Title: Detecting VM-Aware Malware by Discovering Divergence Points
Author: Shih, Fan-Syun
謝續平
Institute of Network Engineering
Keywords: malware detection; virtual machine; VM-aware; divergence discovery
Issue Date: 2009
Abstract: Virtualized execution environments have been demonstrated to be an effective mechanism for malware behavior analysis. To resist analysis, evolved malware is often equipped with VM (virtual machine) detection capabilities. By identifying its execution environment, such VM-aware malware can hide its real intent and circumvent VM-based analysis. In this thesis, a novel approach is proposed to cope with this problem. By running a suspicious sample multiple times in different virtual machines and comparing the execution coverage of the program across those runs, the divergence points produced by probing for a particular virtualized environment can be discovered. Such divergences are highly suspicious, since a benign program rarely distinguishes its host environment. To evaluate the effectiveness of our system, four VM-aware malware programs and seven real-world VM detection samples were analyzed. The results show that our system captures all divergence points caused by these VM detections. Discovering these divergence points is valuable not only for identifying malware but also for amending flaws in existing VM-based analysis environments.
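The comparison the abstract describes, as an added example that is not code from the thesis: constructed basic-block traces of one sample run twice in each of two virtual machines, where stable coverage per environment filters out nondeterministic blocks and the divergence point is the branch whose successor differs consistently between environments. All addresses, trace contents and function names are constructed for illustration.

```python
# Added example (not from the thesis): locate divergence points by comparing
# basic-block traces of one sample run several times in two virtual machines.
from collections import defaultdict

# Constructed traces (block start addresses in execution order). The sample
# probes for VM B: in VM A it proceeds to 0x401030, in VM B it takes the decoy
# path 0x401020. Block 0x401060 vs 0x401068 flips between runs in BOTH
# environments (e.g. a timing-dependent branch) and must not be reported.
RUNS_VM_A = [
    [0x401000, 0x401010, 0x401030, 0x401050, 0x401060, 0x401070],
    [0x401000, 0x401010, 0x401030, 0x401050, 0x401068, 0x401070],
]
RUNS_VM_B = [
    [0x401000, 0x401010, 0x401020, 0x401050, 0x401060, 0x401070],
    [0x401000, 0x401010, 0x401020, 0x401050, 0x401068, 0x401070],
]

def stable_coverage(runs):
    """Blocks executed in every run of one environment; blocks seen in only
    some runs are nondeterministic noise rather than environment-dependent."""
    return set.intersection(*(set(run) for run in runs))

def stable_edges(runs):
    """Control-flow edges (block -> next block) present in every run."""
    return set.intersection(*({(a, b) for a, b in zip(run, run[1:])} for run in runs))

def coverage_divergence(runs_a, runs_b):
    """Blocks reached consistently in one environment but never in the other."""
    cov_a, cov_b = stable_coverage(runs_a), stable_coverage(runs_b)
    return sorted(cov_a - cov_b), sorted(cov_b - cov_a)

def divergence_points(runs_a, runs_b):
    """Branch blocks reached in both environments whose successor differs
    consistently between them: the suspected environment checks."""
    succ = [defaultdict(set), defaultdict(set)]
    for table, runs in zip(succ, (runs_a, runs_b)):
        for src, dst in stable_edges(runs):
            table[src].add(dst)
    points = []
    for block in sorted(set(succ[0]) & set(succ[1])):
        only_a, only_b = succ[0][block] - succ[1][block], succ[1][block] - succ[0][block]
        if only_a or only_b:
            points.append((block, sorted(only_a), sorted(only_b)))
    return points

if __name__ == "__main__":
    only_a, only_b = coverage_divergence(RUNS_VM_A, RUNS_VM_B)
    print("blocks only in VM A:", [hex(b) for b in only_a])
    print("blocks only in VM B:", [hex(b) for b in only_b])
    for block, a, b in divergence_points(RUNS_VM_A, RUNS_VM_B):
        print(f"divergence at {block:#x}: VM A -> {[hex(x) for x in a]}, VM B -> {[hex(x) for x in b]}")
```

In the constructed traces the only reported divergence is the branch at 0x401010, while the timing-dependent blocks are dropped because they are unstable within each environment.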
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079756544
http://hdl.handle.net/11536/46034
Appears in Collections: Thesis