Title
Toward Revealing Kernel Malware Behavior in Virtual Execution Environments
Abstract
Using a sandbox for malware analysis has proven effective in helping people quickly understand the behavior of unknown malware. This technique is also complementary to other malware analysis techniques such as static code analysis and debugger-based code analysis. This paper presents Rkprofiler, a sandbox-based malware tracking system that dynamically monitors and analyzes the behavior of Windows kernel malware. Kernel malware samples run inside a virtual machine (VM) that is supported and managed by a PC emulator. By building its monitoring component into the PC emulator, Rkprofiler is able to inspect each instruction executed by the kernel malware and therefore possesses a powerful weapon against the malware. Rkprofiler provides several capabilities that other malware tracking systems do not. First, it can detect the execution of malicious kernel code regardless of how the monitored kernel malware is loaded into the kernel and whether it is packed or not. Second, it captures all function calls made by the kernel malware and constructs call graphs from the trace files. Third, a technique called aggressive memory tagging (AMT) is proposed to track the dynamic data objects that the kernel malware visits. Last, Rkprofiler records and reports the hardware access events of kernel malware (e.g., MSR register reads and writes). Our evaluation results show that Rkprofiler can quickly expose the security-sensitive activities of kernel malware and thus reduces the effort exerted in conducting tedious manual malware analysis.
Year: 2009
DOI: 10.1007/978-3-642-04342-0_16
Venue: RAID
Keywords: virtual execution environments, sandbox-based malware tracking system, kernel malware visit, monitored kernel malware, revealing kernel malware behavior, malware analysis, windows kernel malware, kernel malware, tedious manual malware analysis, malware tracking system, malware analysis technique, kernel malware sample, call graph, dynamic analysis, dynamic data, rootkit, virtual machine, tracking system
Field: Sandbox (computer security), Cryptovirology, Static program analysis, Virtual machine, Computer science, Computer security, Rootkit, Real-time computing, Malware, Cyber-collection, Operating system, Malware analysis
DocType: Conference
Volume: 5758
ISSN: 0302-9743
Citations: 16
PageRank: 0.75
References: 21
Authors: 3
Authors (Name, Order, Citations and PageRank; the Citations and PageRank figures are run together in the source record):
Chaoting Xuan, Order 1, Citations/PageRank 231.26
John A. Copeland, Order 2, Citations/PageRank 45660.84
Raheem Beyah, Order 3, Citations/PageRank 21314.78