Troopers15 Lightning talk: VMI & DRAKVUF
Virtual Machine Introspection & DRAKVUF Dynamic Malware Analysis
Tamas K Lengyel & Thomas Kittel
3/18/2015
Agenda
1. Why VMI?
2. DRAKVUF
3. Rant
Virtual Machine Introspection
✗ In-guest agents are easily detected
✗ In-guest agents are vulnerable to rootkits
Move security stack outside of VMs!
✔ Increased isolation
✔ Complete view of the system
Virtual Machine Introspection
1. Isolation
✔ Security stack outside of VM
2. Interpretation
✔ LibVMI, Volatility, Rekall
3. Interposition
✔ Xen on Intel & ARM
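The "interpretation" step is the semantic gap: from outside the VM all you get is raw guest memory, and tools like LibVMI, Volatility and Rekall turn it back into processes and objects using structure offsets from a profile. The following added example (not code from the talk, DRAKVUF or LibVMI) models that in a self-contained way: a constructed guest memory buffer holds a circular doubly linked list of hypothetical process structures, a hand-written offset table plays the role of the profile, and two views are compared. Walking the list is what an in-guest tool sees; carving structures by their tag from the whole buffer is the "complete view of the system" the slide promises, and the difference exposes a process that was unlinked from the list the way a DKOM rootkit would. Layout, tag value and all addresses are invented for the example and are far simpler than a real EPROCESS.

```python
"""Toy model of the VMI 'interpretation' step: raw guest memory on one side,
a profile of structure offsets on the other. Constructed example; the layout
is hypothetical and much simpler than a real Windows EPROCESS."""
import struct

# Hypothetical profile (the kind of offset table Volatility/Rekall derive
# from debug symbols); every field is 8 bytes, names are 16-byte strings.
PROFILE = {
    "tag": 0x00,    # 8-byte signature identifying the structure in memory
    "pid": 0x08,
    "links": 0x10,  # embedded doubly linked list entry: flink @+0, blink @+8
    "name": 0x20,
    "size": 0x30,
}
PROC_TAG = b"Proc\x00\x00\x00\x00"
LIST_HEAD = 0x100   # address of the list head (PsActiveProcessHead analogue)
MEM_SIZE = 0x1000

def read_u64(mem, addr):
    return struct.unpack_from("<Q", mem, addr)[0]

def write_u64(mem, addr, value):
    struct.pack_into("<Q", mem, addr, value)

def write_process(mem, base, pid, name):
    mem[base + PROFILE["tag"]:base + PROFILE["tag"] + 8] = PROC_TAG
    write_u64(mem, base + PROFILE["pid"], pid)
    mem[base + PROFILE["name"]:base + PROFILE["name"] + 16] = name.encode().ljust(16, b"\x00")

def link(mem, entries):
    """Build a circular list through the given LIST_ENTRY addresses."""
    n = len(entries)
    for i, addr in enumerate(entries):
        write_u64(mem, addr, entries[(i + 1) % n])       # flink
        write_u64(mem, addr + 8, entries[(i - 1) % n])   # blink

def build_guest_memory():
    """Constructed guest memory: four processes, one unlinked (DKOM-style)."""
    mem = bytearray(MEM_SIZE)
    procs = [(0x200, 4, "System"), (0x300, 512, "svchost.exe"),
             (0x400, 1337, "hidden.exe"), (0x500, 2048, "explorer.exe")]
    for base, pid, name in procs:
        write_process(mem, base, pid, name)
    visible = [0x200, 0x300, 0x500]   # 0x400 is left out of the chain
    link(mem, [LIST_HEAD] + [b + PROFILE["links"] for b in visible])
    return mem

def read_process(mem, base):
    pid = read_u64(mem, base + PROFILE["pid"])
    raw = bytes(mem[base + PROFILE["name"]:base + PROFILE["name"] + 16])
    return pid, raw.rstrip(b"\x00").decode()

def walk_process_list(mem, head=LIST_HEAD, limit=1024):
    """Follow flink pointers; each entry is the links field inside a process."""
    result = []
    entry = read_u64(mem, head)
    while entry != head and len(result) < limit:
        base = entry - PROFILE["links"]
        result.append(read_process(mem, base))
        entry = read_u64(mem, entry)
    return result

def scan_processes(mem):
    """Carve structures by tag, ignoring the list entirely (psscan-style)."""
    found = []
    for addr in range(0, len(mem) - PROFILE["size"] + 1, 8):
        if mem[addr:addr + 8] == PROC_TAG:
            found.append(read_process(mem, addr))
    return found

def hidden_processes(mem):
    """Cross-view check: what the scan sees but the list walk does not."""
    return sorted(set(scan_processes(mem)) - set(walk_process_list(mem)))

if __name__ == "__main__":
    guest = build_guest_memory()
    print("walk:", walk_process_list(guest))
    print("scan:", scan_processes(guest))
    print("hidden:", hidden_processes(guest))
```

The list walk reports three processes, the scan reports four, and `hidden_processes` returns the unlinked `hidden.exe`. Everything that makes this work lives outside the guest: the offsets, the tag and the scan itself, which is exactly why a rootkit that can subvert an in-guest agent cannot subvert this view.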
Virtual Machine Introspection
Use cases:
● Better antivirus
● IDS
● IPS
● Access control
● Malware analysis!
http://drakvuf.com
Video available on YouTube at:
VMI Process injection into Windows 7 SP1 x64
http://drakvuf.com
Video available on YouTube at:
DRAKVUF Dynamic Malware Analysis
Rant about Dynamic Analysis
It's not a good augmentation to your firewall!
● It's already too late by the time it finishes
It's not a good replacement of humans!
● "Threat level: over 9000!!!"
It can help antivirus vendors, but that doesn't really help anyone.
Focusing too much on a particular sample is a bad approach!
What you should use it for
● Identify attack surface
● Identify attacker infrastructure
● Create behavioral signature
– Very noisy and very verbose
– It's still better than dumbed down and sparse
– Yet to see how that is usable
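A raw system-call trace from a VMI sandbox is exactly the "very noisy and very verbose" artifact the slide describes: the same calls fire thousands of times, arguments carry per-run handles, temp file names and user names, and unrelated processes contribute their own events. The added example below (not the talk's or DRAKVUF's code; the trace format and the sample lines are constructed for this illustration and are not DRAKVUF's real output) shows one way to condense such a trace into a behavioral signature that stays verbose where it matters: filter to the sample's process, drop a small set of always-present noise calls, normalize volatile arguments to placeholders so two runs compare equal, then deduplicate in order of first appearance and keep counts. The `NOISE` set and the normalization rules are assumptions a practitioner would tune to their own traces.

```python
"""Condense a verbose system-call trace into a compact behavioral signature.
Trace format and sample lines are constructed for this example; they are not
DRAKVUF's real output format."""
import re
from collections import Counter, OrderedDict

# Constructed trace: one event per line, hypothetical layout.
TRACE = """\
pid=1000 proc=sample.exe call=NtQueryPerformanceCounter
pid=1000 proc=sample.exe call=NtCreateFile arg=C:\\Users\\alice\\AppData\\Local\\Temp\\tmp9F3A.exe
pid=1000 proc=sample.exe call=NtWriteFile arg=0x2c8 len=4096
pid=1000 proc=sample.exe call=NtWriteFile arg=0x2c8 len=4096
pid=1000 proc=sample.exe call=NtWriteFile arg=0x2c8 len=812
pid=1000 proc=sample.exe call=NtQueryPerformanceCounter
pid=1000 proc=sample.exe call=NtSetValueKey arg=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
pid=1000 proc=sample.exe call=NtCreateUserProcess arg=C:\\Users\\alice\\AppData\\Local\\Temp\\tmp9F3A.exe
pid=1000 proc=sample.exe call=NtQueryPerformanceCounter
pid=1000 proc=sample.exe call=NtDelayExecution arg=60000
pid=1000 proc=sample.exe call=NtDelayExecution arg=60000
pid=2000 proc=explorer.exe call=NtQueryPerformanceCounter
pid=2000 proc=explorer.exe call=NtReadFile arg=0x1a0 len=4096
"""

# Calls every Windows program issues constantly; keeping them buries the signal.
# Assumed set for the example; tune it to your own traces.
NOISE = {"NtQueryPerformanceCounter", "NtWaitForSingleObject", "NtClose"}

LINE_RE = re.compile(r"pid=(\d+) proc=(\S+) call=(\w+)(?: arg=(\S+))?(?: len=(\d+))?")

def normalize_arg(arg):
    """Replace per-run specifics with placeholders so two runs compare equal."""
    if arg is None:
        return ""
    arg = re.sub(r"^0x[0-9a-fA-F]+$", "<handle>", arg)          # kernel handles
    arg = re.sub(r"^\d+$", "<num>", arg)                          # bare numbers
    arg = re.sub(r"(?i)^C:\\Users\\[^\\]+", r"C:\\Users\\<user>", arg)   # profile dir
    arg = re.sub(r"(?i)\\Temp\\tmp[0-9a-f]+\.", r"\\Temp\\tmp<rand>.", arg)  # temp names
    return arg

def parse(trace):
    """Yield (pid, process, call, raw_arg) for each well-formed line."""
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid, proc, call, arg, _length = m.groups()
            yield int(pid), proc, call, arg

def behavioral_signature(trace, sample_proc):
    """Ordered, deduplicated events of one process with occurrence counts."""
    counts = Counter()
    order = OrderedDict()
    for _pid, proc, call, arg in parse(trace):
        if proc != sample_proc or call in NOISE:
            continue
        key = (call, normalize_arg(arg))
        counts[key] += 1
        order.setdefault(key, None)
    return [(call, arg, counts[(call, arg)]) for call, arg in order]

if __name__ == "__main__":
    for call, arg, n in behavioral_signature(TRACE, "sample.exe"):
        print(f"{n:3d}x {call} {arg}")
```

Thirteen trace lines reduce to five signature entries for `sample.exe`: a dropped file in the user's temp directory, three writes to it, a Run-key persistence entry, execution of the dropped file, and two long `NtDelayExecution` calls. That last entry is the kind of stall tactic the conclusion of the talk expects malware to adopt against sandboxes, and it only stands out because the signature keeps counts instead of collapsing everything to a set.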
Conclusion
● DRAKVUF supports large-scale, automated malware collection/analysis
● Malware authors will likely adapt by switching from sandbox detection to stall-tactics
● Dynamic analysis yet to find its right place
● Stay tuned: TOTEM
Thanks!