By Topic

An automatic anti-anti-VMware technique applicable for multi-stage packed malware

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

3 Author(s)
Li Sun ; School of Mathematical and Geospatial Sciences, RMIT University, Australia ; Tim Ebringer ; Serdar Boztas

The VMware Workstation virtualisation software is widely used by antivirus researchers for malware analysis. However, a large amount of current generation malware employs various anti-VMware techniques in order to resist analysis. To make things worse, these anti-VMware techniques are applied not only in the payload itself, but also in the runtime packer that is used to disguise the malicious code. Fortunately, at the present time, there is not a wide variety of anti-VMware methods in use, so the assembly code which describes the operation is quite characteristic. The issue therefore becomes exactly at what stage of the execution should one look for such code, since the actual anti-VMware code is normally heavily obfuscated. Sometimes it may only be decrypted shortly before it is executed. This paper shows that judicious automated control of a debugger can successfully be used to slither around anti-VMware detections even in sophisticated packers, such as Themida.

Published in:

Malicious and Unwanted Software, 2008. MALWARE 2008. 3rd International Conference on

Date of Conference:

7-8 Oct. 2008