Malware has become the centerpiece of most security threats on the Internet. Malware analysis is an essential technology that extracts the runtime behavior of malware, and supplies signatures to detection systems and provides evidence for recovery and cleanup. The focal point in the malware analysis battle is how to detect versus how to hide a malware analyzer from malware during runtime. State-of-the-art analyzers reside in or emulate part of the guest operating system and its underlying hardware, making them easy to detect and evade. In this paper, we propose a transparent and external approach to malware analysis, which is motivated by the intuition that for a malware analyzer to be transparent, it must not induce any side-effects that are unconditionally detectable by malware. Our analyzer, Ether, is based on a novel application of hardware virtualization extensions such as Intel VT, and resides completely outside of the target OS environment. Thus, there are no in-guest software components vulnerable to detection, and there are no shortcomings that arise from incomplete or inaccurate system

emulation. Our experiments are based on our study of obfuscation techniques used to create 25,000 recent malware samples. The results show that Ether remains transparent and defeats the obfuscation tools that evade existing approaches.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Anubis: Analyzing Unknown Binaries. http://anubis.seclab.tuwien.ac.at.
	2	Armadillo. http://www.siliconrealms.com.
	3	BitBlaze Binary Analysis Platform. http://bitblaze.cs.berkeley.edu.
	4	DYNINST API. http://www.dyninst.org.
	5	FileMon for Windows. http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx.
	6	Intel Virtualization Technology. http://www.intel.com/technology/virtualization.
	7	PEiD. http://www.peid.info.
	8	PEiDSO. http://handlers.sans.org/jclausing/userdb.txt.
	9	RegMon for Windows. http://technet.microsoft.com/en-us/sysinternals/bb896652.aspx.
	10	Themida. http://www.oreans.com/themida.php.
	11	VirtualPC. http://www.microsoft.com/windows/products/winfamily/virtualpc/.
	12	VMWare. http://www.vmware.com.
	13	Norman Sandbox Whitepaper. http://www.norman.com/documents/wp_sandbox.pdf, 2003.
	14	AMD64 Architecture Programmer's Manual, Volume 2: System Programming, 2007.
	15	TEMU: The BitBlaze Dynamic Analysis Component. http://bitblaze.cs.berkeley.edu/temu.html, 2007.
	16	P. Bacher, T. Holz, M. Kotter, and G. Wicherski. Know your enemy: Tracking botnets. http://www.honeynet.org/papers/bots, 2005.
	17	M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian, and J. Nazario. Automated Classification and Analysis of Internet Malware. In RAID, 2007.
	18	Paul Barham , Boris Dragovic , Keir Fraser , Steven Hand , Tim Harris , Alex Ho , Rolf Neugebauer , Ian Pratt , Andrew Warfield, Xen and the art of virtualization, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	19	U. Bayer, C. Kruegel, and E. Kirda. TTanalyze: A Tool for Analyzing Malware. In EICAR, pages 180--192, 2006.
	20	Fabrice Bellard, QEMU, a fast and portable dynamic translator, Proceedings of the annual conference on USENIX Annual Technical Conference, p.41-41, April 10-15, 2005, Anaheim, CA
	21	M. Bishop. Computer Security: Art and Science. Addison-Wesley Professional, 2003.
	22	Kevin Borders , Xin Zhao , Atul Prakash, Siren: Catching Evasive Malware (Short Paper), Proceedings of the 2006 IEEE Symposium on Security and Privacy, p.78-85, May 21-24, 2006  [doi>10.1109/SP.2006.37]
	23	Juan Caballero , Heng Yin , Zhenkai Liang , Dawn Song, Polyglot: automatic extraction of protocol message format using dynamic binary analysis, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA  [doi>10.1145/1315245.1315286]
	24	Mihai Christodorescu , Somesh Jha , Sanjit A. Seshia , Dawn Song , Randal E. Bryant, Semantics-Aware Malware Detection, Proceedings of the 2005 IEEE Symposium on Security and Privacy, p.32-46, May 08-11, 2005  [doi>10.1109/SP.2005.20]
	25	Mihai Christodorescu , Somesh Jha , Christopher Kruegel, Mining specifications of malicious behavior, Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering, September 03-07, 2007, Dubrovnik, Croatia  [doi>10.1145/1287624.1287628]
