DocumentCode
3239815
Title
A new mechanism for preventing HVM-Aware Malware
Author
Li, Heshuai ; Zhu, Junhu ; Zhou, Tianyang ; Wang, Qingxian
Author_Institution
Nat. Digital Switching Syst. Eng. & Technol. Res. Center (NDSC), Zhengzhou, China
fYear
2011
fDate
27-29 May 2011
Firstpage
163
Lastpage
167
Abstract
Hardware-based Virtual Machine (HVM), for its high efficiency and good simulation, has played an important role in the course of building honeypots and debuggers. But some malware, called HVM-Aware Malware, can identify the virtualized environment in which it is running and then stop itself to avoid being analysed. One of the most efficient HVM-Aware technologies is called "Counter-Based Detection". It's a very risky challenge to HVM-based honeypots and debuggers. In this paper a new mechanism based on operation interception and return value distortion is presented to solve this problem; it can prevent HVM from being identified so that it can protect honeypots and debuggers very well. Finally, some experiments demonstrate the effectiveness and practicality of the mechanism.
Keywords
invasive software; virtual machines; HVM-aware malware prevention; HVM-based debuggers; HVM-based honeypots; counter-based detection; hardware-based virtual machine; operation interception; return value distortion; Hardware; Security; Workstations; Counter-Based Detection; Hardware Virtualization; Operation Interception;
fLanguage
English
Publisher
ieee
Conference_Titel
Communication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on
Conference_Location
Xi'an
Print_ISBN
978-1-61284-485-5
Type
conf
DOI
10.1109/ICCSN.2011.6014696
Filename
6014696