混合模式恶意软件及其分析

Proceedings of the 4th Program Protection and Reverse Engineering Workshop Pub Date : 2014-12-09 DOI:10.1145/2689702.2689703

Shabnam Aboughadareh, Christoph Csallner, M. Azarmi

{"title":"混合模式恶意软件及其分析","authors":"Shabnam Aboughadareh, Christoph Csallner, M. Azarmi","doi":"10.1145/2689702.2689703","DOIUrl":null,"url":null,"abstract":"Mixed-mode malware contains user-mode and kernel-mode components that are interdependent. Such malware exhibits its main malicious payload only after it succeeds at corrupting the OS kernel. Such malware may further actively attack or subvert malware analysis components. Current malware analysis techniques are not effective against mixed-mode malware. To overcome the limitations of current techniques, we present an approach that combines whole-system analysis with outside-the-guest virtual machine introspection. We implement this approach in the SEMU tool for Windows. In our experiments SEMU could successfully analyze several mixed-mode malware samples that evade current analysis approaches. The runtime overhead of SEMU is in line with the most closely related dynamic analysis tools TEMU and Ether.","PeriodicalId":308663,"journal":{"name":"Proceedings of the 4th Program Protection and Reverse Engineering Workshop","volume":"3 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":"{\"title\":\"Mixed-Mode Malware and Its Analysis\",\"authors\":\"Shabnam Aboughadareh, Christoph Csallner, M. Azarmi\",\"doi\":\"10.1145/2689702.2689703\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Mixed-mode malware contains user-mode and kernel-mode components that are interdependent. Such malware exhibits its main malicious payload only after it succeeds at corrupting the OS kernel. Such malware may further actively attack or subvert malware analysis components. Current malware analysis techniques are not effective against mixed-mode malware. To overcome the limitations of current techniques, we present an approach that combines whole-system analysis with outside-the-guest virtual machine introspection. We implement this approach in the SEMU tool for Windows. In our experiments SEMU could successfully analyze several mixed-mode malware samples that evade current analysis approaches. The runtime overhead of SEMU is in line with the most closely related dynamic analysis tools TEMU and Ether.\",\"PeriodicalId\":308663,\"journal\":{\"name\":\"Proceedings of the 4th Program Protection and Reverse Engineering Workshop\",\"volume\":\"3 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2014-12-09\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"3\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 4th Program Protection and Reverse Engineering Workshop\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/2689702.2689703\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 4th Program Protection and Reverse Engineering Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2689702.2689703","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 3

摘要

混合模式恶意软件包含相互依赖的用户模式和内核模式组件。这种恶意软件只有在成功破坏操作系统内核后才会显示出其主要的恶意负载。此类恶意软件可能进一步主动攻击或破坏恶意软件分析组件。目前的恶意软件分析技术对混合模式恶意软件并不有效。为了克服当前技术的局限性，我们提出了一种将整个系统分析与客户机外部虚拟机内省相结合的方法。我们在Windows的SEMU工具中实现了这种方法。在我们的实验中，SEMU可以成功地分析几种逃避当前分析方法的混合模式恶意软件样本。SEMU的运行时开销与最密切相关的动态分析工具TEMU和Ether一致。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

Mixed-Mode Malware and Its Analysis

Mixed-mode malware contains user-mode and kernel-mode components that are interdependent. Such malware exhibits its main malicious payload only after it succeeds at corrupting the OS kernel. Such malware may further actively attack or subvert malware analysis components. Current malware analysis techniques are not effective against mixed-mode malware. To overcome the limitations of current techniques, we present an approach that combines whole-system analysis with outside-the-guest virtual machine introspection. We implement this approach in the SEMU tool for Windows. In our experiments SEMU could successfully analyze several mixed-mode malware samples that evade current analysis approaches. The runtime overhead of SEMU is in line with the most closely related dynamic analysis tools TEMU and Ether.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Proceedings of the 4th Program Protection and Reverse Engineering Workshop

自引率

0.00%

发文量

期刊最新文献

SILK: high level of abstraction leakage simulator for side channel analysis Intellectual Property Protection in Additive Layer Manufacturing: Requirements for Secure Outsourcing Multi-App Security Analysis with FUSE: Statically Detecting Android App Collusion Probing the Limits of Virtualized Software Protection Mixed-Mode Malware and Its Analysis