Annual Computer Security Applications Conference 2011 Technical Track Papers

BareBox: Efficient Malware Analysis on Bare-Metal

Present-day malware analysis techniques use both virtualized and emulated
environments to analyze malware. The reason is that such environments provide
isolation and system-restore capabilities, which facilitate automated
analysis of an increasing number of malware samples. However, there exists a
class of malware, called VM-aware malware, that is capable of detecting such
environments and then hiding its malicious behavior to foil the analysis.
Because of the artifacts introduced by additional virtualization or emulation
layers, it has always been and will always be possible for malware to detect
virtual environments.

The definitive way to observe the actual behavior of VM-aware malware is to execute it
in a system running on real hardware, which is called a "bare-metal" system.
However, after each analysis, the system must be restored to the previous
clean state. This is because running a malware program can leave the system in
an unstable state and/or interfere with the results of a subsequent analysis
run. Most of the available state-of-the-art system-restore solutions are based
on disk restoring and require a system reboot. This results in significant
downtime between analyses. Because of this limitation, efficient automation
of malware analysis in bare-metal systems has been a challenge.

This paper presents the design, implementation, and evaluation of a malware
analysis framework for bare-metal systems that is based on a fast and rebootless
system restore technique. Live system restore is accomplished by restoring the
entire physical memory of the analysis operating system from another, small
operating system that runs outside of the target OS. By using this technique, we
were able to perform a rebootless restore of a live Windows system, running on
commodity hardware, within four seconds. We also analyzed 42 malware samples from
seven different malware families that are known to be "silent" in
virtualized or emulated environments, and all of them showed their true
malicious behavior within our bare-metal analysis environment.

Author(s):

Dhilung Kirat
University of California, Santa Barbara
United States

Giovanni Vigna
University of California, Santa Barbara
United States

Christopher Kruegel
University of California, Santa Barbara
United States