	26	P. Ferrie. Attacks on Virtual Machine Emulators. Symantec Advanced Threat Research, 2006.
	27	P. Ferrie. Attacks on More Virtual Machines. http://pferrie.tripod.com/papers/attacks2.pdf, 2007.
	28	T. Garfinkel and M. Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In NDSS, 2003.
	29	Galen Hunt , Doug Brubacher, Detours: binary interception of Win32 functions, Proceedings of the 3rd conference on USENIX Windows NT Symposium, p.14-14, July 12-15, 1999, Seattle, Washington
	30	Xuxian Jiang , Xinyuan Wang , Dongyan Xu, Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA  [doi>10.1145/1315245.1315262]
	31	X. Jiang, D. Xu, H. J. Wang, and E. H. Spafford. Virtual Playgrounds for Worm Behavior Investigation. In RAID, pages 1--21, 2005.
	32	Min Gyung Kang , Pongsin Poosankam , Heng Yin, Renovo: a hidden code extractor for packed executables, Proceedings of the 2007 ACM workshop on Recurring malcode, November 02-02, 2007, Alexandria, Virginia, USA  [doi>10.1145/1314389.1314399]
	33	Christopher Kruegel , William Robertson , Giovanni Vigna, Detecting Kernel-Level Rootkits Through Binary Analysis, Proceedings of the 20th Annual Computer Security Applications Conference, p.91-100, December 06-10, 2004  [doi>10.1109/CSAC.2004.19]
	34	L. Martignoni, M. Christodorescu, and S. Jha. OmniUnpack: Fast, Generic, and Safe Unpacking of Malware. In ACSAC, pages 431--441, 2007.
	35	F. Perigaud. New Pill? http://cert.lexsi.com/weblog/index.php/2008/03/21/223-new-pill, 2008.
	36	Niels Provos , Thorsten Holz, Virtual honeypots: from botnet tracking to intrusion detection, Addison-Wesley Professional, 2007
	37	T. Ptacek. Side-Channel Detection Attacks Against Unauthorized Hypervisors. http://www.matasano.com/log/930/side-channel-detection-attacks-against-unauthorized-hypervisors/, 2007.
	38	D. Quist and Valsmith. Covert Debugging: Circumventing Software Armoring. In Black Hat USA, 2007.
	39	T. Raffetseder, C. Kruegel, and E. Kirda. Detecting System Emulators. In ISC, pages 1--18, 2007.
	40	Paul Royal , Mitch Halpin , David Dagon , Robert Edmonds , Wenke Lee, PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware, Proceedings of the 22nd Annual Computer Security Applications Conference on Annual Computer Security Applications Conference, p.289-300, December 11-15, 2006  [doi>10.1109/ACSAC.2006.38]
	41	Michael Sipser, Introduction to the Theory of Computation, International Thomson Publishing, 1996
	42	Peter Szor, The Art of Computer Virus Research and Defense, Addison-Wesley Professional, 2005
	43	Amit Vasudevan , Ramesh Yerraballi, Stealth Breakpoints, Proceedings of the 21st Annual Computer Security Applications Conference, p.381-392, December 05-09, 2005  [doi>10.1109/CSAC.2005.52]
	44	Amit Vasudevan , Ramesh Yerraballi, Cobra: Fine-grained Malware Analysis using Stealth Localized-executions, Proceedings of the 2006 IEEE Symposium on Security and Privacy, p.264-279, May 21-24, 2006  [doi>10.1109/SP.2006.9]
	45	C. Wang and S. Ju. The Dilemma of Covert Channels Searching. In ICISC, pages 169--174, 2005.
	46	Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, and S. T. King. Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities. In NDSS, 2006.
	47	Carsten Willems , Thorsten Holz , Felix Freiling, Toward Automated Dynamic Malware Analysis Using CWSandbox, IEEE Security and Privacy, v.5 n.2, p.32-39, March 2007  [doi>10.1109/MSP.2007.45]
	48	Heng Yin , Dawn Song , Manuel Egele , Christopher Kruegel , Engin Kirda, Panorama: capturing system-wide information flow for malware detection and analysis, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA  [doi>10.1145/1315245.1315261]