Improving Antivirus Scanner Accuracy with Hypervisor Based Analysis

DEF CON 18

Presented by: Danny Quist
Date: Saturday July 31, 2010
Time: 10:00 - 10:50
Location: Grande E-F
Track: Track 5


The protection systems built into modern malware thoroughly and effectively break modern antivirus software. Simple obfuscations reduce the effectiveness of a scanner and have been employed by malware authors to stay one step ahead of your AV software. The effect is that scanners are rendered useless, and you are at more risk. This talk will outline the use of a hypervisor-based deobfuscation engine that greatly improves the effectiveness of AV software. I will show how to make an end-run around some of the tricks that malware authors employ, producing better scanning results and defenses. The techniques we will show are hypervisor analysis, rebuilding imports from the Windows kernel data structures, and a new and improved original entry point detection system. Using techniques inspired by offensive rootkits, we have improved AV detection by as much as 45%.

Danny Quist

Danny Quist is the CEO and founder of Offensive Computing, LLC, an open malware research site. He works on automated analysis methods for malware using software and hardware assisted techniques. He holds a patent for a network quarantine system. His research interests include reverse engineering and exploitation methods. Danny holds a Ph.D. in computer science from the New Mexico Institute of Mining and Technology.

