VXer fighters get new stealth weapon in war of the (mal)wares

Foiled traditional systems force white hats to bare metal

A bare-metal analysis tool developed by University of California, Santa Barbara researchers promises to help tip the battle between virus writers and white-hat researchers by cloaking malware investigation efforts.

The tool is the latest weapon in the war between the diaspora of independent and vendor malware researchers and their VXer foes. Their rolling brawl has given rise to advanced cloak and dagger tactics employed by both belligerents.

Black hats have developed impressive methods to find technical artifacts that help them to distinguish between infected computers belonging to victims and the analysis systems malware researchers build to detect and foil attacks.

Once known, the means to detect such artifacts is coded into the next generation of malware allowing it to appear harmless in the eyes of security researchers and anti-virus vendors.

Malware coded in this way is then effectively immune to probing on those analysis platforms, allowing more victims to be plundered before anti-virus systems crash the party.

Virus writers detected researchers' analysis platforms through a number of methods, including fingerprinting the runtime environment for tell-tale registry keys, function hooks and background processes.

They could also determine whether a virtual machine or emulator was being used for analysis by way of variations in execution, such as timing differences for instructions the hypervisor has to trap.

Public and even private malware analysis platforms could be fingerprinted if VXers with access to the engines uploaded wares designed to harvest environmental artifacts.
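To make the fingerprinting described above concrete, here is an added example (not code from the article or from the BareCloud authors) that evaluates the same four classes of check over a constructed snapshot of a host: known virtualisation registry keys, guest-tool processes, inline hooks on exported API functions, and a CPUID timing gap. The indicator lists, the HostSnapshot shape and both snapshots are illustrative assumptions, not data from the article.

```python
"""Sandbox-fingerprinting checks of the kind the article describes, evaluated
over a constructed snapshot of a host rather than the live machine.

Added example, not code from the article or from the BareCloud authors. The
indicator lists and the HostSnapshot shape are illustrative assumptions."""

from dataclasses import dataclass

# Assumed indicator lists: well-known VM/sandbox residue, deliberately short.
VM_REGISTRY_KEYS = {
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
}
ANALYSIS_PROCESSES = {"vboxservice.exe", "vmtoolsd.exe", "vmwaretray.exe"}

# Hot-patchable Win32 API prologue: mov edi,edi ; push ebp ; mov ebp,esp
CLEAN_PROLOGUE = b"\x8b\xff\x55\x8b\xec"


@dataclass(frozen=True)
class HostSnapshot:
    registry_keys: frozenset   # registry paths present on the host
    processes: frozenset       # running image names, lower-cased
    api_prologues: dict        # exported API name -> first bytes in memory
    cpuid_ns: int              # measured cost of one CPUID, in nanoseconds
    baseline_ns: int           # cost of a comparable non-trapping instruction


def has_inline_hook(prologue: bytes) -> bool:
    """User-mode monitors commonly install inline (trampoline) hooks by
    overwriting a function's first bytes with JMP rel32 (E9) or JMP [mem]
    (FF 25); a clean prologue starts with neither."""
    return prologue[:1] == b"\xe9" or prologue[:2] == b"\xff\x25"


def fingerprint(host: HostSnapshot) -> list:
    """Return the artifacts that give the analysis environment away."""
    evidence = []
    for key in sorted(host.registry_keys & VM_REGISTRY_KEYS):
        evidence.append("registry:" + key)
    for proc in sorted(host.processes & ANALYSIS_PROCESSES):
        evidence.append("process:" + proc)
    for name, prologue in sorted(host.api_prologues.items()):
        if has_inline_hook(prologue):
            evidence.append("hook:" + name)
    # CPUID unconditionally exits to a hypervisor, so it costs far more than
    # on bare metal; a 10x gap against a plain instruction is the usual tell.
    if host.cpuid_ns > 10 * host.baseline_ns:
        evidence.append("timing:cpuid %dns vs %dns" % (host.cpuid_ns, host.baseline_ns))
    return evidence


# Constructed snapshots: a victim's desktop and a VirtualBox-based sandbox
# running a user-mode API monitor. Not real captures.
VICTIM = HostSnapshot(
    registry_keys=frozenset({r"HKLM\SYSTEM\Select\Current"}),
    processes=frozenset({"explorer.exe", "svchost.exe", "outlook.exe"}),
    api_prologues={"CreateFileW": CLEAN_PROLOGUE, "NtQuerySystemInformation": CLEAN_PROLOGUE},
    cpuid_ns=150, baseline_ns=40,
)
SANDBOX = HostSnapshot(
    registry_keys=frozenset({r"HKLM\SYSTEM\Select\Current", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"}),
    processes=frozenset({"explorer.exe", "svchost.exe", "vboxservice.exe"}),
    api_prologues={"CreateFileW": b"\xe9\x10\x32\x54\x76", "NtQuerySystemInformation": CLEAN_PROLOGUE},
    cpuid_ns=2600, baseline_ns=40,
)

if __name__ == "__main__":
    for label, host in (("victim", VICTIM), ("sandbox", SANDBOX)):
        print(label, fingerprint(host) or "no analysis artifacts found")
```

Read from the defender's side, every string in `fingerprint`'s output is an artifact a sandbox leaks; the appeal of bare-metal analysis is that the first three classes are absent by construction and the timing gap disappears, so the sample has nothing to key on.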

While the VXers hid, the white hats sought them out. Malware was commonly run across a host of analysis environments in the often vain hope of finding one that would not cause it to clam up.

So-called transparent analysis systems were the white hats' latest answer, aiming to be indistinguishable from victims' bare-metal computers. They left fewer artifacts for the VXers to find, but were so resource-intensive that fine-grained analysis ground to a halt. BareBox, one such system, worked by partitioning the host's physical memory for malware analysis and subsequent re-imaging, but it could be detected by the more advanced wares.

Other bare-metal systems, including NVMTrace, were limited in the information they could extract from analysed malware.

Now Dhilung Kirat (@Dhilung), Giovanni Vigna and Christopher Kruegel have developed the latest white hat weapon, BareCloud, which analyses malware by running each sample on bare metal as well as in traditional virtualised and emulated environments, then comparing the behaviour observed in each.

In tests comparing the bare-metal run against the popular Ether, Anubis and Cuckoo Sandbox environments, the BareCloud platform detected 5,835 evasive malware instances among 110,005 recent malware samples.

"The ultimate way to thwart such detection is to analyse malware in a bare-metal environment," the trio wrote in the paper BareCloud: Bare-metal Analysis-based Evasive Malware Detection, to be presented at the upcoming USENIX Security '14 conference.

"The disk-level activity is extracted by comparing the system's state after each malware execution with the initial clean state.

"Using the understanding of the operating system of the analysis host, BareCloud also extracts operating-system-level changes, such as changes to specific registry keys and system files."

[Figure: The BareCloud flow]

BareCloud also introduces a novel evasion-detection approach based on hierarchical similarity-based comparison of the behaviour profiles recorded in each environment, which the authors said produced better results than existing methods.

It focuses on attempts by malware to make persistent changes to the system or to contact command and control servers, feats the wares would need to pull off in order to do damage, the writers said.
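The two ideas just described, extracting a behaviour profile by diffing the post-run state against a clean image and then comparing the profiles from several environments hierarchically, can be shown end to end in a few dozen lines. The following is an added example, not the authors' code: the Snapshot shape, the two-level similarity score (category-level first, artifact-level second) and every snapshot below are constructed assumptions that stand in for BareCloud's actual profile format and scoring, which are defined in the paper.

```python
"""State diffing and cross-environment comparison in the spirit of the
BareCloud approach quoted above. Added example, not the authors' code: the
Snapshot shape, the two-level similarity score and all sample data are
constructed assumptions, not BareCloud's actual profiles or algorithm."""

from dataclasses import dataclass

CATEGORIES = ("file", "registry", "network")


@dataclass(frozen=True)
class Snapshot:
    files: dict          # path -> content hash
    registry: dict       # registry value path -> data
    network: frozenset   # "host:port" endpoints contacted during the run


def diff_state(clean: Snapshot, after: Snapshot) -> dict:
    """Behaviour profile: persistent disk/registry changes relative to the
    clean image, plus the remote endpoints the sample talked to."""
    profile = {"file": set(), "registry": set(), "network": set(after.network)}
    for path in set(clean.files) | set(after.files):
        if path not in clean.files:
            profile["file"].add(("create", path))
        elif path not in after.files:
            profile["file"].add(("delete", path))
        elif clean.files[path] != after.files[path]:
            profile["file"].add(("modify", path))
    for key in set(clean.registry) | set(after.registry):
        if clean.registry.get(key) != after.registry.get(key):
            profile["registry"].add(("set", key))
    return profile


def jaccard(a, b) -> float:
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def hierarchical_similarity(p: dict, q: dict) -> float:
    """Coarse level: which categories show any activity at all.
    Fine level: the specific artifacts inside each category.
    A sample that persists and beacons on bare metal but stays quiet in a
    sandbox scores low at both levels."""
    coarse = jaccard({c for c in CATEGORIES if p[c]}, {c for c in CATEGORIES if q[c]})
    fine = sum(jaccard(p[c], q[c]) for c in CATEGORIES) / len(CATEGORIES)
    return (coarse + fine) / 2


def evasion_scores(profiles: dict, reference: str = "baremetal") -> dict:
    """Similarity of every other environment's profile to the bare-metal one."""
    ref = profiles[reference]
    return {env: hierarchical_similarity(ref, prof)
            for env, prof in profiles.items() if env != reference}


def flag_evasive(profiles: dict, threshold: float = 0.5) -> set:
    """Environments in which the sample's behaviour diverged from bare metal."""
    return {env for env, s in evasion_scores(profiles).items() if s < threshold}


# Constructed sample data: one clean image and the post-run state of the
# same sample in four environments (names only; not real captures).
CLEAN = Snapshot(
    files={r"C:\Windows\System32\kernel32.dll": "a1", r"C:\Users\victim\report.docx": "b2"},
    registry={r"HKLM\SYSTEM\Select\Current": "1"},
    network=frozenset(),
)
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"
DROPPED = r"C:\Users\victim\AppData\Roaming\updater.exe"
INFECTED_FILES = {**CLEAN.files, DROPPED: "c3", r"C:\Users\victim\report.docx": "ff"}
INFECTED_REGISTRY = {**CLEAN.registry, RUN_KEY: DROPPED}

AFTER = {
    # Bare metal: drops a binary, persists via a Run key, rewrites a document, beacons out.
    "baremetal": Snapshot(INFECTED_FILES, INFECTED_REGISTRY, frozenset({"198.51.100.7:443"})),
    # Cuckoo: the sample behaves exactly as on bare metal.
    "cuckoo": Snapshot(INFECTED_FILES, INFECTED_REGISTRY, frozenset({"198.51.100.7:443"})),
    # Ether: persists, but never contacts its server.
    "ether": Snapshot(INFECTED_FILES, INFECTED_REGISTRY, frozenset()),
    # Anubis: the sample fingerprints the emulator and exits without doing anything.
    "anubis": Snapshot(dict(CLEAN.files), dict(CLEAN.registry), frozenset()),
}

PROFILES = {env: diff_state(CLEAN, snap) for env, snap in AFTER.items()}

if __name__ == "__main__":
    for env, score in sorted(evasion_scores(PROFILES).items()):
        print("%-9s similarity to bare metal: %.2f" % (env, score))
    print("evasive in:", sorted(flag_evasive(PROFILES)))
```

The point of the two levels is that a silent sandbox run (Anubis here) scores zero even though it shares the clean image with bare metal, while an environment that only loses the network beacon (Ether) still scores well above the threshold; the threshold is a tuning knob, and a real deployment would weigh persistence and command-and-control contact more heavily than the equal weighting used here.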

The trio, who work under sponsorship from the US Army and Navy, will now focus on making the bare-metal component of their system more transparent and on building an iSCSI module to provide richer file-system-level event tracing through the extraction of high-level intermediate file system operations.
