From the lab - VM introspection

From the lab - VM introspection

Malware analysis has become expensive from a security operations point of view, as it usually involves setting up environments, then ‘snapshotting’ various images and installing numerous monitoring tools for each instance of a malware infection. For sophisticated malware such as bootkits, rootkits et al., this can be even more cumbersome. Advanced types of malware need the analyst to have significant expertise as most well known detectors, (such as Anti-Virus or HIPS) are not reliably able identify these infections.

In this article Rahul Kashyap looks at the unearthing and profiling sophisticated x64 bit kernel mode bootkits that continue to leverage holes on Windows 7 to bypass protection mechanisms like windows Patchguard to persist and infect machines. This article describes some of the holes that these bootkits leverage with in-depth details and then will present some new emerging analysis technologies that leverage hypervisor enabled VM introspection.