Detecting VM-Aware Malware by Discovering Divergence Points

Bibliographic Details
Main Authors: Shih, Fan-Syun, 施汎勳
Other Authors: 謝續平
Format: Others
Language: en_US
Published: 2010
Online Access: http://ndltd.ncl.edu.tw/handle/51220913784720768957
id ndltd-TW-098NCTU5726034
record_format oai_dc
spelling ndltd-TW-098NCTU5726034 (record updated 2016-04-18T04:21:39Z) http://ndltd.ncl.edu.tw/handle/51220913784720768957 Detecting VM-Aware Malware by Discovering Divergence Points (Chinese title: 利用程式分歧點尋找以偵測虛擬機器感知的惡意軟體, "Finding program divergence points to detect virtual-machine-aware malware"). Shih, Fan-Syun (施汎勳). Master's thesis, 國立交通大學 (National Chiao Tung University), 網路工程研究所 (Institute of Network Engineering), academic year 98 (2009-2010). Advisor: 謝續平. Published 2010. 學位論文 (thesis), extent 42. en_US. Abstract: see the description field of this record.
collection NDLTD
language en_US
format Others
sources NDLTD
description Master's thesis === 國立交通大學 (National Chiao Tung University) === 網路工程研究所 (Institute of Network Engineering) === academic year 98 (2009-2010) === A virtualized execution environment has been demonstrated to be an effective mechanism for malware behavior analysis. To resist analysis, evolved malware is often equipped with VM (virtual machine) detection capabilities: by identifying its execution environment, such VM-aware malware can hide its real intention and circumvent VM-based analysis. This thesis proposes a novel approach to this problem. By comparing the execution coverage of a suspicious sample run multiple times in different virtual machines, divergence points caused by a particular virtualized environment can be discovered. Such divergences are highly suspicious, since a benign program does not distinguish between host environments. To evaluate the effectiveness of the system, four VM-aware malware programs and seven VM-detection samples were analyzed; the experimental results showed that the system captures all divergence points caused by these VM-detection techniques. Discovering these divergence points is valuable not only for identifying malware but also for amending existing VM-based analysis environments.
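The abstract describes the core idea only in outline: collect execution coverage of the same sample in several environments, run it repeatedly in each so that ordinary nondeterminism can be told apart from environment-dependent behaviour, and report the blocks where the paths split. The following is an added illustration of that comparison, not code from the thesis or its analysis system. It assumes per-run traces of basic-block start addresses (as an instrumented VM or a tracing tool would produce), and the traces, environment names and addresses below are constructed for the example. A block is reported as environment-specific for an ordered pair (A, B) only if every run in A executed it and no run in B did; the divergence site is the last block shared with B before the first such block.

```python
"""Coverage-divergence detection across execution environments.

Added example (not the thesis's own code). Traces are ordered lists of
basic-block addresses, one list per run, grouped by environment. Blocks
that appear in only some runs of the same environment are treated as
nondeterministic noise and never reported.
"""
from itertools import permutations

# Constructed sample traces. Block 0x1010 models an environment check;
# 0x1020 is the decoy path taken when a VM is detected, 0x1030..0x1050
# the real payload path. Block 0x1070 is hit only on some runs in every
# environment and stands in for timing- or scheduling-dependent code.
SAMPLE_TRACES = {
    "bare_metal": [
        [0x1000, 0x1010, 0x1030, 0x1040, 0x1050, 0x1090],
        [0x1000, 0x1010, 0x1030, 0x1070, 0x1040, 0x1050, 0x1090],
        [0x1000, 0x1010, 0x1030, 0x1040, 0x1050, 0x1090],
    ],
    "vmware": [
        [0x1000, 0x1010, 0x1020, 0x1090],
        [0x1000, 0x1010, 0x1070, 0x1020, 0x1090],
        [0x1000, 0x1010, 0x1020, 0x1090],
    ],
    "qemu": [
        [0x1000, 0x1010, 0x1030, 0x1040, 0x1050, 0x1090],
        [0x1000, 0x1010, 0x1030, 0x1040, 0x1070, 0x1050, 0x1090],
        [0x1000, 0x1010, 0x1030, 0x1040, 0x1050, 0x1090],
    ],
}


def stable_blocks(runs):
    """Blocks executed in every run of one environment."""
    return set.intersection(*(set(r) for r in runs))


def any_blocks(runs):
    """Blocks executed in at least one run of one environment."""
    return set.union(*(set(r) for r in runs))


def find_divergences(traces):
    """Compare every ordered pair of environments (A, B).

    Returns {(A, B): (site, first_block, specific_blocks)} where
    specific_blocks are executed on every run in A and never in B,
    first_block is the earliest of them on A's path, and site is the
    last block before it that B also executed (the branch whose
    outcome depends on the environment). Pairs with no divergence are
    omitted, so a benign, environment-agnostic sample yields {}.
    """
    stable = {env: stable_blocks(runs) for env, runs in traces.items()}
    seen = {env: any_blocks(runs) for env, runs in traces.items()}
    result = {}
    for a, b in permutations(traces, 2):
        specific = stable[a] - seen[b]
        if not specific:
            continue
        # Every specific block is in all runs of A, so the first run
        # gives a valid execution order for them.
        run = traces[a][0]
        idx = min(run.index(blk) for blk in specific)
        site = None
        for j in range(idx - 1, -1, -1):
            if run[j] in stable[a] and run[j] in seen[b]:
                site = run[j]
                break
        result[(a, b)] = (site, run[idx], sorted(specific))
    return result


def report(traces):
    """Human-readable summary, one line per diverging environment pair."""
    lines = []
    for (a, b), (site, first, blocks) in sorted(find_divergences(traces).items()):
        lines.append(
            f"{a} vs {b}: paths split after {site:#x}; "
            f"{a}-only path starts at {first:#x} "
            f"({len(blocks)} block(s): {', '.join(f'{x:#x}' for x in blocks)})"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_TRACES):
        print(line)
```

On the constructed traces the qemu and bare-metal runs agree once the noisy block 0x1070 is filtered out, so no divergence is reported for that pair, while vmware diverges from both at block 0x1010; that is the kind of site the abstract says is worth examining both to flag the sample and to find what the VM exposed to it. In practice the same comparison is only meaningful if the runs share the same inputs and start state, otherwise input-dependent branches will masquerade as divergence points.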
author2 謝續平
author_facet 謝續平
Shih, Fan-Syun
施汎勳
author Shih, Fan-Syun
施汎勳
spellingShingle Shih, Fan-Syun
施汎勳
Detecting VM-Aware Malware by Discovering Divergence Points
author_sort Shih, Fan-Syun
title Detecting VM-Aware Malware by Discovering Divergence Points
title_short Detecting VM-Aware Malware by Discovering Divergence Points
title_full Detecting VM-Aware Malware by Discovering Divergence Points
title_fullStr Detecting VM-Aware Malware by Discovering Divergence Points
title_full_unstemmed Detecting VM-Aware Malware by Discovering Divergence Points
title_sort detecting vm-aware malware by discovering divergence points
publishDate 2010
url http://ndltd.ncl.edu.tw/handle/51220913784720768957
work_keys_str_mv AT shihfansyun detectingvmawaremalwarebydiscoveringdivergencepoints
AT shīfànxūn detectingvmawaremalwarebydiscoveringdivergencepoints
AT shihfansyun lìyòngchéngshìfēnqídiǎnxúnzhǎoyǐzhēncèxūnǐjīqìgǎnzhīdeèyìruǎntǐ
AT shīfànxūn lìyòngchéngshìfēnqídiǎnxúnzhǎoyǐzhēncèxūnǐjīqìgǎnzhīdeèyìruǎntǐ
_version_ 1718226974999052288