IntroLib: Efficient and transparent library call introspection for malware forensics

Dynamic malware analysis aims at revealing malware's runtime behavior. To evade analysis, advanced malware is able to detect the underlying analysis tool (e.g., one based on emulation). On the other hand, existing malware-transparent analysis tools incur significant performance overhead, making them unsuitable for live malware monitoring and forensics. In this paper, we present IntroLib, a practical tool that traces user-level library calls made by malware with low overhead and high transparency. IntroLib is based on hardware virtualization and resides outside of the guest virtual machine where the malware runs. Our evaluation of an IntroLib prototype with 93 real-world malware samples shows that IntroLib is immune to emulation and API hooking detection by malware, uncovers more semantic information about malware behavior than system call tracing, and incurs low overhead (< 15% in all-but-one test case) in performance benchmark testing.