Analysis tool uses Intel virtualization to hide from malware

By Dennis Fisher, Executive Editor
22 Jul 2008 | SearchSecurity.com


As malware has matured and evolved in the last couple of years, it has become much more difficult for security researchers to analyze samples. Many malware authors now give their programs the ability to detect whether they are running in a sandbox or a virtual machine, tools that researchers often use to observe the behavior of new malware samples.

But a new analysis tool that will be released at the Black Hat conference next month may give the upper hand back to the good guys. Paul Royal, principal researcher at Damballa Inc., has developed a new tool called Azure, which takes advantage of the virtualization extensions in Intel's chips to evade the virtual machine and sandbox checks used by malware. Because the virtualization extensions exist at the hardware level, below the level of the operating system, the malware doesn't have the ability to detect Azure, allowing researchers to analyze its behavior unimpeded.

"The whole point is to get out of the guest OS so the malware can't detect you and attack," said Royal. "Intel VT doesn't have the weakness of in-guest approaches because it's completely external. Others use system emulators, but to get everything exactly right in terms of emulation can be tricky."

Royal plans to release the source code for Azure at Black Hat and will make the tool available for download, as well. He has been testing the effectiveness of the tool over the last few months, and found that it is remarkably good at unpacking malware that had been packed with more than a dozen of the more commonly used packers, including the popular Themida and Armadillo. Azure was able to unpack all of the 15 samples he tested the tool against, compared to 10 of 15 for Saffron, an in-guest tool, and 12 of 15 for Renovo, a tool based on system emulation.

Intel's virtualization technology (VT) is a set of extensions added to some of the company's processors that implement virtualization support at the hardware level rather than in software. Intel designed VT to help enterprises make better use of their hardware resources and save energy. But Royal said VT may turn out to be a powerful ally for malware analysts and security researchers.

"In VT, the tricky part is that they didn't make it for malware analysis, but I'll be talking about the idea that this has positive advantages for malware analysis," Royal said.

"Malware is this artifact that has become a metavehicle for online crime, and understanding the intentions of malware has become incredibly important," Royal said. "We need to understand its behavior, which belies its intentions. But malware authors won't give up the particulars of their work without a fight."

Royal said he is still working on features that he plans to add to a future version of Azure, including a precision automated unpacker and a system call tracer. He will present the details of his work on Azure on Aug. 6 at Black Hat in Las Vegas.
