is able to detect the underlying analysis tool (e.g., one based on emulation.) On the other hand, existing malware-transparent analysis tools incur significant performance overhead, making them unsuitable for live malware monitoring and forensics. In this paper, we present IntroLib, a prac...
Hubble: Transparent and Extensible Malware Analysis by Combining Hardware Virtualization and Software Emulation
Malware is actively making efforts to evade analysis. In particular, anti-emulation techniques have been deployed to defeat fine-grained dynamic analysis. Our evaluation of 150 real world malware samples revealed that 14 could not be analyzed by any of three popular emulation based analysis tools, Anubis [1], CWSandbox [3] and TEMU [5]. While these samples operated normally in KVM using hardware...
The Role Of Modeling And Simulation In Developing Secure Computing Environments
Simulating the operation of a computer’s applications can provide models of the computations, which can be used to detect malware. The need for a new approach to detecting malware arises from both the power and stealth of the current threat. In the last decade, attackers have shifted to using complex, multi-phase attacks based on subtle social engineering tactics coupled with advanced cryptogra...
Transparent System Introspection in Support of Analyzing Stealthy Malware
The proliferation of malware has increased dramatically and seriously degraded the privacy of users and the integrity of hosts. Millions of unique malware samples appear every year, which has driven the development of a vast array of analysis tools. Malware analysis is often performed with the assistance of virtualization or emulation for rapid deployment. Malware samples are run in an instrume...
Detecting System Emulators
Malware analysis is the process of determining the behavior and purpose of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques and removal tools. Security companies typically analyze unknown malware samples using simulated system environments (such as virtual machines or emulators). The reason is ...