A Study on Using Emulab for Malware Analysis

Lee, Man-hee; Seok, Woo-jin (이만희, 석우진)

  • Received: 2015.10.07
  • Reviewed: 2015.12.07
  • Published: 2016.02.29

Abstract

Virtualized environments are widely used to analyze the rapidly growing volume of malware efficiently. Malware authors, aware of this, apply analysis-evasion techniques: using virtualization-detection methods, the malware determines that it is running in a virtualized environment and, for example, refrains from performing its malicious behavior. Research on defeating these evasion techniques continues, but several virtualization-detection techniques still significantly hinder malware analysis. Emulab, developed at the University of Utah, can allocate real (physical) systems to researchers on demand, in real time, according to their specifications. This study examines how Emulab can be used for malware analysis and proposes an approach for doing so.
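To make the bare-metal idea concrete, the following is an added example (not code from the paper or from the Emulab project) of an Emulab NS-format experiment file that requests two physical nodes: one that runs the sample and one that captures its traffic on a private LAN. The hardware type, OS image names and script path are placeholders, since each testbed (emulab.net, emulab.kreonet.net) publishes its own valid values.

```tcl
# Added example: Emulab NS-format experiment description for bare-metal
# malware analysis. The sample runs on a real machine, so hardware-level
# virtualization checks (timing, CPU features, device names) see no hypervisor.
# Hardware type, image names and paths below are placeholders (assumptions).
set ns [new Simulator]
source tb_compat.tcl

# Node that will run the sample, and a second node that records its traffic.
set victim  [$ns node]
set monitor [$ns node]

# Request physical machines of a given type and the OS image to load on each.
# The testbed loads the requested image onto the node's disk at swap-in, so
# every run starts from a known image rather than a previously infected one.
tb-set-hardware $victim  NODE-TYPE-PLACEHOLDER
tb-set-hardware $monitor NODE-TYPE-PLACEHOLDER
tb-set-node-os  $victim  WINDOWS-IMAGE-PLACEHOLDER
tb-set-node-os  $monitor CAPTURE-IMAGE-PLACEHOLDER

# Private experimental LAN containing only these two nodes; the sample's
# network activity stays on this segment where the monitor can capture it.
set lan0 [$ns make-lan "$victim $monitor" 100Mb 0ms]

# Start the capture on the monitor automatically when the experiment is
# swapped in (script path under the project's shared /proj tree; placeholder).
tb-set-node-startcmd $monitor "/proj/PROJECT/exp/EXPERIMENT/start-capture.sh"

# Note: every Emulab node also has a testbed-managed control-network
# interface. Confining the sample to lan0 (for example, with a firewalled
# experiment where the testbed offers one) is a separate step not done here.
$ns rtproto Static
$ns run
```

Swapping this experiment in allocates the two machines and loads the images; the sample is then copied to the victim node and executed there while the monitor records the LAN traffic.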

Keywords

Cyber security; Emulab; Virtualization; Malware analysis


Funding information

Project number: institutional core research fund (기관고유사업비)

Funding agency: 한국과학기술정보연구원 (Korea Institute of Science and Technology Information, KISTI)