Guaranteeing transparency of in-guest malware detection tools and virtualization environments

Dr. Félegyházi Márk
Department of Networked Systems and Services

The number of malicious software samples has been growing rapidly over the last few years, and analyzing each unique sample manually is not feasible in practice. Anti-virus vendors have therefore built automated analysis environments on top of recent virtualization technology. These systems can analyze massive numbers of malware samples in a short time.

Authors of malicious software know very well that anti-virus vendors use automated analysis systems that rely on virtual machines.

Hence, they equip their software with functionality that aims at detecting the virtual environment and the in-guest analysis tools. If the malware finds artifacts of an analysis environment, it behaves like a benign application in order to evade detection.

This thesis enumerates current detection techniques and tries to mitigate them. To achieve this, I designed and implemented two pieces of software: the first detects the VMware Workstation and ESX/ESXi virtualization platforms in several different ways, and the second hides the virtualization artifacts left behind by in-guest malware detection tools.
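As an added illustration of the class of in-guest VMware checks the thesis enumerates (example code written for this page, not the thesis's own detector), the program below combines two well-known, documented signals: CPUID leaf 1 ECX bit 31 ("hypervisor present") followed by the 12-byte vendor string that CPUID leaf 0x40000000 returns in EBX, ECX, EDX (VMware reports "VMwareVMware"), and the OUI prefixes VMware has registered for its virtual NICs (00:05:69, 00:0C:29, 00:1C:14, 00:50:56). The register decoding assumes a little-endian x86 host; the MAC strings in main() are constructed test input, not values captured from a real system.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 1, ECX bit 31 is the "hypervisor present" flag that most
 * hypervisors (including VMware) set for the guest. */
int hypervisor_bit_set(uint32_t leaf1_ecx)
{
    return (leaf1_ecx >> 31) & 1u;
}

/* Decode the hypervisor vendor string of CPUID leaf 0x40000000: the 12 bytes
 * are spread over EBX, ECX, EDX in that order. Assumes little-endian byte
 * order, as on x86. */
void hv_vendor_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* 1 if the three registers spell VMware's vendor string "VMwareVMware". */
int regs_say_vmware(uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    char vendor[13];
    hv_vendor_from_regs(ebx, ecx, edx, vendor);
    return strcmp(vendor, "VMwareVMware") == 0;
}

/* 1 if the MAC address (":" or "-" separated, any case) starts with one of
 * VMware's registered OUIs. */
int is_vmware_mac(const char *mac)
{
    static const char *const ouis[] = { "000569", "000c29", "001c14", "005056" };
    char oui[7];
    size_t n = 0;

    /* collect the first six hex digits, skipping separators */
    for (const char *p = mac; *p != '\0' && n < 6; p++) {
        if (*p == ':' || *p == '-')
            continue;
        if (!isxdigit((unsigned char)*p))
            return 0;
        oui[n++] = (char)tolower((unsigned char)*p);
    }
    if (n < 6)
        return 0;
    oui[6] = '\0';

    for (size_t i = 0; i < sizeof ouis / sizeof ouis[0]; i++)
        if (strcmp(oui, ouis[i]) == 0)
            return 1;
    return 0;
}

/* Live probe: returns 1 if the CPU we run on reports VMware as hypervisor.
 * On non-x86 builds it always returns 0 and leaves vendor_out empty. */
int probe_vmware_cpuid(char vendor_out[13])
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    __cpuid(1, eax, ebx, ecx, edx);
    if (!hypervisor_bit_set(ecx)) {
        vendor_out[0] = '\0';
        return 0;
    }
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    hv_vendor_from_regs(ebx, ecx, edx, vendor_out);
    return strcmp(vendor_out, "VMwareVMware") == 0;
#else
    vendor_out[0] = '\0';
    return 0;
#endif
}

int main(void)
{
    char vendor[13];
    int vmware = probe_vmware_cpuid(vendor);
    printf("cpuid: hypervisor vendor \"%s\" -> %s\n", vendor,
           vmware ? "VMware detected" : "no VMware signature");

    /* constructed sample MACs, not captured from a real machine */
    const char *samples[] = { "00:0C:29:AB:CD:EF", "00-50-56-12-34-56", "52:54:00:12:34:56" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("mac %s -> %s\n", samples[i],
               is_vmware_mac(samples[i]) ? "VMware OUI" : "not a VMware OUI");
    return 0;
}
```

Both signals are cheap for malware to evaluate and equally cheap for an analysis environment to mask: VMware lets the `cpuid` leaf be masked from the guest, and the NIC's MAC can be set to any value, which is exactly the artifact-hiding side the thesis's second tool addresses. A negative result from these checks therefore says nothing definitive, which is why real detectors chain many independent artifacts.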

