Improving Scalable, Automated Baremetal Malware Analysis presented at CSAWthreads 2014

by Paul Royal and Adam Allred

Summary: Detection of virtualized malware analysis environments has become increasingly common and commoditized; sophisticated virtualization detection techniques are now available to any novice cybercriminal. In response, several analysis environments have been built to address the transparency shortcomings of virtualization, one of which is the baremetal malware analysis system. The challenge of baremetal analysis is to reliably automate the processing of large volumes of malware despite having less control over the analysis environment than a traditional virtualized system affords. In this presentation we examine NVMTrace, an open source baremetal malware analysis framework, and describe enhancements that both further increase the system's transparency and improve its reliability.
Adam Allred is a Research Technologist in the Georgia Tech Information Security Center (GTISC) and a candidate in the College of Computing's MS Information Security degree program. In these roles, he manages the center's technology infrastructure and participates in various applied research initiatives. His current research focus is the automated analysis of malicious software.