Ether: Malware Analysis via Hardware Virtualization Extensions

July 8, 2009, 19:49

by Black

in Malware Analysis, Open Source, Security tools

New and better techniques are being developed every day to combat malware and its spread. As a repercussion, malware is getting intelligent too! It has anti-VM, anti-sandbox, anti-antivirus and all the other anti-things its authors can imagine, so that it will not be detected.

As these techniques used by malware analysts become more widespread, malware writers in turn find ways, via software, to detour detection. The reason malware authors succeed in defeating such tools is that most of these security tools are VMs (the magic VM and VPC detection APIs), sandboxes (hard drive serial number, logged-on user, registry keys, etc.) or plain code such as detection from the PEB (Process Environment Block), etc. In other words, static malware analysis is practically impossible and dynamic malware analysis is partially successful.

But now things are going to be a tad difficult for those malware authors! Why? Enter Ether! It was presented at the ACM Conference on Computer and Communications Security (CCS) in 2008. Ether is a malware analysis framework which leverages hardware virtualization extensions (specifically Intel VT) to remain transparent to malicious software. It resides completely outside of the target OS environment: there are no in-guest software components vulnerable to detection or attack. It uses hardware virtualization extensions to offer both fine-grained (single instruction) and coarse-grained (system call) tracing.

A sample diagram that depicts the working of Ether:

[Diagram: Ether: Malware Analysis]

Just like other online virus scanners, this unpacker only needs you to upload the executable, and it then reports its findings via e-mail.

Advantages of Ether over more traditional tools:

In-Memory Presence: Traditional detection attacks which rely on detecting the presence of an analyzer in memory will always fail against Ether, as it has no in-guest memory presence.
CPU Registers: Ether hides the few changes it makes in CPU state from the analysis target so that it is unable to detect deviation from a native hardware environment.
Memory Protection: Ether modifies only the shadow page tables, which are inaccessible to the analysis target. That is, the analysis target is unable to detect changes to shadow memory permissions. However, in the current implementation, Ether does indirectly modify the memory hierarchy (the cache and the TLB). This is due to an architectural limitation, which has been discussed in the Ether ReadMe.
Privileged Instruction Handling: Ether uses built-in hardware mechanisms to intercept only certain privileged instructions and exceptions and, as necessary, forwards these exceptions to the guest. From the viewpoint of the guest, no handler is ever modified, and privileged instructions have the same effects as in a native environment.
Instruction Emulation: Ether executes all instructions on the actual processor. Therefore, Ether does not suffer from emulation inaccuracies inherent in full-system x86 emulators; the transition function remains unmodified.
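The coarse-grained (system-call level) trace mentioned earlier is only the raw material; the analyst still has to turn it into behaviour indicators on the host side. The script below is an added example, not code from Ether or from the original post: it parses a constructed, simplified trace format (pid, NT system call name, key=value arguments, one event per line) and flags a few host-visible behaviours. Ether's real output format is not reproduced here, and the sample trace lines, call names used as indicators and the indicator names are all assumptions made for the example.

```python
"""Summarise a system-call level trace into behaviour indicators.

Added example; not part of Ether or the original post. The trace format is a
constructed, simplified one (one event per line: pid=<n> <NtCall> k=v ...).
"""
import re
from collections import Counter

# Constructed sample trace lines; not real Ether output. Arguments contain no
# spaces so a whitespace split is sufficient for this toy format.
SAMPLE_TRACE = """\
pid=1234 NtCreateFile path=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe access=GENERIC_WRITE
pid=1234 NtWriteFile handle=0x1c bytes=49152
pid=1234 NtSetValueKey key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run name=Updater
pid=1234 NtCreateProcess image=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe
pid=1234 NtOpenFile path=C:\\Windows\\System32\\kernel32.dll access=GENERIC_READ
pid=1234 NtQuerySystemInformation class=SystemBasicInformation
"""

LINE_RE = re.compile(r"pid=(\d+)\s+(\w+)\s*(.*)")


def parse_trace(text):
    """Parse trace lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, syscall, rest = m.groups()
        # key=value pairs; split on the first '=' so values may contain '='
        args = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append({"pid": int(pid), "syscall": syscall, "args": args})
    return events


def summarize(events):
    """Return per-call counts plus (indicator, detail) pairs.

    Indicators (assumed names for this example):
      drops_executable      - a .exe is created with write access
      run_key_persistence   - a value is set under a ...\\CurrentVersion\\Run key
      executes_dropped_file - a process is created from a file written earlier
    """
    written = set()  # lower-cased paths opened for writing so far
    indicators = []
    counts = Counter(e["syscall"] for e in events)
    for e in events:
        a, s = e["args"], e["syscall"]
        if s == "NtCreateFile" and "WRITE" in a.get("access", ""):
            path = a.get("path", "").lower()
            written.add(path)
            if path.endswith(".exe"):
                indicators.append(("drops_executable", a["path"]))
        elif s == "NtSetValueKey" and "\\currentversion\\run" in a.get("key", "").lower():
            indicators.append(("run_key_persistence", a["key"]))
        elif s == "NtCreateProcess" and a.get("image", "").lower() in written:
            indicators.append(("executes_dropped_file", a["image"]))
    return {"syscall_counts": dict(counts), "indicators": indicators}


if __name__ == "__main__":
    report = summarize(parse_trace(SAMPLE_TRACE))
    for name, detail in report["indicators"]:
        print(f"{name}: {detail}")
```

Because the tracer itself sits outside the guest, this post-processing never has to run inside the analysed system, which is the point of the transparency properties listed above: the sample only sees native hardware while the host keeps the full record.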

You can read in detail about this tool here and in addition to that, you can view the slides presented by the authors @ ACM-CCS 2008 here.
