Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system

Malware is one of the biggest security threats on the Internet today and deploying effective defensive solutions requires the rapid analysis of a continuously increasing number of malware samples. With the proliferation of metamorphic malware the analysis is further complicated as the efficacy of signature-based static analysis systems is greatly reduced. While dynamic malware analysis is an effective alternative, the approach faces significant challenges as the ever increasing number of samples requiring analysis places a burden on hardware resources. At the same time modern malware can both detect the monitoring environment and hide in unmonitored corners of the system. In this paper we present DRAKVUF, a novel dynamic malware analysis system designed to address these challenges by building on the latest hardware virtualization extensions and the Xen hypervisor. We present a technique for improving stealth by initiating the execution of malware samples without leaving any trace in the analysis machine. We also present novel techniques to eliminate blind-spots created by kernel-mode rootkits by extending the scope of monitoring to include kernel internal functions, and to monitor file-system accesses through the kernel's heap allocations. With extensive tests performed on recent malware samples we show that DRAKVUF achieves significant improvements in conserving hardware resources while providing a stealthy, in-depth view into the behavior of modern malware.

[1]  Michael Vrable,et al.  Scalability, fidelity, and containment in the potemkin virtual honeyfarm , 2005, SOSP '05.

[2]  Wenke Lee,et al.  PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[3]  Wenke Lee,et al.  Secure and Flexible Monitoring of Virtual Machines , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[4]  Xuxian Jiang,et al.  Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction , 2007, CCS '07.

[5]  Christopher Krügel,et al.  Exploring Multiple Execution Paths for Malware Analysis , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[6]  Christopher Krügel,et al.  Limits of Static Analysis for Malware Detection , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[7]  Felix C. Freiling,et al.  Toward Automated Dynamic Malware Analysis Using CWSandbox , 2007, IEEE Secur. Priv..

[8]  Tzi-cker Chiueh,et al.  A Study of the Packer Problem and Its Solutions , 2008, RAID.

[9]  Wenke Lee,et al.  Ether: malware analysis via hardware virtualization extensions , 2008, CCS.

[10]  Christopher Krügel,et al.  A survey on automated dynamic malware-analysis techniques and tools , 2012, CSUR.

[11]  Abhinav Srivastava,et al.  Robust signatures for kernel data structures , 2009, CCS.

[12]  Eyal de Lara,et al.  SnowFlock: rapid virtual machine cloning for cloud computing , 2009, EuroSys '09.

[13]  Christopher Krügel,et al.  Efficient Detection of Split Personalities in Malware , 2010, NDSS.

[14]  Sascha Ossowski,et al.  Proceedings of the 2010 ACM Symposium on Applied Computing (SAC), Sierre, Switzerland, March 22-26, 2010 , 2010, SAC.

[15]  Kangbin Yim,et al.  Malware Obfuscation Techniques: A Brief Survey , 2010, 2010 International Conference on Broadband, Wireless Computing, Communication and Applications.

[16]  Christopher Krügel,et al.  Improving the efficiency of dynamic malware analysis , 2010, SAC '10.

[17]  Xuxian Jiang,et al.  Kernel Malware Analysis with Un-tampered and Temporal Views of Dynamic Kernel Memory , 2010, RAID.

[18]  Christopher Krügel,et al.  The power of procrastination: detection and mitigation of execution-stalling malicious code , 2011, CCS '11.

[19]  Xuxian Jiang,et al.  Process Implanting: A New Active Introspection Framework for Virtualization , 2011, 2011 IEEE 30th International Symposium on Reliable Distributed Systems.

[20]  James S. Okolica,et al.  Extracting Forensic Artifacts from Windows O/S Memory , 2011 .

[21]  Levente Buttyán,et al.  nEther: in-guest detection of out-of-the-guest malware analyzers , 2011, EUROSEC '11.

[22]  Vitaly Shmatikov,et al.  Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, Chicago, Illinois, USA, October 17-21, 2011 , 2011, CCS.

[23]  Wenke Lee,et al.  Secure and Robust Monitoring of Virtual Machines through Guest-Assisted Introspection , 2012, RAID.

[24]  Gabriel Negreira Barbosa,et al.  Scientific but Not Academical Overview of Malware Anti-Debugging , Anti-Disassembly and Anti-VM Technologies , 2012 .

[25]  Levente Buttyán,et al.  Duqu: Analysis, Detection, and Lessons Learned , 2012 .

[26]  Carsten Willems,et al.  CXPInspector: Hypervisor-Based, Hardware-Assisted System Monitoring , 2012 .

[27]  Aggelos Kiayias,et al.  Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning , 2013, NSS.

[28]  Zachary D. Hanif,et al.  BinaryPig : Scalable Static Binary Analysis Over Hadoop , 2013 .

[29]  Richard McClatchey,et al.  POSTER: Introducing pathogen: a real-time virtualmachine introspection framework , 2013, CCS.

[30]  Claudia Eckert,et al.  X-TIER: Kernel Module Injection , 2013, NSS.

[31]  Karem A. Sakallah,et al.  Detecting Traditional Packers, Decisively , 2013, RAID.

[32]  Xiangyu Zhang,et al.  SPIDER: stealthy binary program instrumentation and debugging via hardware virtualization , 2013, ACSAC.

[33]  Cuckoo Sandbox-open source automated malware analysis , .