Detecting & Defeating Split Personality Malware

Security analysts rely heavily on virtual machines to analyse sample programs and determine whether they contain malware: if a sample destabilizes the guest OS, the analyst simply discards the VM and loads a fresh image, which keeps throughput high. Because ordinary users seldom run virtual machines, malware authors have learned that a sample running inside a VM is quite likely being analysed. When such analysis-aware malware detects the presence of a VM, it behaves benignly and so escapes detection; a determined analyst then ends up running the sample on a native machine, which lengthens the chase. In this paper we briefly discuss the techniques that analysis-aware malware, also known as split personality malware, uses to detect VMs. We then introduce our tool, which not only detects this category of malware but also fools it into believing it is running on a native machine even when it is running on a virtualized one, forcing it to exhibit its malicious form. Most security analysts should find this tool useful.
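As an added illustration (not the paper's tool, whose internals are not described on this page), the following Python sketch shows the kind of environment probes split personality malware relies on, a constructed sample that switches personality on them, and the two counter-measures the abstract names: flagging a sample that runs such probes, and feeding the probes native-looking answers so the sample shows its malicious form. The indicator values (the CPUID hypervisor-present bit, hypervisor vendor strings from CPUID leaf 0x40000000, DMI product names, virtual-NIC MAC OUIs) are well-known public artifacts; the host snapshots and every name below (`HostSnapshot`, `vm_indicators`, `mask_vm`, and so on) are this example's own, not the paper's.

```python
"""
Added illustration of VM-detection probes used by analysis-aware ("split
personality") malware and of the counter-measures against them.  Not the
paper's tool.  Indicator values are well-known public artifacts; the host
snapshots and the sample itself are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List

# CPUID leaf 0x40000000 vendor signatures (EBX:ECX:EDX, 12 bytes, NUL-padded).
HYPERVISOR_VENDORS = {
    "VMwareVMware": "VMware",
    "VBoxVBoxVBox": "VirtualBox",
    "KVMKVMKVM": "KVM",
    "Microsoft Hv": "Hyper-V",
    "XenVMMXenVMM": "Xen",
}
# SMBIOS / DMI product-name fragments that give the platform away.
DMI_MARKERS = ("VirtualBox", "VMware", "KVM", "QEMU", "Bochs", "Virtual Machine")
# MAC OUIs assigned to virtual NICs.
VIRTUAL_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox", "00:15:5D": "Hyper-V",
    "00:1C:42": "Parallels",
}
HV_PRESENT_BIT = 1 << 31  # CPUID.1:ECX bit 31, set by hypervisors that want to be found


@dataclass
class HostSnapshot:
    """Answers the host gives to the probes below (constructed, not live reads)."""
    cpuid1_ecx: int
    hv_vendor: str            # "" when leaf 0x40000000 is not implemented
    dmi_product: str
    mac_addresses: List[str]
    probes: List[str] = field(default_factory=list)   # fields the sample read

    def read(self, name: str):
        """Every read by the sample passes through here, so the analyst sees the probes."""
        self.probes.append(name)
        return getattr(self, name)


def vm_indicators(snap: HostSnapshot) -> List[str]:
    """Return the artifacts that reveal a VM; an empty list means 'looks native'."""
    hits = []
    if snap.read("cpuid1_ecx") & HV_PRESENT_BIT:
        hits.append("CPUID.1:ECX[31] hypervisor-present bit")
    vendor = snap.read("hv_vendor").rstrip("\0")
    if vendor in HYPERVISOR_VENDORS:
        hits.append(f"CPUID.40000000h vendor {vendor!r} ({HYPERVISOR_VENDORS[vendor]})")
    product = snap.read("dmi_product")
    for marker in DMI_MARKERS:
        if marker.lower() in product.lower():
            hits.append(f"DMI product name contains {marker!r}")
            break
    for mac in snap.read("mac_addresses"):
        oui = mac.upper()[:8]
        if oui in VIRTUAL_OUIS:
            hits.append(f"MAC OUI {oui} ({VIRTUAL_OUIS[oui]})")
    return hits


def split_personality_sample(snap: HostSnapshot) -> str:
    """Constructed stand-in for the malware: benign whenever any probe fires."""
    return "benign" if vm_indicators(snap) else "malicious"


def looks_analysis_aware(snap: HostSnapshot) -> bool:
    """Counter-measure 1: a sample that queried two or more hypervisor artifacts
    is flagged as split-personality, whatever behaviour it then showed."""
    sensitive = {"cpuid1_ecx", "hv_vendor", "dmi_product", "mac_addresses"}
    return len(sensitive & set(snap.probes)) >= 2


def mask_vm(snap: HostSnapshot) -> HostSnapshot:
    """Counter-measure 2: answer each probe with native-looking values.  A real
    VM-hiding layer does this by intercepting CPUID (which traps to the
    hypervisor), rewriting SMBIOS tables and re-assigning the NIC MAC; here the
    snapshot is rewritten.  Replacement values are constructed."""
    return HostSnapshot(
        cpuid1_ecx=snap.cpuid1_ecx & ~HV_PRESENT_BIT,
        hv_vendor="",
        dmi_product="Desktop Workstation",            # constructed
        # constructed OUI that is not in VIRTUAL_OUIS; host part of the MAC kept
        mac_addresses=["D4:3D:7E" + m[8:] for m in snap.mac_addresses],
    )


def analyse(snap: HostSnapshot) -> dict:
    """Run the sample unmasked, record whether it probed, then run it behind the mask."""
    unmasked = split_personality_sample(snap)
    flagged = looks_analysis_aware(snap)
    masked = split_personality_sample(mask_vm(snap))
    return {"unmasked": unmasked, "analysis_aware": flagged, "masked": masked}


# Constructed snapshots: a VirtualBox guest and a physical host.
VBOX_GUEST = HostSnapshot(0xFFFA3203, "VBoxVBoxVBox", "VirtualBox", ["08:00:27:4E:66:A1"])
NATIVE_HOST = HostSnapshot(0x7FFAFBFF, "", "Desktop Workstation", ["D4:3D:7E:12:34:56"])

if __name__ == "__main__":
    print(analyse(VBOX_GUEST))   # {'unmasked': 'benign', 'analysis_aware': True, 'masked': 'malicious'}
    print(analyse(NATIVE_HOST))  # {'unmasked': 'malicious', 'analysis_aware': True, 'masked': 'malicious'}
```

Two caveats a practitioner should keep in mind. The hypervisor-present bit is the cheapest probe and also the cheapest to hide (QEMU/KVM lets you drop the `hypervisor` CPUID flag from the guest's CPU model), so a sample that relies on it alone is easy to fool, whereas timing probes (for example measuring the cost of a trapping instruction such as CPUID) are not addressed by rewriting static answers at all. And the probe-counting detector above flags any program that reads these artifacts, including legitimate inventory or driver software, so it is a triage signal, not a verdict.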
