BareCloud: Bare-metal Analysis-based Evasive Malware Detection

The volume and the sophistication of malware are continuously increasing and evolving. Automated dynamic malware analysis is a widely adopted approach for detecting malicious software. However, many recent malware samples try to evade detection by identifying the presence of the analysis environment itself and refraining from performing malicious actions. Because of the sophistication of the techniques used by malware authors, the analysis and detection of evasive malware have so far been largely a manual process. One approach to automatic detection of these evasive malware samples is to execute the same sample in multiple analysis environments and then compare its behaviors, on the assumption that a deviation in behavior is evidence of an attempt to evade one or more analysis systems. For this reason, it is important to provide a reference system (often called bare-metal) in which the malware is analyzed without the use of any detectable component. In this paper, we present BareCloud, an automated evasive malware detection system based on bare-metal dynamic malware analysis. Our bare-metal analysis system does not introduce any in-guest monitoring component into the malware execution platform. This makes our approach more transparent and robust against sophisticated evasion techniques. We compare the malware behavior observed in the bare-metal system with that observed in other popular malware analysis systems. We introduce a novel approach of hierarchical similarity-based malware behavior comparison to analyze the behavior of a sample across the various analysis systems. Our experiments show that our approach produces better evasion detection results than previous methods. BareCloud was able to automatically detect 5,835 evasive malware samples out of 110,005 recent samples.
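The comparison step the abstract describes (run one sample in several environments, compare the recorded behavior against the bare-metal reference, treat a large deviation as evidence of evasion) is illustrated below with an added example. This is not BareCloud's own code or the paper's exact metric: it assumes each behavior profile is a set of (category, operation, detail) triples and uses a simplified hierarchical similarity, per-operation Jaccard averaged within each top-level category and then across categories with optional per-category weights. The profiles, paths and address in it are constructed sample data.

```python
"""Added example: compare behaviour profiles of one sample recorded in several
analysis environments and flag deviation from the bare-metal reference.
The hierarchical similarity here is a simplified stand-in for the paper's
metric: per-operation Jaccard, averaged within each top-level category,
then averaged across categories with optional per-category weights.
All profiles, paths and addresses below are constructed sample data."""

# Constructed profiles. Each event is (category, operation, detail).
PROFILES = {
    "bare_metal": {
        ("file", "write", r"C:\Users\Public\drop.dll"),
        ("file", "write", r"C:\Users\Public\run.exe"),
        ("registry", "query", r"HKLM\HARDWARE\DESCRIPTION\System"),
        ("registry", "set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
        ("network", "connect", "198.51.100.7:443"),
        ("process", "create", r"C:\Users\Public\run.exe"),
    },
    # In the instrumented environments the sample stops early.
    "vm_sandbox": {
        ("file", "write", r"C:\Users\Public\drop.dll"),
        ("registry", "query", r"HKLM\HARDWARE\DESCRIPTION\System"),
        ("process", "exit", "0"),
    },
    "emulator": {
        ("file", "write", r"C:\Users\Public\drop.dll"),
        ("registry", "query", r"HKLM\HARDWARE\DESCRIPTION\System"),
        ("process", "exit", "0"),
    },
}


def build_tree(events):
    """Arrange flat events into category -> operation -> set(detail)."""
    tree = {}
    for category, operation, detail in events:
        tree.setdefault(category, {}).setdefault(operation, set()).add(detail)
    return tree


def jaccard(a, b):
    """Set similarity; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def hierarchical_similarity(events_a, events_b, weights=None):
    """Similarity in [0, 1] between two behaviour profiles.

    Leaf level: Jaccard over the details of each (category, operation) node.
    Middle level: mean of the leaf scores within a category.
    Root: weighted mean over categories (default weight 1.0 each).
    """
    tree_a, tree_b = build_tree(events_a), build_tree(events_b)
    categories = set(tree_a) | set(tree_b)
    if not categories:
        return 1.0
    weights = weights or {}
    weighted_sum, weight_total = 0.0, 0.0
    for category in categories:
        ops_a = tree_a.get(category, {})
        ops_b = tree_b.get(category, {})
        operations = set(ops_a) | set(ops_b)
        leaf_scores = [jaccard(ops_a.get(op, set()), ops_b.get(op, set()))
                       for op in operations]
        category_score = sum(leaf_scores) / len(leaf_scores)
        w = weights.get(category, 1.0)
        weighted_sum += w * category_score
        weight_total += w
    return weighted_sum / weight_total


def missing_behaviour(reference_events, other_events):
    """Events seen on the reference system but absent in the other one."""
    return sorted(reference_events - other_events)


def detect_evasion(profiles, reference="bare_metal", threshold=0.5, weights=None):
    """Compare every environment against the reference profile.

    Returns {environment: (similarity, deviates)}; deviates is True when the
    similarity falls below the threshold. A sample that deviates in any
    environment is a candidate evasive sample for manual review.
    """
    ref = profiles[reference]
    report = {}
    for env, events in profiles.items():
        if env == reference:
            continue
        sim = hierarchical_similarity(ref, events, weights)
        report[env] = (sim, sim < threshold)
    return report


def is_evasive(profiles, reference="bare_metal", threshold=0.5, weights=None):
    """True if the behaviour deviates from the reference in any environment."""
    report = detect_evasion(profiles, reference, threshold, weights)
    return any(deviates for _, deviates in report.values())


if __name__ == "__main__":
    for env, (sim, deviates) in detect_evasion(PROFILES).items():
        print(f"{env:11s} similarity={sim:.2f} deviates={deviates}")
        for event in missing_behaviour(PROFILES["bare_metal"], PROFILES[env]):
            print("   missing:", event)
    print("evasive:", is_evasive(PROFILES))
```

The two-level tree matters because a flat Jaccard over all events would let a few shared early events (the dropped file, the hardware query) mask the fact that whole categories such as network and persistence are absent in the instrumented environments; weighting categories lets an analyst make those categories count more. The threshold is a tuning parameter, not a value from the paper.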
