From the lab - VM introspection
From the lab - VM introspection
Malware analysis has become expensive from a security operations point of view, as it usually involves setting up environments, then ‘snapshotting’ various images and installing numerous monitoring tools for each instance of a malware infection. For sophisticated malware such as bootkits, rootkits et al., this can be even more cumbersome. Advanced types of malware need the analyst to have significant expertise as most well known detectors, (such as Anti-Virus or HIPS) are not reliably able identify these infections.
In this article Rahul Kashyap looks at the unearthing and profiling sophisticated x64 bit kernel mode bootkits that continue to leverage holes on Windows 7 to bypass protection mechanisms like windows Patchguard to persist and infect machines. This article describes some of the holes that these bootkits leverage with in-depth details and then will present some new emerging analysis technologies that leverage hypervisor enabled VM introspection.
Find out more - subscribe to DFM today and read the full article. Or if you're a subscriber, login and read the article online.