nEther

In-guest detection of out-of-the-guest malware analyzers

Gábor Pék, Boldizsár Bencsáth, L. Buttyán

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

32 Citations (Scopus)

Abstract

Malware analysis can be an efficient way to combat malicious code; however, miscreants are constructing heavily armoured samples in order to stymie the observation of their artefacts. Security practitioners make heavy use of various virtualization techniques to create sandboxing environments that provide a certain level of isolation between the host and the code being analysed. However, most of these are easy to detect and evade. The introduction of hardware-assisted virtualization (Intel VT and AMD-V) made the creation of novel, out-of-the-guest malware analysis platforms possible. These allow for a high level of transparency by residing completely outside the guest operating system being examined, so conventional in-memory detection scans are ineffective. Furthermore, such analyzers resolve the shortcomings that stem from inaccurate system emulation, in-guest timings, privileged operations and so on. In this paper, we introduce novel approaches that make the detection of hardware-assisted virtualization platforms and out-of-the-guest malware analysis frameworks possible. To demonstrate our concepts, we implemented an application framework called nEther that is capable of detecting the out-of-the-guest malware analysis framework Ether [6].

Original language: English
Title of host publication: Proceedings of the 4th Workshop on European Workshop on System Security, EUROSEC'11
DOIs: 10.1145/1972551.1972554
Publication status: Published - 2011
Event: 4th Workshop on European Workshop on System Security, EUROSEC'11 - Salzburg, Austria
Duration: Apr 10 2011 - Apr 10 2011

Other

Other: 4th Workshop on European Workshop on System Security, EUROSEC'11
Country: Austria
City: Salzburg
Period: 4/10/11 - 4/10/11

Fingerprint

Computer hardware
Computer operating systems
Transparency
Ethers
Data storage equipment
Malware
Virtualization

Keywords

  • Malware analysis
  • Virtualization

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Electrical and Electronic Engineering

Cite this

Pék, G., Bencsáth, B., & Buttyán, L. (2011). nEther: In-guest detection of out-of-the-guest malware analyzers. In Proceedings of the 4th Workshop on European Workshop on System Security, EUROSEC'11 [3] https://doi.org/10.1145/1972551.1972554

nEther: In-guest detection of out-of-the-guest malware analyzers. / Pék, Gábor; Bencsáth, Boldizsár; Buttyán, L.

Proceedings of the 4th Workshop on European Workshop on System Security, EUROSEC'11. 2011. 3.

Pék, G, Bencsáth, B & Buttyán, L 2011, nEther: In-guest detection of out-of-the-guest malware analyzers. in Proceedings of the 4th Workshop on European Workshop on System Security, EUROSEC'11., 3, 4th Workshop on European Workshop on System Security, EUROSEC'11, Salzburg, Austria, 4/10/11. https://doi.org/10.1145/1972551.1972554
Pék G, Bencsáth B, Buttyán L. nEther: In-guest detection of out-of-the-guest malware analyzers. In Proceedings of the 4th Workshop on European Workshop on System Security, EUROSEC'11. 2011. 3 https://doi.org/10.1145/1972551.1972554
Pék, Gábor; Bencsáth, Boldizsár; Buttyán, L. / nEther: In-guest detection of out-of-the-guest malware analyzers. Proceedings of the 4th Workshop on European Workshop on System Security, EUROSEC'11. 2011.
@inproceedings{814e68707f114c67b4f344553d13115f,
title = "nEther: In-guest detection of out-of-the-guest malware analyzers",
abstract = "Malware analysis can be an efficient way to combat malicious code; however, miscreants are constructing heavily armoured samples in order to stymie the observation of their artefacts. Security practitioners make heavy use of various virtualization techniques to create sandboxing environments that provide a certain level of isolation between the host and the code being analysed. However, most of these are easy to detect and evade. The introduction of hardware-assisted virtualization (Intel VT and AMD-V) made the creation of novel, out-of-the-guest malware analysis platforms possible. These allow for a high level of transparency by residing completely outside the guest operating system being examined, so conventional in-memory detection scans are ineffective. Furthermore, such analyzers resolve the shortcomings that stem from inaccurate system emulation, in-guest timings, privileged operations and so on. In this paper, we introduce novel approaches that make the detection of hardware-assisted virtualization platforms and out-of-the-guest malware analysis frameworks possible. To demonstrate our concepts, we implemented an application framework called nEther that is capable of detecting the out-of-the-guest malware analysis framework Ether [6].",
keywords = "Malware analysis, Virtualization",
author = "G{\'a}bor P{\'e}k and Boldizs{\'a}r Bencs{\'a}th and L. Butty{\'a}n",
year = "2011",
doi = "10.1145/1972551.1972554",
language = "English",
isbn = "9781450306133",
booktitle = "Proceedings of the 4th Workshop on European Workshop on System Security, EUROSEC'11",

}

TY - GEN

T1 - nEther

T2 - In-guest detection of out-of-the-guest malware analyzers

AU - Pék, Gábor

AU - Bencsáth, Boldizsár

AU - Buttyán, L.

PY - 2011

Y1 - 2011

AB - Malware analysis can be an efficient way to combat malicious code; however, miscreants are constructing heavily armoured samples in order to stymie the observation of their artefacts. Security practitioners make heavy use of various virtualization techniques to create sandboxing environments that provide a certain level of isolation between the host and the code being analysed. However, most of these are easy to detect and evade. The introduction of hardware-assisted virtualization (Intel VT and AMD-V) made the creation of novel, out-of-the-guest malware analysis platforms possible. These allow for a high level of transparency by residing completely outside the guest operating system being examined, so conventional in-memory detection scans are ineffective. Furthermore, such analyzers resolve the shortcomings that stem from inaccurate system emulation, in-guest timings, privileged operations and so on. In this paper, we introduce novel approaches that make the detection of hardware-assisted virtualization platforms and out-of-the-guest malware analysis frameworks possible. To demonstrate our concepts, we implemented an application framework called nEther that is capable of detecting the out-of-the-guest malware analysis framework Ether [6].

KW - Malware analysis

KW - Virtualization

UR - http://www.scopus.com/inward/record.url?scp=79957865085&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=79957865085&partnerID=8YFLogxK

U2 - 10.1145/1972551.1972554

DO - 10.1145/1972551.1972554

M3 - Conference contribution

SN - 9781450306133

BT - Proceedings of the 4th Workshop on European Workshop on System Security, EUROSEC'11

ER -