基於虛擬機器之惡意軟體分析技術：反分析技術偵測、事件還原系統、病毒碼自動生成

Abstract

資訊安全是國內目前最重要的議題。本計畫希望由資訊安全鑑識人員為考量，希望能夠縮短、有 效地幫助惡意程式鑑識、過濾，縮短其分析時間、協助判斷，乃是本計畫最大的目標。近年來，國內 外資安研究學者紛紛使用虛擬機器分析技術來動態分析惡意程式。同樣地，攻擊者也發展出躲避分析 的手段。本研究計畫希望針對三項與虛擬機器分析技術相關的研究，加強或協助往後的分析研究:（一) 偵測反虛擬機器分析的惡意程式、（二）事件重現系統設計與研究、（三）自動惡意動態連結庫特徵碼 生成與實作。

近年來，新型的惡意程式已可以偵測自己是否在執行在虛擬機器的環境中，並且利用此技術隱藏 惡意行為來躲避分析。本計畫將研究判斷程式是否具有偵測虛擬機器環境的技術，對於分析者來說可 以有效地降低誤判率。我們可以藉著該執行狀態的不同一是源自於該程式知道自己存在虛擬環境裡 而表現出不同的行為一來當作判斷的依據。在利用虛擬機器分析惡意程式時，如果可以預先知道該 程式有偽裝的行為，則進一步的利用人工方式分析。如此一來，不會造成分析系統因偽裝之行為而造 成誤判。另一方面，對於已發生的攻擊事件，還原攻擊過程可以幫助防禦者對自己的系統做安全性的 評估，也可以讓分析者了解其攻擊手法。第二年度將針對事件還原系統做研究。找出所有會影響虛擬 機器執行狀態的因素，藉由著修改虛擬機器原始碼來記錄發生事件，並且還原其過程。除了可以重現 系統執行的狀態，也可以提供日後虛擬機器相關的分析技術使用例如像系統除錯或是軟體測試，讓分 析者可以重複性地分析該執行過程。本計畫為了自動化生成惡意程式特徵碼，利用了自動截取DLL 特徵的方式來有效地偵測現有的惡意樣本。由於現有的惡意程式日新月異，病毒碼偵測的方式會因 惡意程式變型多型的因素，讓病毒碼在儲存空間上以及比對效率上變得沒有效率。而這些變異的惡意 程式，很有可能因為核心的攻擊手法相同，而有共通的程式碼片段。這些共通的程式碼片段可以用來 偵測一個類型或是一個群組的惡意程式。利用這些具有特徵的程式碼片段，可以有效的減少病毒碼的 儲存空間以及比對的次數。我們將分析已蒐集到上萬隻的惡意樣本，將利用自動化程式分析的方式， 來找出這些共通的程式碼片段最為偵測惡意DLL檔案的依據。

本計畫研究的領域新穎且具獨創性。在國內外研究中，許多頂尖的大學已著手研究與虛擬機器分 析相關的技術，也證實本研究具有非常高的價值與實用性。然而，本計畫的研究也是一貫的脈絡，希 望可以藉由這次的機會讓國內更多研究人員投入資訊安全領域。

This research project intends to investigate the VM-based malware analysis. In recent years, more and more security researchers analyze malware based on virtual machines (VMs). To evade analysis, new malware created by sophisticated hackers equip new techniques such as VM-awareness to extend their lifecycle. To assist VM-based analysts, we aim at three security aspects including: (1) the VM-aware malware detection, (2) system events replaying, and (3) automatic DLL signature generation. As VM-based analysts concerned, aforementioned techniques make their systems more applicable.

In the first year, we aim to discover VM-aware malware, which sense the existing of virtual execution environment, through finding the execution divergences among different VM environment. These malware hide their malicious behaviors to circumvent detection. They determine not to attack when they are in VMs. Thus, false negatives will occurred if analysts do not take these malware into consideration. Secondly, a replay system, which can faithfully repeat execution of malicious programs, can help analysts to evaluate a system security and discover methodology of attacks. This technique benefits dynamic analysis such as VM-based analysis for a repeatable experiment environment. We selectively eliminate non-deterministic events which affect VM execution for a fine-grained replay system. The system also can be applied to system debugging and software testing. In the third year, an automatic malware signature generation is proposed against malicious dynamic-link library (DLL). Conventional research generated signatures with labor work or common program context such as control flow graph (CFG). These methods are inefficient nowadays. Metamorphism and polymorphism make malware signatures explosive grow. However, these malware potentially share common pieces of code since the attack methodology in a malware family is similar. Instead of using one signature to recognize one individual malware, we leverage on discovery of reused code to detect a group of malware, which has same pieces of code for attack, by a signature. It is more efficient on both performance of pattern matching and storage of signatures.

The idea of this project is novel and original, and its highly practical value amplifies the power of analysts against attackers. Research related to virtual machine analysis can benefit from this project. It takes three years to develop a malware behavior analysis assistant system for analysis accuracy, repeatable environment, and detection efficiency, respectively. The three improvements complement current VM-based analysis systems for better detection.