Virt-ICE: Next-generation Debugger for Malware Analysis

Nguyen Anh Quynh, Kuniyasu Suzaki
National Institute of Advanced Industrial Science and Technology, Japan
Email: (nguyen.anhquynh,k.suzaki)@aist.go.jp

Abstract

Dynamic malware analysis is an important method to analyze malware. The most important tool for dynamic malware analysis is the debugger. However, because debuggers were originally built by software developers to debug legitimate software, they have some significant flaws when used against malware. First of all, malware can easily detect the presence of a debugger with various tricks. Another fundamental problem is that because malware runs in the same security domain as the debugger, it can potentially tamper with the debugger and prevent it from functioning correctly. Unfortunately, all of the above drawbacks are unfixable in the current architecture.

This research presents a new debugger named Virt-ICE, which is designed to address the problems of current malware debuggers. Using virtualization technology, Virt-ICE is invisible to malware, thus rendering most available anti-debugging techniques useless. Thanks to the isolation provided by the virtual machine, Virt-ICE is out of the reach of malware and cannot be tampered with. Another advantage of Virt-ICE is that, unlike many other popular debuggers, it can deal with ring-0 code, therefore it has no issue handling kernel rootkits. Virt-ICE also offers a novel event-based method to intercept malware execution, which can help to improve debugging efficiency. Finally, Virt-ICE includes some built-in automatic malware analysis facilities to give analysts more information on the malware, so they can reduce the time spent on the job by focusing their debugging efforts on important points.

1 Introduction

1.1 Malware Analysis Methods

Understanding what malware is doing internally is always a headache for security professionals.
Two main methods have been proposed, and each offers unique features.

• Static analysis: This method disassembles the malware binary to analyze it, without running it. An advantage of static analysis is that it can inspect all the execution paths of the malware. However, it has some major problems. One is that most malware is packed and uses various obfuscation tricks to make the binary code very hard to understand. As a result, the analyst must unpack and deobfuscate the malware before actually diving into analyzing it. This procedure usually takes a lot of time and requires advanced skills. Besides, some malware activities are only visible at run-time, for example when interacting with the environment. Consequently, static analysis cannot give the analyst a full understanding of the malware...
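The two static-analysis obstacles named above, packing and anti-debugging tricks, are exactly what an analyst checks for before deciding whether dynamic analysis is needed. The following is an added example (not code from the Virt-ICE paper) of two such triage heuristics: per-section Shannon entropy, where packed or encrypted code approaches 8 bits per byte, and a string scan for Windows API names that debugger-detection code typically references. It assumes the sample's sections have already been parsed into (name, bytes) pairs; the sections it runs on are constructed stand-ins, not a real binary, and the API list is illustrative rather than exhaustive.

```python
"""Static triage heuristics for a malware sample (added example).

Two checks a static-analysis pass can run before any disassembly:
  1. Shannon entropy of each section: packed/encrypted data approaches
     8 bits per byte, while ordinary compiled code sits well below that.
  2. A scan for printable strings naming Windows APIs that are commonly
     involved in debugger detection, so the analyst knows anti-debugging
     is present before stepping into the sample dynamically.

Sections are modelled as (name, bytes) pairs; PE parsing is assumed to
have happened already so the example runs offline on constructed input.
"""
import math
import random
import re
from collections import Counter

# Rule-of-thumb threshold for "probably packed or encrypted" (assumption).
PACKED_ENTROPY_THRESHOLD = 7.0

# Real Win32/NT API names often seen in debugger-detection code;
# illustrative list, not exhaustive.
ANTI_DEBUG_APIS = (
    "IsDebuggerPresent",
    "CheckRemoteDebuggerPresent",
    "NtQueryInformationProcess",
    "OutputDebugStringA",
)


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Extract ASCII strings of at least `min_len` printable characters."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_anti_debug_apis(data: bytes) -> list[str]:
    """Return the ANTI_DEBUG_APIS entries that occur as strings in `data`."""
    found = set(printable_strings(data))
    return [api for api in ANTI_DEBUG_APIS if api in found]


def triage(sections: list[tuple[str, bytes]]) -> dict:
    """Run both heuristics over all sections and summarise the findings."""
    entropies = {name: round(shannon_entropy(body), 2) for name, body in sections}
    likely_packed = [n for n, e in entropies.items() if e >= PACKED_ENTROPY_THRESHOLD]
    apis = sorted({api for _, body in sections for api in find_anti_debug_apis(body)})
    return {"entropy": entropies, "likely_packed": likely_packed, "anti_debug_apis": apis}


def sample_sections() -> list[tuple[str, bytes]]:
    """Constructed stand-in for a sample's sections (not a real binary)."""
    rng = random.Random(1)  # fixed seed so the result is reproducible
    # Low-entropy "code": a repeated x86-looking byte pattern (constructed).
    text = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x90, 0xC3]) * 512
    # Import-name-like strings as they would sit in a PE import directory.
    idata = b"\x00".join([b"KERNEL32.dll", b"IsDebuggerPresent",
                          b"CheckRemoteDebuggerPresent", b"CreateFileA"]) + b"\x00"
    # High-entropy blob standing in for a packed/encrypted section.
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return [(".text", text), (".idata", idata), ("UPX1", packed)]


if __name__ == "__main__":
    report = triage(sample_sections())
    for name, e in report["entropy"].items():
        print(f"{name:8s} entropy={e:.2f} bits/byte")
    print("likely packed sections:", report["likely_packed"])
    print("anti-debug APIs referenced:", report["anti_debug_apis"])
```

A section flagged as likely packed tells the analyst that disassembly will be unproductive until the sample is unpacked, and a hit on the API list tells them that a conventional, in-guest debugger will probably be noticed; both are the situations the paper's argument for an out-of-guest, virtualization-based debugger rests on.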