Title :
Malware Virtualization-Resistant Behavior Detection
Author :
Sun, Ming-Kung ; Lin, Mao-Jie ; Chang, Michael ; Laih, Chi-Sung ; Lin, Hui-Tang
Author_Institution :
Inst. for Comput. & Commun. Eng., Nat. Cheng Kung Univ., Tainan, Taiwan
Abstract :
Many researchers monitor malicious software (malware) behavior using Virtual Machines (VMs) to protect the underlying operating system. With virtual machines, the malware monitor process exists at the same layer as the real system, so the monitor can obtain detailed behavior information without being discovered. Malware authors employ a number of Anti-VM techniques to ward off collection, analysis and reverse engineering of their malicious programs; malware researchers may therefore obtain inaccurate analysis results from VM-aware programs. This paper presents a solution for detecting Anti-VM techniques. We collect behavioral information from malware and use an enhanced behavior distance algorithm to calculate the difference between its behavior in real and virtual environments, which distinguishes whether the malware has Anti-VM capability. Our experiments show that this algorithm works well. This approach can improve malware analysis results and reduce malware misdetection.
Keywords :
invasive software; virtual machines; virtualisation; behavior distance algorithm; malicious programs; malicious software; malware analysis; malware misdetection; malware virtualization-resistant behavior detection; operating system; reverse engineering; virtual machines; Algorithm design and analysis; Biomedical monitoring; Malware; Monitoring; Software; Virtual environments; Virtual machining;
Conference_Title :
2011 IEEE 17th International Conference on Parallel and Distributed Systems (ICPADS)
Conference_Location :
Tainan
Print_ISBN :
978-1-4577-1875-5
DOI :
10.1109/ICPADS.2011.78