MBR Image Automation Analysis Techniques Utilizing Emulab



Abstract. Virtual environments are frequently used for malware analysis. To hide their behavior, malware has begun to adopt virtual environment detection techniques. One of the trickiest things when analyzing malware on real systems is that the operating system becomes unbootable when the partition table and boot loader stored in the first sector of the hard disk, the master boot record (MBR), are corrupted. Extracting the MBR image from a crashed hard disk is quite time consuming, so running malware on a real system is usually considered a last resort. In this research, we propose a malware analysis system utilizing Emulab that extracts crashed MBR images very easily.

Keywords: Emulab · Virtualization · Malware · Analysis automation
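As a sanity check for an extracted MBR image, the following is an added Python example (not code from the paper or from Emulab): it parses the 512-byte MBR layout referred to in the abstract (446 bytes of boot code, a four-entry partition table at offset 446, and the 0x55AA signature in bytes 510 and 511) and reports the kinds of damage that leave a system unbootable: a missing signature, zeroed boot code, an empty table, invalid status bytes and overlapping partitions. The sample images, function names and partition values are constructed for illustration and are not taken from any real disk.

```python
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # boot code occupies bytes 0..445
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


@dataclass
class PartitionEntry:
    index: int
    status: int        # 0x80 = active/bootable, 0x00 = inactive
    type_id: int       # partition type byte, 0x00 = unused entry
    lba_start: int     # first sector (little-endian 32-bit)
    sector_count: int  # length in sectors (little-endian 32-bit)

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def empty(self) -> bool:
        return self.type_id == 0x00 and self.sector_count == 0


def parse_partition_table(image: bytes) -> List[PartitionEntry]:
    """Decode the four 16-byte entries at offset 446 of a 512-byte MBR image."""
    if len(image) < SECTOR_SIZE:
        raise ValueError("MBR image must be at least one 512-byte sector")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_start, type_id, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", image[off:off + ENTRY_SIZE])
        entries.append(PartitionEntry(i, status, type_id, lba, count))
    return entries


def check_mbr(image: bytes) -> List[str]:
    """Return a list of integrity findings; an empty list means the MBR looks sane."""
    findings: List[str] = []
    if len(image) < SECTOR_SIZE:
        return ["image shorter than one sector"]
    if image[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if not any(image[:PARTITION_TABLE_OFFSET]):
        findings.append("boot code area is all zeros")
    used = [e for e in parse_partition_table(image) if not e.empty]
    if not used:
        findings.append("partition table is empty")
    if sum(1 for e in used if e.bootable) > 1:
        findings.append("more than one partition is marked bootable")
    for e in used:
        if e.status not in (0x00, 0x80):
            findings.append(f"entry {e.index}: invalid status byte 0x{e.status:02x}")
        if e.lba_start == 0:
            findings.append(f"entry {e.index}: LBA start 0 overlaps the MBR sector itself")
    # Sort extents by start sector and flag any that overlap their predecessor.
    extents = sorted((e.lba_start, e.lba_start + e.sector_count, e.index) for e in used)
    for (_s1, end1, i1), (s2, _e2, i2) in zip(extents, extents[1:]):
        if s2 < end1:
            findings.append(f"entries {i1} and {i2} overlap")
    return findings


def build_entry(status: int, type_id: int, lba: int, count: int) -> bytes:
    # Constructed entry; CHS fields use the common 0xFE 0xFF 0xFF "beyond CHS range" marker.
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", type_id, b"\xfe\xff\xff", lba, count)


# Constructed sample images (hypothetical, not taken from any real disk).
_BOOT_CODE = b"\xfa\x31\xc0\x8e\xd8".ljust(PARTITION_TABLE_OFFSET, b"\x00")  # a few opcodes, then padding
SAMPLE_HEALTHY = (_BOOT_CODE
                  + build_entry(0x80, 0x07, 2048, 204800)     # bootable NTFS-type partition
                  + build_entry(0x00, 0x83, 206848, 409600)   # second, inactive partition
                  + bytes(2 * ENTRY_SIZE)                     # two unused entries
                  + BOOT_SIGNATURE)
SAMPLE_WIPED = bytes(SECTOR_SIZE)                             # sector 0 after a destructive overwrite
SAMPLE_OVERLAP = (_BOOT_CODE
                  + build_entry(0x80, 0x07, 2048, 204800)
                  + build_entry(0x00, 0x83, 100000, 409600)   # starts inside partition 0
                  + bytes(2 * ENTRY_SIZE)
                  + BOOT_SIGNATURE)

if __name__ == "__main__":
    for name, img in (("healthy", SAMPLE_HEALTHY), ("wiped", SAMPLE_WIPED), ("overlap", SAMPLE_OVERLAP)):
        print(name, check_mbr(img) or "OK")
```

In practice one would run `check_mbr` over the image read from the first sector of the analysis machine's disk and compare it with the result for an image captured before the sample ran; the findings list makes the difference between a corrupted and an intact MBR visible without manually decoding the sector.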

1 Introduction

While the number of malware samples keeps increasing very quickly, their behaviors are also evolving. According to [1], the number of unique malware samples is more than 430 million. Since nobody knows how much malware goes undetected, it is not easy to estimate the total number. To cope with this situation, automatic malware analysis becomes necessary. Generally, malware analysis is categorized into static or dynamic analysis. In static analysis, the malware under test is not run; instead, its binary code is analyzed by malware analysts. In dynamic analysis, in contrast, analysts run the malware in a test environment and collect behavior information for further analysis. Owing to advances in hardware virtualization techniques, it has become easier to utilize virtual machines for automatic malware analysis. However, to evade this analysis trend, hackers started to use virtual environment detection techniques. It was reported that 28% of the malware found in 2014 had a virtual environment detection function [2]. When malware detects a virtual environment, it quits or disguises itself as a normal application by performing naïve operations. Many researchers are trying to solve this problem in many ways, but there is no practical solution yet. In our previous study, we used a completely different approach: real machines are used, not virtual machines. We are not the first to use this approach. Some authors already proposed to use real machines, called bare metal systems, in [3,4]. Different from previous research, we utilized the existing research facility Emulab, developed by Utah University [5]. Its main benefit is that it dynamically assigns real machines running various OSes in any network topology. Many researchers have found Emulab very useful for network and security research [6]. Our previous study showed that Emulab is almost like a bare metal system: many virtual environment detection functions available to us could not detect Emulab as a virtual environment [7]. In addition, we showed how to extract the Microsoft Windows MBR image from a

© Springer Nature Singapore Pte Ltd. 2017
K. Kim and N. Joukov (eds.), Information Science and Applications 2017, Lecture Notes in Electrical Engineering 424, DOI 10.1007/978-981-10-4154-9_25

G. Song and M. Lee