
Temporal search: detecting hidden malware timebombs with virtual machines

Published: 20 October 2006

Abstract

Worms, viruses, and other malware can be ticking bombs counting down to a specific time, when they might, for example, delete files or download new instructions from a public web server. We propose a novel virtual-machine-based analysis technique to automatically discover the timetable of a piece of malware, that is, when its events will be triggered, so that other types of analysis can discern what those events are. This information can be invaluable for responding to rapid malware, and automating its discovery can provide more accurate information with less delay than careful human analysis.

Developing an automated system that produces the timetable of a piece of malware is a challenging research problem. In this paper, we describe our implementation of a key component of such a system: the discovery of timers without making assumptions about the integrity of the infected system's kernel. Our technique runs a virtual machine at slightly different rates of perceived time (time as seen by the virtual machine) and identifies time counters by correlating memory write frequency with timer interrupt frequency.

We also analyze real malware to assess the feasibility of using full-system, machine-level symbolic execution on these timers to discover predicates. Because of the intricacies of the Gregorian calendar (leap years, different numbers of days in each month, etc.), these predicates will not be direct expressions on the timer but instead an annotated trace; so we formalize the calculation of a timetable as a weakest-precondition calculation. Our analysis of six real worms sheds light on two challenges for future work: 1) time-dependent malware behavior often does not follow a linear timetable; and 2) an attacker with knowledge of the analysis technique can evade analysis. Our current results are promising in that with simple symbolic execution we are able to discover predicates on the day of the month for four real worms. Through more traditional manual analysis we then conclude that a more control-flow-sensitive symbolic execution implementation would discover all predicates for the malware we analyzed.
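The two steps the abstract sketches, as an added example that is not the paper's code: first, run the guest at several perceived-time rates and flag memory words whose write count scales with the timer-interrupt count; second, take a calendar predicate a trigger depends on and compute the tick intervals over a horizon at which it holds, which is the weakest precondition over the calendar rather than a formula on the timer. Every address, rate, write count and the epoch below is a constructed assumption made for illustration; the write tracer is a hand-built stand-in, not a VMM interface.

```python
"""Added example (not the paper's code): toy timer discovery and timetable
calculation on constructed data.  No real VMM or malware is involved."""
from datetime import date, timedelta

# Hypothetical guest addresses (constructed for this example).
JIFFIES      = 0x80110000  # kernel tick counter: one write per timer interrupt
TICK_PAIR    = 0x80110008  # 64-bit tick value: two word writes per interrupt
NET_COUNTER  = 0x80220000  # packets seen: paced by the host, not by guest time
LOOP_COUNTER = 0x00401000  # user-space busy loop: CPU-bound, not time-bound
CONFIG_WORD  = 0x00402000  # written once at start-up

BASE_HZ  = 100                    # guest timer frequency at perceived rate 1.0
WINDOW_S = 10                     # host wall-clock seconds traced per run
RATES    = (0.5, 1.0, 1.5, 2.0)   # perceived-time rates the guest is run at

def trace_for(rate):
    """Constructed stand-in for a VMM write tracer: returns
    (timer interrupts delivered, {addr: writes observed}) for one run."""
    ticks = int(BASE_HZ * rate * WINDOW_S)
    return ticks, {
        JIFFIES:      ticks,
        TICK_PAIR:    2 * ticks,
        NET_COUNTER:  1000 + int(37 * rate) % 11,         # rate-independent jitter
        LOOP_COUNTER: 5_000_000 + int(1000 * rate) % 13,  # ditto, but a huge count
        CONFIG_WORD:  1,
    }

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5

def find_timer_candidates(rates=RATES, min_corr=0.99, tol=0.05):
    """Return {addr: (correlation, writes_per_interrupt)} for words whose writes
    track the interrupt count with a near-integer ratio.  Both tests matter: a
    large CPU-bound counter can land on a near-integer ratio by chance, and a
    drifting value can correlate without being written once per tick."""
    runs = [trace_for(r) for r in rates]
    ints = [n for n, _ in runs]
    found = {}
    for addr in runs[0][1]:
        counts = [w[addr] for _, w in runs]
        if max(counts) == min(counts):
            continue                       # never changes with rate: not a timer
        r = pearson(ints, counts)
        per_int = sum(counts) / sum(ints)  # writes per timer interrupt
        k = round(per_int)
        if r >= min_corr and k >= 1 and abs(per_int - k) <= tol:
            found[addr] = (r, k)
    return found

# From a discovered timer to a timetable.
EPOCH = date(2006, 1, 1)          # hypothetical: the date the guest's tick 0 maps to
TICKS_PER_DAY = BASE_HZ * 86400

def timetable(pred, horizon_days, epoch=EPOCH):
    """Weakest precondition of the trigger over the horizon: the tick intervals
    [lo, hi) whose calendar date satisfies pred(date).  The path from ticks to a
    date goes through the Gregorian calendar, so the answer is a list of
    intervals, not a closed-form condition on the tick counter."""
    out = []
    for d in range(horizon_days):
        if pred(epoch + timedelta(days=d)):
            lo = d * TICKS_PER_DAY
            if out and out[-1][1] == lo:   # merge consecutive matching days
                out[-1] = (out[-1][0], lo + TICKS_PER_DAY)
            else:
                out.append((lo, lo + TICKS_PER_DAY))
    return out

def firing_gaps_days(intervals):
    """Days between successive trigger starts; not constant for a
    day-of-the-month predicate, which is the non-linear timetable case."""
    return [(b[0] - a[0]) // TICKS_PER_DAY for a, b in zip(intervals, intervals[1:])]

if __name__ == "__main__":
    for addr, (r, k) in sorted(find_timer_candidates().items()):
        print(f"timer candidate {addr:#010x}: corr={r:.3f}, {k} write(s)/interrupt")
    tt = timetable(lambda d: d.day == 21, horizon_days=365)
    print("first trigger windows (ticks):", tt[:3])
    print("days between triggers:", firing_gaps_days(tt))
```

Run as a script it reports the two tick counters and rejects the packet and busy-loop counters, then prints twelve trigger windows whose spacing alternates between 28, 30 and 31 days. A real tracer would count writes per page or word across many short windows rather than one total per run, and would have to tolerate far more noise than this constructed model; the correlation-plus-integer-ratio test is the part that carries over.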


Published In

ACM SIGOPS Operating Systems Review, Volume 40, Issue 5: Proceedings of the 2006 ASPLOS Conference, December 2006, 425 pages. ISSN 0163-5980, DOI 10.1145/1168917.

Also in: ASPLOS XII: Proceedings of the 12th international conference on Architectural support for programming languages and operating systems, October 2006, 440 pages. ISBN 1595934510, DOI 10.1145/1168857.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. malware
2. virtual machines
3. worms
