TROOPERS15 lightning talk: VMI & DRAKVUF
TRANSCRIPT
Virtual Machine Introspection&DRAKVUF Dynamic Malware Analysis
Tamas K Lengyel & Thomas Kittel
3/18/2015
Agenda
1. Why VMI?
2. DRAKVUF
3. Rant
Virtual Machine Introspection
✗ In-guest agents are easily detected
✗ In-guest agents are vulnerable to rootkits
Move security stack outside of VMs!
✔ Increased isolation
✔ Complete view of the system
Virtual Machine Introspection
1. Isolation
✔ Security stack outside of VM
2. Interpretation
✔ LibVMI, Volatility, Rekall
3. Interposition
✔ Xen on Intel & ARM
Virtual Machine Introspection
Use cases:
● Better antivirus
● IDS
● IPS
● Access control
● Malware analysis!
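The "interpretation" step on the previous slide (bridging the semantic gap between raw guest memory and OS objects, which is what LibVMI, Volatility and Rekall do) and the "complete view of the system" claim are illustrated below with an added example. This is example code written for this page, not code from the talk, from DRAKVUF or from any of those tools. It assumes a made-up process-object layout (the offsets are hypothetical, not real Windows _EPROCESS or Linux task_struct layouts), a hypothetical kernel symbol PS_LIST_HEAD, and a constructed byte image standing in for the paused VM's memory. It goes one step beyond the slide by also showing why the outside view is rootkit-resistant: a DKOM-style unlink hides a process from the list walk, and a pointer-free scan of the same memory still finds it. With LibVMI the reads would be vmi_read_addr_va()/vmi_read_str_va() against the live guest and the offsets would come from the OS profile; the list walk and the cross-view compare are the same.

```python
"""VMI interpretation from outside the guest: walk a kernel process list in
raw memory, then cross-check it against a signature scan of the same memory."""
import struct

# Constructed, hypothetical process-object layout for a toy 64-bit guest kernel
# (NOT real Windows/Linux offsets; LibVMI would take these from a profile):
#   +0x00 tag b"PROC" (u32)   +0x04 pid (u32)   +0x08 name (16 bytes, NUL padded)
#   +0x18 links.flink (u64)   +0x20 links.blink (u64)   object size 0x28
OFF_TAG, OFF_PID, OFF_NAME, OFF_LINKS, PROC_SIZE = 0x00, 0x04, 0x08, 0x18, 0x28
PROC_TAG, NAME_LEN = b"PROC", 16
KERNEL_BASE = 0xFFFF800000000000          # hypothetical guest VA where our image is mapped
PS_LIST_HEAD = KERNEL_BASE + 0x1000       # hypothetical kernel symbol: the list head


class GuestMemory:
    """Flat byte image standing in for vmi_read_*_va() on a paused VM."""

    def __init__(self, base, image):
        self.base, self.image = base, bytearray(image)

    def read(self, va, n):
        off = va - self.base
        if off < 0 or off + n > len(self.image):
            raise ValueError(f"unmapped guest VA {va:#x}")
        return bytes(self.image[off:off + n])

    def write(self, va, data):
        off = va - self.base
        self.image[off:off + len(data)] = data

    def read_u64(self, va):
        return struct.unpack_from("<Q", self.read(va, 8))[0]

    def read_u32(self, va):
        return struct.unpack_from("<I", self.read(va, 4))[0]

    def read_str(self, va, n):
        return self.read(va, n).split(b"\0", 1)[0].decode("ascii", "replace")


def build_sample_guest(names):
    """Construct a guest image: a bare LIST_ENTRY head at PS_LIST_HEAD followed
    by one process object per name, all circularly linked (constructed data)."""
    objs = [PS_LIST_HEAD + 0x100 + i * PROC_SIZE for i in range(len(names))]
    end = objs[-1] + PROC_SIZE if objs else PS_LIST_HEAD + 0x10
    mem = GuestMemory(KERNEL_BASE, b"\0" * (end - KERNEL_BASE))
    entries = [PS_LIST_HEAD] + [o + OFF_LINKS for o in objs]
    for i, entry in enumerate(entries):                       # {flink, blink}
        mem.write(entry, struct.pack("<QQ", entries[(i + 1) % len(entries)],
                                     entries[(i - 1) % len(entries)]))
    for pid, (obj, name) in enumerate(zip(objs, names), start=4):
        mem.write(obj + OFF_TAG, PROC_TAG)
        mem.write(obj + OFF_PID, struct.pack("<I", pid))
        mem.write(obj + OFF_NAME, name.encode().ljust(NAME_LEN, b"\0")[:NAME_LEN])
    return mem


def walk_process_list(mem, head_va=PS_LIST_HEAD, max_entries=65536):
    """Interpretation: follow flink from the list head and turn every embedded
    LIST_ENTRY back into its containing object (CONTAINING_RECORD).
    Returns [(pid, name, object_va), ...] in list order."""
    procs, seen = [], set()
    entry = mem.read_u64(head_va)                             # head.flink
    while entry != head_va:
        if entry in seen or len(procs) >= max_entries:
            raise RuntimeError("process list is cyclic or corrupted")
        seen.add(entry)
        nxt = mem.read_u64(entry)                             # entry.flink
        if mem.read_u64(nxt + 8) != entry:                    # next.blink must point back
            raise RuntimeError(f"broken back-link at {entry:#x}")
        obj = entry - OFF_LINKS
        procs.append((mem.read_u32(obj + OFF_PID),
                      mem.read_str(obj + OFF_NAME, NAME_LEN), obj))
        entry = nxt
    return procs


def dkom_unlink(mem, obj_va):
    """What an in-guest DKOM rootkit does: splice the object out of the list.
    The object's memory, tag and name stay exactly where they were."""
    entry = obj_va + OFF_LINKS
    flink, blink = mem.read_u64(entry), mem.read_u64(entry + 8)
    mem.write(blink, struct.pack("<Q", flink))                # prev.flink = next
    mem.write(flink + 8, struct.pack("<Q", blink))            # next.blink = prev


def scan_processes(mem):
    """Second view that trusts no guest pointers: carve objects by their tag
    (the idea behind pool-tag scanning, e.g. Volatility's psscan)."""
    found, pos = [], mem.image.find(PROC_TAG)
    while pos != -1:
        obj = mem.base + pos
        found.append((mem.read_u32(obj + OFF_PID),
                      mem.read_str(obj + OFF_NAME, NAME_LEN), obj))
        pos = mem.image.find(PROC_TAG, pos + 1)
    return found


def hidden_processes(mem):
    """Cross-view detection: objects the scan sees but the list walk does not."""
    listed = {obj for _, _, obj in walk_process_list(mem)}
    return [p for p in scan_processes(mem) if p[2] not in listed]


if __name__ == "__main__":
    guest = build_sample_guest(["System", "explorer.exe", "malware.exe"])
    print("list walk :", [n for _, n, _ in walk_process_list(guest)])
    dkom_unlink(guest, walk_process_list(guest)[2][2])        # rootkit hides malware.exe
    print("after DKOM:", [n for _, n, _ in walk_process_list(guest)])
    print("hidden    :", [n for _, n, _ in hidden_processes(guest)])
```

An in-guest agent calling the OS's own process-enumeration API would see only the walked list; the out-of-guest view reads the same physical pages directly, so the unlinked object cannot hide from the scan. The back-link check in the walk is the cheap consistency test every introspection tool should do before trusting a pointer chain, since it stops a corrupted or adversarial list from turning a walk into an infinite loop or a read of arbitrary guest memory.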
DRAKVUF Dynamic Malware Analysis
Video available on YouTube at: http://drakvuf.com
VMI Process injection into Windows 7 SP1 x64
Video available on YouTube at: http://drakvuf.com
Rant about Dynamic Analysis
It's not a good augmentation to your firewall!
● It's already too late by the time it finishes
It's not a good replacement for humans!
● "Threat level: over 9000!!!"
It can help antivirus vendors, but that doesn't really help anyone...
Focusing too much on a particular sample is a bad approach!
What you should use it for
● Identify attack surface
● Identify attacker infrastructure
● Create behavioral signature
– Very noisy and very verbose
– It's still better than dumbed down and sparse
– Yet to see how that is usable
Conclusion
● DRAKVUF supports large-scale, automated malware collection/analysis
● Malware authors will likely adapt by switching from sandbox detection to stall-tactics
● Dynamic analysis yet to find its right place
● Stay tuned: TOTEM
Thanks!