• DocumentCode
    2908482
  • Title
    Malware Virtualization-Resistant Behavior Detection
  • Author
    Sun, Ming-Kung ; Lin, Mao-Jie ; Chang, Michael ; Laih, Chi-Sung ; Lin, Hui-Tang
  • Author_Institution
    Inst. for Comput. & Commun. Eng., Nat. Cheng Kung Univ., Tainan, Taiwan
  • fYear
    2011
  • fDate
    7-9 Dec. 2011
  • Firstpage
    912
  • Lastpage
    917
  • Abstract
    Many researchers monitor malicious software (malware) behavior using Virtual Machines (VMs) to protect the underlying operating system. In a virtual machine, the malware monitor process runs at the same layer as the real system, so the monitor can collect detailed behavior information without being discovered. Malware authors employ Anti-VM techniques to ward off collection, analysis and reverse engineering of their malicious programs; as a result, malware researchers may obtain inaccurate analyses from VM-aware programs. This paper presents a solution for detecting Anti-VM techniques. We collect behavioral information from malware and use an enhanced behavior distance algorithm to calculate the difference between real and virtual environments, in order to determine whether the malware has Anti-VM capability. Our experiments show that this algorithm works well. This idea can improve malware analysis results and reduce malware misdetection.
  • Keywords
    invasive software; virtual machines; virtualisation; behavior distance algorithm; malicious programs; malicious software; malware analysis; malware misdetection; malware virtualization-resistant behavior detection; operating system; reverse engineering; virtual machines; Algorithm design and analysis; Biomedical monitoring; Malware; Monitoring; Software; Virtual environments; Virtual machining
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Parallel and Distributed Systems (ICPADS), 2011 IEEE 17th International Conference on
  • Conference_Location
    Tainan
  • ISSN
    1521-9097
  • Print_ISBN
    978-1-4577-1875-5
  • Type
    conf
  • DOI
    10.1109/ICPADS.2011.78
  • Filename
    6121379