Malicious hypervisor and hidden virtualization of operation systems

Sergeev, Anton; Minchenkov, Victor; Bashun, Vladimir

doi:10.1109/icaict.2015.7338541

“…Malware authors have long realized the potential of hypervisors. For example, a malicious hypervisor can be installed to trap the operating system in a virtual machine (VM) and take away its root privileges [29]; in this way, the malicious hypervisor gains superiority over the kernel, effectively giving it control of the operating system. Any analysis tool installed on the OS will be unaware of code executed by the hypervisor.…”

Section: Classification Of Malware By Privilegementioning

confidence: 99%

“…The Windows registry can be used for this purpose, but other techniques are also used, including: shortcut modifications, DLL search order hijacking, subverting the boot process and loading a malicious kernel (such malware is called a bootkit [46,47]), hardware infection, and others. 29 One method malware use to gain persistency is by adding itself to an Auto-Start Extendibility Point (ASEP), 30 such as the registry startup key in Windows. For example, adding a malicious command to the Run or RunOnce registry keys will cause the computer to execute that command when the system has finished the booting process.…”

Section: Supporting Operationsmentioning

confidence: 99%

Dynamic Malware Analysis in the Modern Era—A State of the Art Survey

Or-Meir

¹

,

Nissim

²

,

Elovici

³

et al. 2019

View full text Add to dashboard Cite

ORI OR-MEIR, NIR NISSIM, YUVAL ELOVICI, and LIOR ROKACH, Ben-Gurion University of the Negev, Beer-Sheva, IsraelAlthough malicious software (malware) has been around since the early days of computers, the sophistication and innovation of malware has increased over the years. In particular, the latest crop of ransomware has drawn attention to the dangers of malicious software, which can cause harm to private users as well as corporations, public services (hospitals and transportation systems), governments, and security institutions. To protect these institutions and the public from malware attacks, malicious activity must be detected as early as possible, preferably before it conducts its harmful acts. However, it is not always easy to know what to look for-especially when dealing with new and unknown malware that has never been seen. Analyzing a suspicious file by static or dynamic analysis methods can provide relevant and valuable information regarding a file's impact on the hosting system and help determine whether the file is malicious or not, based on the method's predefined rules. While various techniques (e.g., code obfuscation, dynamic code loading, encryption, and packing) can be used by malware writers to evade static analysis (including signature-based antivirus tools), dynamic analysis is robust to these techniques and can provide greater understanding regarding the analyzed file and consequently can lead to better detection capabilities. Although dynamic analysis is more robust than static analysis, existing dynamic analysis tools and techniques are imperfect, and there is no single tool that can cover all aspects of malware behavior. The most recent comprehensive survey performed in this area was published in 2012. Since that time, the computing environment has changed dramatically with new types of malware (ransomware, cryptominers), new analysis methods (volatile memory forensics, side-channel analysis), new computing environments (cloud computing, IoT devices), new machine-learning algorithms, and more. The goal of this survey is to provide a comprehensive and up-to-date overview of existing methods used to dynamically analyze malware, which includes a description of each method, its strengths and weaknesses, and its resilience against malware evasion techniques. In addition, we include an overview of prominent studies presenting the usage of machine-learning methods to enhance dynamic malware analysis capabilities aimed at detection, classification, and categorization.

show abstract

“…Malware authors have long realized the potential of hypervisors. For example, a malicious hypervisor can be installed to trap the operating system in a virtual machine (VM) and take away its root privileges [29]; in this way, the malicious hypervisor gains superiority over the kernel, effectively giving it control of the operating system. Any analysis tool installed on the OS will be unaware of code executed by the hypervisor.…”

Section: Classification Of Malware By Privilegementioning

confidence: 99%

“…The Windows registry can be used for this purpose, but other techniques are also used, including: shortcut modifications, DLL search order hijacking, subverting the boot process and loading a malicious kernel (such malware is called a bootkit [46,47]), hardware infection, and others. 29 One method malware use to gain persistency is by adding itself to an Auto-Start Extendibility Point (ASEP), 30 such as the registry startup key in Windows. For example, adding a malicious command to the Run or RunOnce registry keys will cause the computer to execute that command when the system has finished the booting process.…”

Section: Supporting Operationsmentioning

confidence: 99%

Untitled

Mademlis¹,

Messina²,

Wagner³

et al. 2019

CSUR

0

View full text Add to dashboard Cite

ORI OR-MEIR, NIR NISSIM, YUVAL ELOVICI, and LIOR ROKACH, Ben-Gurion University of the Negev, Beer-Sheva, IsraelAlthough malicious software (malware) has been around since the early days of computers, the sophistication and innovation of malware has increased over the years. In particular, the latest crop of ransomware has drawn attention to the dangers of malicious software, which can cause harm to private users as well as corporations, public services (hospitals and transportation systems), governments, and security institutions. To protect these institutions and the public from malware attacks, malicious activity must be detected as early as possible, preferably before it conducts its harmful acts. However, it is not always easy to know what to look for-especially when dealing with new and unknown malware that has never been seen. Analyzing a suspicious file by static or dynamic analysis methods can provide relevant and valuable information regarding a file's impact on the hosting system and help determine whether the file is malicious or not, based on the method's predefined rules. While various techniques (e.g., code obfuscation, dynamic code loading, encryption, and packing) can be used by malware writers to evade static analysis (including signature-based antivirus tools), dynamic analysis is robust to these techniques and can provide greater understanding regarding the analyzed file and consequently can lead to better detection capabilities. Although dynamic analysis is more robust than static analysis, existing dynamic analysis tools and techniques are imperfect, and there is no single tool that can cover all aspects of malware behavior. The most recent comprehensive survey performed in this area was published in 2012. Since that time, the computing environment has changed dramatically with new types of malware (ransomware, cryptominers), new analysis methods (volatile memory forensics, side-channel analysis), new computing environments (cloud computing, IoT devices), new machine-learning algorithms, and more. The goal of this survey is to provide a comprehensive and up-to-date overview of existing methods used to dynamically analyze malware, which includes a description of each method, its strengths and weaknesses, and its resilience against malware evasion techniques. In addition, we include an overview of prominent studies presenting the usage of machine-learning methods to enhance dynamic malware analysis capabilities aimed at detection, classification, and categorization.

show abstract