Understanding and Detecting Virtualization-based Analysis Environments on ARM
| Field | Value |
|---|---|
| Supervisor(s) | Sergej Proskurin, Julian Kirsch |
| Status | finished |
| Topic | Monitoring (VMI etc.) |
| Author | Florian Jakobsmeier |
| Submission | 2017-09-15 |
| Type of Thesis | Bachelor's thesis |
| Proof of Concept | useful |
Abstract: Researchers rely on virtualization-based analysis environments to automatically analyze malware samples. To evade this analysis, adversaries implement checks in their malicious code that detect the environment it is executing in. Once an artificial environment is detected, the malware suppresses any suspicious behavior, which prevents it from being analyzed. This thesis surveys commonly used detection methods and introduces a new approach that uses hardware functionality of the ARM architecture. Furthermore, we discuss and implement a single-stepping mechanism, a technique commonly used to trace the execution of a VM. Our implementation extends the Xen hypervisor, which does not yet support single stepping on ARM. This thesis also shows that this tracing functionality can itself be detected, and presents possible techniques to prevent malware from detecting our single-stepping mechanism.