National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)
Student: 林懋傑
Student (English): Mao-Jie Lin
Thesis title: 反虛擬機器監控技術之惡意程式偵測
Thesis title (English): Detecting Virtualization Resistant Behavior in Modern Malware
Advisor: 賴溪松
Advisor (English): Chi-Sung Laih
Degree: Master
Institution: 國立成功大學 (National Cheng Kung University)
Department: Institute of Computer and Communication Engineering (電腦與通信工程研究所)
Discipline: Engineering
Field: Electrical and computer engineering
Thesis type: Academic thesis
Year of publication: 2009
Graduation academic year: 97
Language: English
Pages: 79
Keywords (Chinese): 虛擬機器; 惡意程式; 惡意程式分析與監控
Keywords (English): Virtual Machine; Malware analysis; Anti-VM
Usage statistics:
  • Cited: 2
  • Views: 483
  • Rating: none
  • Downloads: 113
  • Bookmarked: 1
As the number of malware samples and new techniques keeps growing, researchers need to analyze these new samples to understand their techniques and find corresponding countermeasures. Among current malware analysis techniques, monitoring and analyzing malware with virtualization (Virtual Machine) technology is the mainstream approach. Virtualization can simulate an environment identical to a real system; a malware sample is executed and monitored in that environment, which isolates the damage the sample can do to the host computer, allows the environment to be restored quickly after every analysis run, and yields more detailed information (for example, malicious behaviors and system call logs). To resist this kind of analysis, malware authors developed "anti-virtual-machine monitoring techniques": whenever the malware finds itself in a virtual environment, it disguises itself as an ordinary program with no malicious behavior and thereby evades the monitoring of analysis tools. The goal of this thesis is to detect malware that uses anti-virtual-machine monitoring techniques (Anti-VM malware), reducing the cases in which a malware analysis platform cannot obtain a correct analysis report. Current Anti-VM techniques are implemented in four major categories: (1) timing attacks, (2) special instructions, (3) fingerprints of the virtual environment, and (4) emulator bugs.
Most existing research on Anti-VM techniques focuses on how to detect a virtual environment; research on countering detection focuses on how to improve the functions of malware analysis platforms. However, the improvements proposed so far can only defend against some Anti-VM techniques and still cannot defend against timing-attack techniques. In the future, more and more malware will incorporate Anti-VM functionality, which will reduce the accuracy of malware analysis and research. The result of this research is the ability to detect whether a malware sample has Anti-VM functionality, not limited to a specific kind of Anti-VM malware but covering all types of Anti-VM techniques. This reduces incorrect monitoring results from malware analysis platforms for this type of malware and increases the collection capability of malware collection systems. In addition, the system can locate the approximate time interval in which Anti-VM malware performs its "virtual machine detection" action, which can serve as a reference for manual analysis by malware researchers.
Malware is an important topic in security threat research. Many researchers use Virtual Machine (VM) systems to monitor malware behavior. A malware sample compromises only the virtual operating system or virtual machine and does not affect the real operating system or real environment. Because the malware monitoring process runs in the same layer as the real system, the monitor can obtain detailed information about malware behavior without being discovered by the malware. Some malware authors do not want their malware to be analyzed in a VM environment, because the analyst can obtain much information about the malware there. Many Anti-VM techniques exist that are used to ward off the collection, analysis and reverse engineering features of VM-based malware analysis platforms. As a result, malware researchers obtain inaccurate monitoring results from VM-based malware analysis platforms.
This thesis presents a solution for detecting Anti-VM techniques. We collect behavior information from the malware sample and use the "enhanced behavior distance algorithm" to calculate how different two behaviors are: the malware's behavior in a real environment and in a virtual environment. The calculated result is then used to decide whether the malware sample has Anti-VM capability. Experiments on Anti-VM malware show that this algorithm works well. We believe this idea helps improve the correctness of malware analysis results and reduce the loss rate of malware detection.
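As an added illustration of the behavioral-distance idea the abstract describes (not the thesis's own code, weights or threshold): a sample's system-call trace from a real host is compared with its trace from a VM, the difference is scored with a weighted edit distance, and the position where the two runs first diverge is reported as a hint for manual analysis. The call names, weights, threshold and both traces are constructed assumptions.

```python
# Added illustration, not the thesis's code: weights, threshold and traces are assumptions.
WEIGHTS = {"NtCreateFile": 1.0, "NtWriteFile": 2.0, "NtSetValueKey": 2.0,
           "connect": 3.0, "NtCreateProcess": 3.0}   # state-changing calls weigh more
DEFAULT_WEIGHT = 0.5                                   # bookkeeping calls

def weight(call):
    return WEIGHTS.get(call, DEFAULT_WEIGHT)

def weighted_edit_distance(a, b):
    """Levenshtein distance over syscall names: insert/delete cost the call's
    weight, a substitution costs the larger of the two weights."""
    n, m = len(a), len(b)
    prev = [0.0] * (m + 1)
    for j in range(1, m + 1):
        prev[j] = prev[j - 1] + weight(b[j - 1])
    for i in range(1, n + 1):
        cur = [prev[0] + weight(a[i - 1])] + [0.0] * m
        for j in range(1, m + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1]
            else:
                cur[j] = min(prev[j - 1] + max(weight(a[i - 1]), weight(b[j - 1])),
                             prev[j] + weight(a[i - 1]),
                             cur[j - 1] + weight(b[j - 1]))
        prev = cur
    return prev[m]

def normalized_distance(real, vm):
    """Distance scaled by the total weight of both traces (0.0 = identical)."""
    total = sum(weight(c) for c in real) + sum(weight(c) for c in vm)
    return weighted_edit_distance(real, vm) / total if total else 0.0

def divergence_index(real, vm):
    """First position where the traces stop agreeing: a rough hint for where
    in the run the sample changed course (cf. 'possible detection point')."""
    i = 0
    while i < min(len(real), len(vm)) and real[i] == vm[i]:
        i += 1
    return i

def classify(real, vm, threshold=0.3):
    """Return (suspected anti-VM, normalized distance, divergence index)."""
    d = normalized_distance(real, vm)
    return d >= threshold, round(d, 3), divergence_index(real, vm)

# Constructed traces: identical start-up, then the VM run quietly exits.
REAL_TRACE = ["NtOpenKey", "NtQueryValueKey", "NtCreateFile", "NtWriteFile",
              "NtSetValueKey", "connect", "NtCreateProcess"]
VM_TRACE = ["NtOpenKey", "NtQueryValueKey", "NtTerminateProcess"]
```

Calling `classify(REAL_TRACE, VM_TRACE)` flags the sample and points at index 2, the first call after the shared start-up; a sample whose two traces match scores 0.0 and is not flagged.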
List of Tables
List of Figures
Chapter 1 Introduction
1.1 Motivation
1.2 Contribution
1.3 Thesis Organization
Chapter 2 Background Knowledge
2.1 Malware Introduction
2.1.1 What is Malware
2.1.2 Malware Analysis
2.2 Virtual Machine based Malware Analysis Platform
2.2.1 Virtual Machine
2.2.2 VM based Malware Analysis Platform
2.2.3 Transparency of Virtual Machine
2.3 Anti-VM Techniques
2.3.1 Make Virtual Machine Environment Crashed
2.3.2 Detect Virtual Machine Environment
Chapter 3 Related Work
3.1 VM based malware analysis platform
3.1.1 BitBlaze
3.1.2 Ether
3.2 Other research for Anti-VM malware
Chapter 4 Detecting Algorithm
4.1 Characteristic of Anti-VM Malware
4.2 Behavioral Distance Algorithm
4.2.1 Behavior Distance
4.2.2 Behavioral Distance Calculation
4.3 Enhanced Behavioral Distance Algorithm
4.3.1 Weight Based Method
4.3.2 Multiple Buffer
4.3.3 Possible Detection Point
Chapter 5 System Design and Implementation
5.1 Framework
5.2 Implementation
Chapter 6 Experiments and Results
6.1 Scenario and Experimental Environment
6.2 Analysis for Anti-VM Techniques
6.2.1 Analysis for VM Detection Tool
6.2.2 Normal Software Analysis
6.2.3 Malware Sample Analysis
6.3 Evaluation
Chapter 7 Conclusion and Future Work
References