DocumentCode :
3337851
Title :
Implicit detection of stealth software with a local-booted virtual machine
Author :
Wen, Yan ; Huang, Minhuan ; Zhao, Jinjing ; Kuang, Xiaohui
Author_Institution :
Beijing Inst. of Syst. Eng., Beijing, China
fYear :
2010
fDate :
23-25 June 2010
Firstpage :
152
Lastpage :
157
Abstract :
Resource hiding is commonly used by stealth malware to evade detection by anti-malware scanners. In this paper we present the design, implementation, and evaluation of Libra, a new VM-based approach to detecting stealth malware. Building on the local-booting technology of our previous work, the Secure Virtual Execution Environment, the Libra VM boots from the underlying host OS rather than from a freshly installed OS image; consequently, Libra reproduces the software environment of the preinstalled OS exactly inside the Libra VM. In addition, we propose a set of techniques for implicitly constructing a trusted OS-level semantic view of resources from within the virtualized hardware layer, so that Libra does not depend on guest-supplied information, which privileged guest malware can subvert. Libra therefore offers a practical way to detect stealth malware already present in the host OS. We have implemented a prototype of Libra on Windows, and our evaluation with real-world rootkits demonstrates the practicality and effectiveness of the approach.
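The cross-view idea in the abstract (compare what the guest OS reports against a view rebuilt from raw hardware-level state, so that a rootkit which hides a resource from the OS cannot hide it from the low-level view) can be illustrated with the following added Python example. It is not Libra's code and does not follow the paper's implementation: it uses a constructed memory image with a hypothetical 32-byte process record (tag, pid, flink, blink, name) and contrasts a linked-list walk, the kind of OS-level view a DKOM unlink defeats, with a tag-carving scan over the raw bytes that needs no guest cooperation. All offsets, names and pids are constructed sample data.

```python
import struct

TAG = b"PROC"
ENTRY_FMT = "<4sIII16s"                  # tag, pid, flink, blink, name (hypothetical layout)
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 32 bytes
IMAGE_SIZE = 0x4000


def build_image(procs, hidden_pids):
    """Build a constructed 'physical memory' image for the example.

    procs: list of (offset, pid, name). Every record is written into the image,
    but only records whose pid is NOT in hidden_pids are linked into the
    circular active-process list. The hidden records keep pointers into the
    list while nothing points back at them, which is what a DKOM-style
    unlink leaves behind in memory.
    """
    img = bytearray(IMAGE_SIZE)
    visible = [p for p in procs if p[1] not in hidden_pids]
    for i, (off, pid, name) in enumerate(visible):
        flink = visible[(i + 1) % len(visible)][0]
        blink = visible[(i - 1) % len(visible)][0]
        img[off:off + ENTRY_SIZE] = struct.pack(ENTRY_FMT, TAG, pid, flink, blink, name.encode())
    for off, pid, name in procs:
        if pid in hidden_pids:
            img[off:off + ENTRY_SIZE] = struct.pack(
                ENTRY_FMT, TAG, pid, visible[0][0], visible[-1][0], name.encode())
    return bytes(img)


def read_entry(img, off):
    tag, pid, flink, blink, name = struct.unpack_from(ENTRY_FMT, img, off)
    return tag, pid, flink, blink, name.rstrip(b"\0").decode()


def list_walk_view(img, head, max_entries=1024):
    """Guest-style view: follow flink from the list head until the list wraps.

    This mirrors how an OS enumerates its own objects and is exactly what a
    rootkit defeats by unlinking its object. max_entries bounds the walk so a
    corrupted list cannot loop forever.
    """
    view, off = {}, head
    for _ in range(max_entries):
        if off + ENTRY_SIZE > len(img):
            break
        tag, pid, flink, _, name = read_entry(img, off)
        if tag != TAG:
            break
        view[pid] = name
        off = flink
        if off == head:
            break
    return view


def carve_view(img, align=4):
    """Hardware-level view: ignore the OS list and carve every well-formed
    record out of raw memory by its tag (the idea behind pool-scanning tools).
    The pointer sanity checks keep stray tag bytes from being reported."""
    def in_bounds(p):
        return p % align == 0 and p + ENTRY_SIZE <= len(img)

    view = {}
    for off in range(0, len(img) - ENTRY_SIZE + 1, align):
        if img[off:off + 4] != TAG:
            continue
        _, pid, flink, blink, name = read_entry(img, off)
        if not (in_bounds(flink) and in_bounds(blink)):
            continue
        if read_entry(img, flink)[0] != TAG or read_entry(img, blink)[0] != TAG:
            continue
        view[pid] = name
    return view


def cross_view_diff(img, head):
    """Resources present in the trusted low-level view but absent from the
    guest view are the hidden ones."""
    trusted = carve_view(img)
    guest = list_walk_view(img, head)
    return {pid: name for pid, name in trusted.items() if pid not in guest}


# Constructed sample data: five process records, one of them unlinked.
PROCS = [(0x0100, 4, "System"), (0x0800, 312, "smss.exe"),
         (0x1240, 1020, "explorer.exe"), (0x2000, 1337, "rk_dropper.exe"),
         (0x30a0, 2204, "notepad.exe")]
HEAD = 0x0100


def demo():
    img = build_image(PROCS, hidden_pids={1337})
    return cross_view_diff(img, HEAD)


if __name__ == "__main__":
    print(demo())   # {1337: 'rk_dropper.exe'}
```

The diff is only as trustworthy as the low-level view: a carving scan also picks up freed-but-not-overwritten objects, so real tools apply more field checks than the two pointer tests above before reporting a hit, and an attacker who knows the scanner's checks can corrupt exactly those fields. Reconstructing the view from outside the guest, as the abstract describes, removes the guest's ability to lie about the list but not the need for such validation.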
Keywords :
Computer science; Computer security; Detectors; Hardware; Information security; Information systems; Laboratories; Resource virtualization; Virtual machining; Virtual manufacturing; stealth malware; virtual machine;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Information Sciences and Interaction Sciences (ICIS), 2010 3rd International Conference on
Conference_Location :
Chengdu, China
Print_ISBN :
978-1-4244-7384-7
Electronic_ISBN :
978-1-4244-7386-1
Type :
conf
DOI :
10.1109/ICICIS.2010.5534733
Filename :
5534733