Temporal search: detecting hidden malware timebombs with virtual machines

Published: 20 October 2006

Abstract

Worms, viruses, and other malware can be ticking bombs counting down to a specific time, when they might, for example, delete files or download new instructions from a public web server. We propose a novel virtual-machine-based analysis technique to automatically discover the timetable of a piece of malware, or when events will be triggered, so that other types of analysis can discern what those events are. This information can be invaluable for responding to rapid malware, and automating its discovery can provide more accurate information with less delay than careful human analysis.

Developing an automated system that produces the timetable of a piece of malware is a challenging research problem. In this paper, we describe our implementation of a key component of such a system: the discovery of timers without making assumptions about the integrity of the infected system's kernel. Our technique runs a virtual machine at slightly different rates of perceived time (time as seen by the virtual machine), and identifies time counters by correlating memory write frequency to timer interrupt frequency.

We also analyze real malware to assess the feasibility of using full-system, machine-level symbolic execution on these timers to discover predicates. Because of the intricacies of the Gregorian calendar (leap years, different numbers of days in each month, etc.), these predicates will not be direct expressions on the timer but instead an annotated trace; so we formalize the calculation of a timetable as a weakest precondition calculation. Our analysis of six real worms sheds light on two challenges for future work: 1) time-dependent malware behavior often does not follow a linear timetable; and 2) an attacker with knowledge of the analysis technique can evade analysis. Our current results are promising in that with simple symbolic execution we are able to discover predicates on the day of the month for four real worms. Then, through more traditional manual analysis, we conclude that a more control-flow-sensitive symbolic execution implementation would discover all predicates for the malware we analyzed.
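The timer-discovery step described in the abstract, as an added illustration that is not the paper's code: a guest is run three times at slightly different perceived-time rates, each run yields a per-address write count (constructed here with hypothetical addresses, where the real system would log actual memory writes), and only addresses whose write frequency rises and falls with the timer interrupt frequency are kept as candidate time counters.

```python
from collections import Counter
from math import sqrt

# Hypothetical guest addresses, constructed for this example.
TICK_COUNTER = 0x1000   # incremented by the timer interrupt handler
SECONDS_FIELD = 0x2000  # wall-clock value recomputed every 100 ticks
WORKLOAD_BUF = 0x3000   # written by ordinary work, unrelated to perceived time
LOG_CURSOR = 0x4000     # written at a rate that varies per run, but not with the timer

def run_guest(timer_hz, real_seconds, run_index):
    """Constructed stand-in for one VM run: writes per address. Perceived time
    is changed by altering how many timer interrupts the VMM delivers per
    real second (timer_hz); the real system would log actual memory writes."""
    ticks = timer_hz * real_seconds
    writes = Counter()
    writes[TICK_COUNTER] += ticks                    # one write per interrupt
    writes[SECONDS_FIELD] += ticks // 100            # derived from the tick count
    writes[WORKLOAD_BUF] += 50 * real_seconds        # same work in every run
    writes[LOG_CURSOR] += (50 + 3 * (run_index % 2)) * real_seconds
    return writes

def pearson(xs, ys):
    """Correlation coefficient; 0.0 when a series is constant (cannot track the timer)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / sqrt(vx * vy)

def find_time_counters(runs, threshold=0.99):
    """runs: list of (timer_hz, real_seconds, writes). Returns {addr: r} for
    addresses whose write frequency tracks the timer interrupt frequency."""
    rates = [hz for hz, _, _ in runs]
    addrs = set().union(*(w.keys() for _, _, w in runs))
    found = {}
    for addr in sorted(addrs):
        freqs = [w[addr] / secs for _, secs, w in runs]   # writes per real second
        r = pearson(rates, freqs)
        if r >= threshold:
            found[addr] = r
    return found

def demo():
    # Three runs at slightly different perceived-time rates, 100 real seconds each.
    runs = [(hz, 100, run_guest(hz, 100, i)) for i, hz in enumerate((90, 100, 110))]
    return find_time_counters(runs)
```

`demo()` reports only the tick counter and the derived seconds field; the workload buffer has a constant rate and the log cursor varies between runs without following the timer rate, so both are rejected.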


Published in

ACM SIGPLAN Notices, Volume 41, Issue 11 (Proceedings of the 2006 ASPLOS Conference), November 2006, 425 pages. ISSN: 0362-1340, EISSN: 1558-1160, DOI: 10.1145/1168918.

ASPLOS XII: Proceedings of the 12th international conference on Architectural support for programming languages and operating systems, October 2006, 440 pages. ISBN: 1595934510, DOI: 10.1145/1168857.

Copyright © 2006 ACM. Publisher: Association for Computing Machinery, New York, NY, United States.