By Topic

An automatic anti-anti-VMware technique applicable for multi-stage packed malware

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

The purchase and pricing options are temporarily unavailable. Please try again later.
3 Author(s)
Li Sun ; Sch. of Math. & Geospatial Sci., RMIT Univ., Melbourne, VIC ; Ebringer, T. ; Boztas, S.

The VMware Workstation virtualisation software is widely used by antivirus researchers for malware analysis. However, a large amount of current generation malware employs various anti-VMware techniques in order to resist analysis. To make things worse, these anti-VMware techniques are applied not only in the payload itself, but also in the runtime packer that is used to disguise the malicious code. Fortunately, at the present time, there is not a wide variety of anti-VMware methods in use, so the assembly code which describes the operation is quite characteristic. The issue therefore becomes exactly at what stage of the execution should one look for such code, since the actual anti-VMware code is normally heavily obfuscated. Sometimes it may only be decrypted shortly before it is executed. This paper shows that judicious automated control of a debugger can successfully be used to slither around anti-VMware detections even in sophisticated packers, such as Themida.

Published in:

Malicious and Unwanted Software, 2008. MALWARE 2008. 3rd International Conference on

Date of Conference:

7-8 Oct. 2008