
Research And Implementation On Malware Behavior Analysis System Based Virtualization

Posted on: 2013-05-23
Degree: Master
Type: Thesis
Country: China
Candidate: H Jiang
GTID: 2248330395465668
Subject: Computer Science and Technology
Abstract:
In recent years, with the growing scale of the Internet and its user population, new applications and business models keep emerging. Meanwhile, the number of attacks against the Internet is steadily increasing, the variety and volume of malware spreading across it are rising, and malware's self-protection capabilities are constantly improving. This expanding security threat not only causes users huge economic losses, but also confronts the country with information security issues of unprecedented scale. Reducing or eliminating these threats depends on security researchers performing rapid and effective analysis of malicious code and extracting the fingerprints and behavioral characteristics of malware in order to defend against its attacks.

Because of the rapid growth of malicious code and its self-protection ability, there is an urgent need for a fast and effective malicious-code analysis system. Static analysis can reveal multiple execution paths of a malicious sample, but it is inefficient and complex, and with the development of anti-analysis techniques it can hardly meet the need for analyzing malicious samples at scale. Dynamic behavior analysis, which extracts the behavior of malicious code by actually running it, is the main method of malicious-code analysis; it is not affected by anti-disassembly tricks or packers. Current virtual-machine-based behavior analysis systems can analyze samples automatically, but they support only a single task at a time and need a long time to restore the system, so they cannot meet current needs. Limited by the virtual machine's implementation, some anti-virtualization malicious code may also evade analysis. Sandbox-based behavior analysis systems analyze quickly, but they cannot handle anti-tracking and anti-virtualization malicious code because the sandbox runs at a low privilege level and coexists in the same environment as the malware.

Hardware-assisted virtualization improves the transparency of the analysis system, but it is still powerless when faced with a large number of malicious samples. In this paper, based on a study of the technology used by current malware analysis systems, we present an approach to malware analysis that can analyze large numbers of malware samples rapidly and efficiently. The approach uses a Feather-Weight Virtual Machine Sandbox, which can restore the analysis environment quickly and analyze malicious samples in parallel. Because sandbox technology lacks transparency when analyzing malware, we also use hardware-assisted virtualization technology to compensate for that shortcoming and improve the transparency of the whole analysis system. To verify the validity of this approach, we designed and implemented a new malware analysis system that combines the advantages of the sandbox's rapid analysis and the high transparency of hardware-assisted virtualization; it also has the ability to collect and analyze malicious code automatically. Finally, the approach is shown to be effective through an experiment comparing it with another malware analysis system.
Keywords/Search Tags: malware, behavior analysis, sandbox, hardware-assisted virtualization