Virt-ICE: Next Generation Debugger for Malware Analysis

Black Hat USA 2010

Presented by: Quynh Nguyen Anh
Date: Thursday July 29, 2010
Time: 15:15 - 16:30
Location: Augustus 3+4
Track: Cloud Virtualization

Dynamic malware analysis is an important method for analyzing malware, and its most important tool is the debugger. However, because debuggers were originally built by software developers to debug legitimate software, they have significant weaknesses when used against malware. First, malware can easily detect the presence of a debugger with various tricks. A second, more fundamental problem is that malware runs in the same security domain as the debugger, so it can tamper with the debugger and prevent it from functioning correctly. Unfortunately, none of these drawbacks can be fixed within the current architecture.

This research presents a new debugger named Virt-ICE, designed to address the problems of current malware debuggers. Using virtualization technology, Virt-ICE is totally invisible to malware, which renders most available anti-debugging techniques useless. Thanks to the isolation provided by the virtual machine, Virt-ICE is out of the reach of malware and cannot be tampered with. Another advantage of Virt-ICE is that, unlike many other popular debuggers, it can handle ring-0 code, so it has no issue dealing with kernel rootkits. Virt-ICE also offers a novel event-based method for intercepting malware execution, which helps improve debugging efficiency. Finally, Virt-ICE includes built-in automatic malware analysis facilities that give analysts more information about the malware, so they can reduce time on the job by focusing their debugging efforts on the important points.

We conclude the talk with some live demos to show how Virt-ICE can debug some real malware.

Quynh Nguyen Anh

Quynh Nguyen Anh is a researcher at the National Institute of Advanced Industrial Science and Technology (AIST), Japan. His interests include operating systems, virtualization, digital forensics, intrusion detection, malware analysis and vulnerability research. He has published many academic papers in those fields, and loves to travel the world to present his research results at various hacking conferences. Quynh obtained his PhD in computer science from Keio University, Japan. He is also a member of Vnsecurity, a pioneer security research group in Vietnam.
