Presentations - Stealthy, Hypervisor-based Malware Analysis

Over the last few years countless methods have been observed in malware to fingerprint the execution environment before executing the malware's real payload. Most of the available sandboxes, both commercial and open-source, struggle to keep up with the variety of techniques, so it is increasingly important to do dynamic analysis on a platform that provides stealth capabilities. For the most part virtualization fits the bill. Nevertheless, virtualization has not been designed with stealth in mind either, still leaving low-hanging fruit for malware to check for. In this talk we will discuss how to create realistic-looking virtual sandboxes with DRAKVUF, a malware analysis system which was released at Hacktivity in 2014. Since this initial release both Xen and DRAKVUF have seen major improvements which will be discussed, such as malware analysis on ARM, as well as critical limitations in Xen that could still reveal the presence of external monitors.
