Boris Lau, Vanja Svajcer (Sophoslabs), Journal in Computer Virology, 2008. Slide transcript.

Outline (slide 2)
- Introduction
- Virtual machine detection methods
- Methodology of our study with DSD-Tracer
- Results
- Conclusion

Introduction #1 (slide 3)
- Virtual machine technology was first implemented by IBM
- It now gets more attention from virus writers and computer security researchers
- If it detects a VM, VM-aware malware behaves like a normal program
- If the proportion of such malware is > 0.1%, developing an environment that can successfully analyze VM-aware malware is important

Introduction #2 (slide 4)
- The most common security use cases for VMs: software vulnerability research, malware analysis, honeypots

Virtual machine detection methods #1 (slide 5)
- If a VM is detected, the malware will stop its execution or launch a specially crafted payload
- Seen in: Zlob Trojans, IRC bots, executable packers

Virtual machine detection methods #2 (slide 6)
- Detection of running under MS Virtual PC using the VPC communication channel
- Communication between the guest OS and the VMM
- Exceptions due to the opcode sequences 0x0f 0x3f / 0x0f 0xc7 0xc8
- Calls different VMM services: 0x07, 0x0B

Invalid instruction VPC communication channel detection (slide 7)

Virtual machine detection methods #3 (slide 8)
- Detection of running under VMware using the VMware control API
- VMware backdoor communication: guest-to-host communication channel
- IN instruction on port 0x5658
- eax = 0x564D5868 ("VMXh")
- ebx = function number

(slide 9, no text transcribed)

Anti-VMware prevention: virtual machine initialization settings (slide 10)

Virtual machine detection methods #4 (slide 11)
- Redpill, using SIDT, SGDT or SLDT
- The SxxT x86 instructions return the contents of the sensitive register
- IDT base in VMware is 0xffXXXXXX; IDT base in Virtual PC is 0xe8XXXXXX
- Compare with 0xd0
- Invalid on multiprocessor systems

Redpill (slide 12)

Virtual machine detection methods #5 (slide 13)
- SMSW VMware detection
- Store Machine Status Word (SMSW) instruction
- Returns a 16-bit result into a 32-bit register: upper 16 bits undefined + 16-bit result
- In VMware, the top 16 bits don't change

SMSW VMware detection code (slide 14)
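Slides 11 to 14 give the Redpill and SMSW heuristics but not how the raw probe results are read. As an added example that is not code from the paper or from DSD-Tracer, the Python below decodes the 6-byte memory image SIDT stores, applies the thresholds quoted on the slides (VMware 0xff, Virtual PC 0xe8, Redpill's "> 0xd0"), shows why the multiprocessor caveat on slide 11 makes a single sample unreliable, and applies the SMSW upper-16-bits observation from slide 13. All register values are constructed and the function names are this example's own.

```python
"""Decoding Redpill (SIDT) and SMSW probe results.

Added example, not code from the paper or from DSD-Tracer: maps the raw values
these probes return (as an instrumented VM would record them) onto the
heuristics quoted on slides 11-14.  All sample register values are constructed.
"""
import struct

# Heuristics quoted on the slides
VMWARE_IDT_TOP_BYTE = 0xFF      # IDT base 0xffXXXXXX under VMware
VIRTUALPC_IDT_TOP_BYTE = 0xE8   # IDT base 0xe8XXXXXX under Virtual PC
REDPILL_THRESHOLD = 0xD0        # Redpill: top byte of the base > 0xd0 => "in a VM"


def sidt_result(limit: int, base: int) -> bytes:
    """Build the 6-byte image SIDT stores on 32-bit x86: 16-bit limit, 32-bit base."""
    return struct.pack("<HI", limit, base)


def idt_base(sidt_bytes: bytes) -> int:
    """Extract the IDT base address from a 6-byte SIDT result."""
    _limit, base = struct.unpack("<HI", sidt_bytes[:6])
    return base


def redpill_verdict(sidt_bytes: bytes) -> str:
    """Classify one SIDT result with the slide's heuristics."""
    top = idt_base(sidt_bytes) >> 24          # most significant byte of the base
    if top == VMWARE_IDT_TOP_BYTE:
        return "vmware"
    if top == VIRTUALPC_IDT_TOP_BYTE:
        return "virtualpc"
    if top > REDPILL_THRESHOLD:
        return "vm-unknown"
    return "native"


def redpill_consensus(samples: list) -> str:
    """Redpill on a multiprocessor system: every CPU has its own IDT, so a probe
    scheduled on different CPUs sees different bases.  Only a unanimous verdict
    across the samples is accepted; anything else is reported as inconclusive."""
    verdicts = {redpill_verdict(s) for s in samples}
    return verdicts.pop() if len(verdicts) == 1 else "inconclusive"


def smsw_verdict(reg_before: int, reg_after: int) -> str:
    """SMSW r32 writes a 16-bit machine status word into a 32-bit register.
    The slide's observation: under VMware the upper 16 bits are left untouched,
    so preloading the register with a marker and checking whether the marker
    survives separates VMware from native execution."""
    if (reg_after >> 16) == (reg_before >> 16):
        return "vmware-like"
    return "native-like"


if __name__ == "__main__":
    # Constructed samples: one VMware-looking IDT base, one native-looking one
    print(redpill_verdict(sidt_result(0x07FF, 0xFF8D7000)))   # vmware
    print(redpill_verdict(sidt_result(0x07FF, 0x80B95400)))   # native
    # Two native CPUs whose IDT bases straddle the 0xd0 threshold
    print(redpill_consensus([sidt_result(0x07FF, 0x80B95400),
                             sidt_result(0x07FF, 0xD1000000)]))  # inconclusive
    print(smsw_verdict(0xABCD0000, 0xABCD0033))               # vmware-like
```

The consensus function is the practical form of the "invalid in multiprocessor systems" remark: an analyst reading a DSD-Tracer style trace should treat a single SIDT sample above the threshold as a lead, not as a verdict.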

Methodology of our study with DSD-Tracer #1 (slide 15)
- DSD-Tracer identifies obfuscation packers
- Combines dynamic and static analysis

Methodology of our study with DSD-Tracer #2 (slide 16)

Methodology of our study with DSD-Tracer #3 (slide 17)
- Dynamic component: an instrumented virtual machine that records low-level information
- Instructions decoded before their execution
- All CPU registers
- Reads/writes to virtual/physical memory
- Interrupts/exceptions generated

Methodology of our study with DSD-Tracer #4 (slide 18)
- Static component: C++ interface, Python scripts
- Matches known techniques for detecting VMs
- Automatic replication harness; web-based automatic replication harness
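Slide 18's static component matches known VM-detection techniques. As an added example that is not DSD-Tracer's code (its rules run over a disassembly; this one runs over raw bytes, which is simpler but prone to false positives from data that happens to look like opcodes), the Python below flags the patterns described on slides 6, 8, 11 and 13 in a byte buffer and rolls them up into the method categories the results slides use. The sample buffer is hand-assembled for this example and the function names are assumptions.

```python
"""Static rules for the VM-detection techniques listed in this deck.

Added example, not DSD-Tracer's own static component: a byte-pattern scanner for
the VPC opcode sequences (0F 3F, 0F C7 C8), the VMware backdoor constants
(EAX = 0x564D5868 'VMXh', port 0x5658) and the Redpill/SMSW register probes.
The sample buffer is hand-assembled for this example.
"""
from __future__ import annotations
import struct

VMWARE_MAGIC = 0x564D5868   # 'VMXh', loaded into EAX before the backdoor IN
VMWARE_PORT = 0x5658        # backdoor I/O port, loaded into (E)DX

# 0F 01 /r and 0F 00 /r: the ModRM reg field selects the instruction
_GROUP7 = {0: "sgdt", 1: "sidt", 4: "smsw"}   # 0F 01
_GROUP6 = {0: "sldt"}                           # 0F 00


def scan_vm_detection(buf: bytes) -> list[tuple[int, str]]:
    """Return (offset, pattern) pairs for every VM-detection pattern found in buf.

    Opcode bytes also occur inside data, so each hit is a lead for an analyst
    (or for dynamic confirmation), not proof of a VM check on its own.
    """
    hits = []
    i, n = 0, len(buf)
    while i < n:
        b = buf[i]
        # mov eax, imm32 / mov edx, imm32 carrying the VMware backdoor constants
        if b in (0xB8, 0xBA) and i + 5 <= n:
            imm = struct.unpack_from("<I", buf, i + 1)[0]
            if b == 0xB8 and imm == VMWARE_MAGIC:
                hits.append((i, "vmware-backdoor-magic")); i += 5; continue
            if b == 0xBA and imm == VMWARE_PORT:
                hits.append((i, "vmware-backdoor-port")); i += 5; continue
        # 66 BA imm16: mov dx, 0x5658 (16-bit operand size)
        if (b == 0x66 and i + 4 <= n and buf[i + 1] == 0xBA
                and struct.unpack_from("<H", buf, i + 2)[0] == VMWARE_PORT):
            hits.append((i, "vmware-backdoor-port")); i += 4; continue
        if b == 0x0F and i + 1 < n:
            b2 = buf[i + 1]
            if b2 == 0x3F:                     # VPC communication channel opcode
                hits.append((i, "vpc-opcode-0f3f")); i += 2; continue
            if b2 == 0xC7 and i + 2 < n and buf[i + 2] == 0xC8:
                # register form of CMPXCHG8B: invalid encoding, raises #UD natively
                hits.append((i, "invalid-opcode-0fc7c8")); i += 3; continue
            if b2 in (0x00, 0x01) and i + 2 < n:
                modrm = buf[i + 2]
                reg, mod = (modrm >> 3) & 7, modrm >> 6
                table = _GROUP7 if b2 == 0x01 else _GROUP6
                name = table.get(reg)
                # SGDT/SIDT take a memory operand only; mod == 3 encodes other things
                if name in ("sgdt", "sidt") and mod == 3:
                    name = None
                if name:
                    hits.append((i, name)); i += 3; continue
        i += 1
    return hits


def techniques(buf: bytes) -> set[str]:
    """Roll pattern hits up into the method categories the results slides use."""
    names = {name for _, name in scan_vm_detection(buf)}
    found = set()
    if {"vmware-backdoor-magic", "vmware-backdoor-port"} <= names:
        found.add("VMware backdoor")
    if names & {"vpc-opcode-0f3f", "invalid-opcode-0fc7c8"}:
        found.add("VPC illegal instruction")
    if names & {"sidt", "sgdt", "sldt"}:
        found.add("Redpill")
    if "smsw" in names:
        found.add("SMSW")
    return found


# Constructed sample: hand-assembled x86 bytes exercising every rule above
SAMPLE = bytes.fromhex(
    "b868584d56"      # mov eax, 0x564D5868      (offset 0)
    "bb0a000000"      # mov ebx, 0x0a            (offset 5)
    "b90a000000"      # mov ecx, 0x0a            (offset 10)
    "ba58560000"      # mov edx, 0x5658          (offset 15)
    "ed"              # in eax, dx               (offset 20)
    "0f010d00104000"  # sidt [0x401000]          (offset 21)
    "0f3f070b"        # VPC channel opcode       (offset 28)
    "0fc7c8"          # invalid cmpxchg8b form   (offset 32)
    "0f01e0"          # smsw eax                 (offset 35)
    "0f00c0"          # sldt eax                 (offset 38)
)

if __name__ == "__main__":
    for off, name in scan_vm_detection(SAMPLE):
        print(f"{off:4d}: {name}")
    print(sorted(techniques(SAMPLE)))
```

The VMware category requires both the magic and the port constant, so a stray 'VMXh' string in a data section does not count on its own; the paper's own conclusion, that dynamic and static analysis combined beat either alone, is the answer to the false positives a raw byte scanner like this one produces.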

Methodology of our study with DSD-Tracer #5 (slide 19)
- Case study: DSD-Tracer on Themida
- Analyzing Themida with a traditional debugger or static techniques is troublesome
- Recording memory I/O; dumping the sample in a static environment

Methodology of our study with DSD-Tracer #6 (slide 20)
- Justification for using DSD-Tracer: coverage of packed samples; low-level accuracy; circumventing armour techniques
- Mitigating factors in using DSD-Tracer: no Bochs detection techniques in any sample; 4 samples/hour, 5 samples from each set of packed files; 85% of Themida samples with VM-aware techniques

Methodology of our study with DSD-Tracer #7 (slide 21)
- Proof-of-concept experiment for DSD-Tracer on VMware
- Cross-verified against multiple dynamic analyses
- Implemented on VMware Workstation 6
- Invisible breakpoint
- GDB script for printing the assembly execution trace in user mode

Results #1 (slide 22)
- VM detection in packers: 193 different packers, 400 packed samples
- Overall VM detection rate is 1.15%: Themida accounting for 1.03%, ExeCryptor accounting for 0.15%
- EncPk custom packers

Results #2 (slide 23)
- VM detection in malware families
- Static analysis rules: disassembly
- Dynamic analysis rules: Sophos virus engine emulation
- 2 million known malicious files and a large set of known clean files
- VM-aware samples < 1%
- Method breakdown: Table 1. Family breakdown: Table 2. Dial/FlashL

Results #3 (slide 24)

Results #4 (slide 25; chart legend text)
- VMware backdoor detection method 50%, VPC illegal instruction detection method
- VPC illegal instruction detection method 93%, VMware backdoor detection method

Results #5 (slide 26)
Fig. 7 VMware backdoor detection in

Results #6 (slide 27)
Fig. 8 VPC backdoor detections in

Conclusion (slide 28)
- A combination of dynamic and static analysis is better
- 2.13% VM-aware samples

Q & A (slide 29)

Appendix (slide 30)
- VMware backdoor I/O port
- On the Cutting Edge: Thwarting Virtual Machine Detection
- Trapping worm in a virtual net
- VM Virtual PC Bochs
- F/blog/item/085cc609b215f3226b60fba5.html

Thanks ~ (slide 31)