METHOD FOR MASKING A VM FROM BEING DETECTED BY MALICIOUS SOFTWARE
Author(s): Vishnevskaya Tatiana Ivanovna, Makarenko Oleg Konstantinovich
Rubric: Information technology
Release: 2020-2 (31)
Keywords: information security, masking, QEMU, KVM, virtual machine, malware
Annotation: The article a method of masking for a virtual machine, which is launched utilizing virtualization systems QEMU and KVM are proposed. The aim of the work is to create a method for masking a virtual machine, using which the detection of a virtual machine will be complicated. It is shown that the cost of CPU time to exit and return to the virtualization system is the most characteristic feature that allows malware to detect the use of a VM. A method for masking a VM is proposed based on counting the number of actually passed ticks of the host processor and replacing it when returning to the VM. Algorithms of evading tests for virtual environment presence are described. The result of the masking method are presented. The relevance of the proposed method implementation is given. Possible application scenarios for the method are also described. The proposed method of masking the virtual environment can be used to analyze the behavior of malware. As a result of applying the developed masking method, programs could not detect the presence of a virtual environment. The obtained research results will be useful for developers of malware analysis tools.
Bibliography: Vishnevskaya TA.IV., Makarenko OL.KO. METHOD FOR MASKING A VM FROM BEING DETECTED BY MALICIOUS SOFTWARE // Education Resources and Technologies. – 2020. – № 2 (31). – С. 48-57. doi: 10.21777/2500-2112-2020-2-48-57