As malware has matured and evolved in the last couple of years, it has become much more difficult for security researchers to analyze samples. Many malware authors now give their programs the ability to detect whether they are running in a sandbox or a virtual machine, tools that researchers often use to observe the behavior of new malware samples.
But a new analysis tool that will be released at the Black Hat conference next month may give the upper hand back to the good guys. Paul Royal, principal researcher at Damballa Inc., has developed a new tool called Azure, which takes advantage of the virtualization extensions in Intel's chips to evade the virtual machine and sandbox checks used by malware. Because the virtualization extensions exist at the hardware level, below the level of the operating system, the malware doesn't have the ability to detect Azure, allowing researchers to analyze its behavior unimpeded.
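To make concrete what "sandbox or virtual machine checks" look like from inside the guest, here is an added example (written for this page; it is not Royal's code and not part of Azure) of the two CPUID-based probes that commodity malware commonly uses: the hypervisor-present bit in leaf 1 and the vendor signature in leaf 0x40000000. The signature table covers a handful of well-known hypervisor strings; the function and variable names are this example's own. The live probe needs an x86 host and a GCC/Clang-compatible compiler; on bare metal leaf 0x40000000 returns unrelated data, so the signature classifies as "unknown".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of in-guest VM detection via CPUID. Not Azure's code. */

/* Leaf 1: ECX bit 31 is reserved for hypervisors and is set by most of them. */
int hypervisor_bit_set(uint32_t ecx_leaf1)
{
    return (int)((ecx_leaf1 >> 31) & 1u);
}

/* Leaf 0x40000000: EBX, ECX, EDX carry a 12-byte vendor signature.
 * Bytes are pulled out explicitly so the result does not depend on host endianness. */
void hypervisor_signature(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 4; j++)
            out[i * 4 + j] = (char)((regs[i] >> (8 * j)) & 0xffu);
    out[12] = '\0';
}

/* Map well-known 12-byte signatures to product names; anything else -> "unknown". */
const char *classify_signature(const char sig[12])
{
    static const struct { const char *sig; const char *name; } table[] = {
        { "VMwareVMware",    "VMware" },
        { "KVMKVMKVM\0\0\0", "KVM" },
        { "Microsoft Hv",    "Hyper-V" },
        { "XenVMMXenVMM",    "Xen" },
        { "VBoxVBoxVBox",    "VirtualBox" },
        { "TCGTCGTCGTCG",    "QEMU (TCG)" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (memcmp(sig, table[i].sig, 12) == 0)
            return table[i].name;
    return "unknown";
}

/* Convenience wrapper: classify straight from the three raw register values. */
const char *classify_registers(uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    char sig[13];
    hypervisor_signature(ebx, ecx, edx, sig);
    return classify_signature(sig);
}

#if defined(__x86_64__) || defined(__i386__)
/* Execute CPUID for the given leaf (subleaf 0) and return all four registers. */
static void cpuid_raw(uint32_t leaf, uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d)
{
    __asm__ volatile("cpuid"
                     : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d)
                     : "a"(leaf), "c"(0));
}

int main(void)
{
    uint32_t a, b, c, d;
    char sig[13];

    cpuid_raw(1, &a, &b, &c, &d);
    printf("hypervisor bit: %d\n", hypervisor_bit_set(c));

    cpuid_raw(0x40000000u, &a, &b, &c, &d);
    hypervisor_signature(b, c, d, sig);
    printf("signature: \"%s\" -> %s\n", sig, classify_signature(sig));
    return 0;
}
#else
int main(void)
{
    puts("live probe needs an x86 host; the helper functions still work on constructed input");
    return 0;
}
#endif
```

CPUID is a privileged-exit instruction under Intel VT, so whatever runs above the guest decides what these leaves return; that is the property an external, VT-based monitor relies on, and it is exactly the property an in-guest agent (a hooked API, a kernel driver) does not have.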
"The whole point is to get out of the guest OS so the malware can't detect you and attack," said Royal. "Intel VT doesn't have the weakness of in-guest approaches because it's completely external. Others use system emulators, but to get everything exactly right in terms of emulation can be tricky."
Royal plans to release the source code for Azure at Black Hat and will make the tool available for download, as well. He has been testing the effectiveness of the tool over the last few months, and found that it is remarkably good at unpacking malware that had been packed with more than a dozen of the more commonly used packers, including the popular Themida and Armadillo. Azure was able to unpack all of the 15 samples he tested the tool against, compared to 10 of 15 for Saffron, an in-guest tool, and 12 of 15 for Renovo, a tool based on system emulation.
Intel's virtualization technology (VT) is a set of extensions added to some of the company's processors that implement virtualization support in hardware rather than in software. Intel designed VT to help enterprises make better use of their hardware resources and save energy, but Royal said it may also turn out to be a powerful ally for malware analysts and security researchers.
"In VT, the tricky part is that they didn't make it for malware analysis, but I'll be talking about the idea that this has positive advantages for malware analysis," Royal said.
"Malware is this artifact that has become a metavehicle for online crime, and understanding the intentions of malware has become incredibly important," Royal said. "We need to understand its behavior, which belies its intentions. But malware authors won't give up the particulars of their work without a fight."
Royal said he is still working on features that he plans to add to a future version of Azure, including a precision automated unpacker and a system call tracer. He will present the details of his work on Azure on Aug. 6 at Black Hat in Las Vegas.