troopers15 lightning talk: vmi & drakvuf


Page 1: Troopers15 Lightning talk: VMI & DRAKVUF

Virtual Machine Introspection & DRAKVUF Dynamic Malware Analysis

Tamas K Lengyel & Thomas Kittel

3/18/2015

Page 2

Agenda

1. Why VMI?

2. DRAKVUF

3. Rant

Page 3

Virtual Machine Introspection

✗ In-guest agents are easily detected
✗ In-guest agents are vulnerable to rootkits

Move security stack outside of VMs!
✔ Increased isolation
✔ Complete view of the system

Page 4

Virtual Machine Introspection

1. Isolation
✔ Security stack outside of VM

2. Interpretation
✔ LibVMI, Volatility, Rekall

3. Interposition
✔ Xen on Intel & ARM
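Added example, not code from the talk or from DRAKVUF/LibVMI: the interpretation step from the slide above, done as a cross-view process listing over a constructed guest-memory snapshot. It walks the active-process list by structure offsets the way LibVMI's process-list example does, then carves every process object by tag the way a memory-forensics scanner does, and reports objects the list walk never reached; that is how a DKOM rootkit which unlinks itself from the in-guest list shows up from outside the VM (slide 3's point). The memory layout, the `Proc` tag, every offset and the identity-mapped addresses are assumptions made for this demo; real `_EPROCESS` offsets come from the guest profile that LibVMI loads.

```c
/* Added example (not DRAKVUF/LibVMI code): cross-view process detection
 * over a constructed guest-memory snapshot. Layout, offsets and the
 * "Proc" tag are invented for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MEM_SIZE     0x1000
#define HEAD_ADDR    0x100   /* stand-in for PsActiveProcessHead */
#define OFF_TAG      0x00    /* 4-byte tag, stand-in for a pool tag */
#define OFF_PID      0x08    /* uint32 UniqueProcessId stand-in */
#define OFF_LINKS    0x10    /* LIST_ENTRY {flink, blink}: the "win_tasks" offset */
#define OFF_NAME     0x20    /* 16-byte ImageFileName stand-in */
#define PROC_STRIDE  0x100
#define MAX_PROCS    16

typedef struct { uint64_t base; uint32_t pid; char name[16]; } proc_t;

/* VMI-style reads. The guest is identity-mapped here (va == offset into the
 * buffer), and every read is bounds-checked, since a real vmi_read_*_va()
 * fails when the page is not mapped and the caller must cope with that. */
static bool read_u32(const uint8_t *mem, uint64_t va, uint32_t *out) {
    if (va + 4 > MEM_SIZE) return false;
    memcpy(out, mem + va, 4); return true;
}
static bool read_u64(const uint8_t *mem, uint64_t va, uint64_t *out) {
    if (va + 8 > MEM_SIZE) return false;
    memcpy(out, mem + va, 8); return true;
}
static bool read_proc(const uint8_t *mem, uint64_t base, proc_t *p) {
    if (base + OFF_NAME + 16 > MEM_SIZE) return false;
    p->base = base;
    if (!read_u32(mem, base + OFF_PID, &p->pid)) return false;
    memcpy(p->name, mem + base + OFF_NAME, 16); p->name[15] = '\0';
    return true;
}

/* View 1: follow the links from the list head, as LibVMI's process-list
 * example does. flink points at the LIST_ENTRY inside the next process, so
 * subtract OFF_LINKS to reach the structure base. The n < max guard also
 * stops a corrupted or deliberately looped list from spinning forever. */
int walk_active_list(const uint8_t *mem, proc_t *out, int max) {
    uint64_t cur; int n = 0;
    if (!read_u64(mem, HEAD_ADDR, &cur)) return -1;
    while (cur != HEAD_ADDR && n < max) {
        if (cur < OFF_LINKS || !read_proc(mem, cur - OFF_LINKS, &out[n])) return -1;
        n++;
        if (!read_u64(mem, cur, &cur)) return -1;   /* next flink */
    }
    return n;
}

/* View 2: carve every object carrying the tag, independent of any list
 * (the psscan idea). A rootkit that unlinks its process from the list
 * cannot also make the object disappear from physical memory. */
int scan_for_procs(const uint8_t *mem, proc_t *out, int max) {
    int n = 0;
    for (uint64_t va = 0; va + PROC_STRIDE <= MEM_SIZE && n < max; va += 8)
        if (memcmp(mem + va + OFF_TAG, "Proc", 4) == 0 && read_proc(mem, va, &out[n])) n++;
    return n;
}

/* Cross-view: anything carved that the list walk never reached. */
int find_hidden(const uint8_t *mem, proc_t *hidden, int max) {
    proc_t listed[MAX_PROCS], carved[MAX_PROCS];
    int nl = walk_active_list(mem, listed, MAX_PROCS);
    int nc = scan_for_procs(mem, carved, MAX_PROCS);
    int nh = 0;
    if (nl < 0 || nc < 0) return -1;
    for (int i = 0; i < nc && nh < max; i++) {
        bool seen = false;
        for (int j = 0; j < nl; j++) if (listed[j].base == carved[i].base) seen = true;
        if (!seen) hidden[nh++] = carved[i];
    }
    return nh;
}

/* Constructed snapshot: System and explorer.exe are linked through the head;
 * rootkit.exe is a valid object whose links only point at itself (DKOM). */
static void put_proc(uint8_t *mem, uint64_t base, uint32_t pid, const char *name,
                     uint64_t flink, uint64_t blink) {
    memcpy(mem + base + OFF_TAG, "Proc", 4);
    memcpy(mem + base + OFF_PID, &pid, 4);
    memcpy(mem + base + OFF_LINKS, &flink, 8);
    memcpy(mem + base + OFF_LINKS + 8, &blink, 8);
    strncpy((char *)mem + base + OFF_NAME, name, 16);
}
void build_snapshot(uint8_t *mem) {
    uint64_t a = 0x200, b = 0x300, c = 0x400;
    uint64_t first = a + OFF_LINKS, last = b + OFF_LINKS;
    memset(mem, 0, MEM_SIZE);
    memcpy(mem + HEAD_ADDR, &first, 8);
    memcpy(mem + HEAD_ADDR + 8, &last, 8);
    put_proc(mem, a, 4, "System", b + OFF_LINKS, HEAD_ADDR);
    put_proc(mem, b, 1234, "explorer.exe", HEAD_ADDR, a + OFF_LINKS);
    put_proc(mem, c, 666, "rootkit.exe", c + OFF_LINKS, c + OFF_LINKS);
}

int main(void) {
    uint8_t mem[MEM_SIZE]; proc_t hidden[MAX_PROCS];
    build_snapshot(mem);
    int n = find_hidden(mem, hidden, MAX_PROCS);
    for (int i = 0; i < n; i++)
        printf("hidden process: pid %u name %s at 0x%llx\n",
               hidden[i].pid, hidden[i].name, (unsigned long long)hidden[i].base);
    return 0;
}
```

The list walk is what an in-guest tool sees; the carve is only possible because the introspecting side has the whole physical memory of the guest, and the difference between the two views is the detection. Against a real guest the same three functions would sit on top of `vmi_read_*_va()` with offsets taken from the profile rather than the constants above.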

Page 5

Virtual Machine Introspection

Use cases:
● Better antivirus
● IDS
● IPS
● Access control
● Malware analysis!

Page 6

http://drakvuf.com

Video available on YouTube at:

VMI Process injection into Windows 7 SP1 x64

Page 7

http://drakvuf.com

Video available on YouTube at:

DRAKVUF Dynamic Malware Analysis

Page 8

Rant about Dynamic Analysis

It's not a good augmentation to your firewall!
● It's already too late by the time it finishes

It's not a good replacement for humans!
● “Threat level: over 9000!!!”

It can help antivirus vendors, but that doesn't really help anyone.

Focusing too much on a particular sample is a bad approach!

Page 9

What you should use it for

● Identify attack surface

● Identify attacker infrastructure

● Create behavioral signature
– Very noisy and very verbose
– It's still better than dumbed down and sparse
– Yet to see how that is usable

Page 10

Conclusion

● DRAKVUF supports large-scale, automated malware collection/analysis

● Malware authors will likely adapt by switching from sandbox detection to stall-tactics

● Dynamic analysis has yet to find its right place

● Stay tuned: TOTEM

Thanks!