Researcher Offers Malware Analysis Tool

July 18, 2008 – 5:23 PM

The problem with hunting for malware is that most currently available analysis tools tip off the attacker that you’re doing it. But at next month’s Black Hat conference, a researcher will release a tool that is harder to detect — and harder to avoid — than the malware analyzers currently on the market.

Paul Royal, principal researcher at botnet hunter Damballa Inc., will present a tool called Azure at Black Hat on Aug. 6. Azure will be published as an open-source proof of concept, available free of charge to enterprises and vendors.

Azure is an external hardware tool that is based on Intel VT, a hardware-assisted means of virtualizing the PC. It allows the user to create the equivalent of an x86 processor-based machine that can be used to detect and analyze malware at the instruction level or at the Windows API level.

The Intel VT-based approach will be harder to detect and evade than currently available malware analysis approaches, Royal says. Today, most analyzers rely on a “sandbox” approach, in which a safe “copy” of the operating system is used for analysis. However, many malware authors now have methods for detecting these “in-guest” sandboxes and avoiding them, he observes.

Other malware analyzers, such as QEMU, emulate the x86 architecture outside the operating system, which makes them more difficult for hackers to detect. However, in order to operate, these tools generally require full-system emulation, and the emulated systems don’t run quite the same way that “live” PCs do. Increasingly, attackers are able to detect the behavior of emulated systems and set their malware to exit before it’s captured by the analyzer.
