Eliminating the Observer Effect in Malware Analysis

May 12th 2016

We have a mission at VMRay to build the ultimate malware Panopticon with a twist. The original 18th century Panopticon design was conceived as a way to monitor inmates in an institution in such a way that they could never know where or when they were being observed – so they would be forced to always stay on their best behavior. By contrast, we want the opposite – like the Panopticon, observe behavior while undetected, but in such a way malware assumes it is never being observed and does its worst.

To achieve that, we need to overcome a phenomenon called the Observer Effect:
“In science, the term observer effect refers to changes that the act of observation will make on a phenomenon being observed. This is often the result of instruments that, by necessity, alter the state of what they measure in some manner.”
The Observer Effect is frequently conflated with, but unrelated to, both the Heisenberg Uncertainty Principle and Schrödinger’s cat.

We’ll illustrate the difference with a funny cat video:


The Observer Effect describes neatly perhaps the biggest challenge in threat detection and analysis. As the malware arms race makes anti-analysis techniques commonplace in malware, we as security vendors are obliged to continually up our game.
We want to simultaneously meet 3 criteria:

  1. Analyze quickly, and at scale
  2. Analyze accurately, and completely 
  3. Infer from that analysis a correct determination of maliciousness

We’ve covered all three of these points in earlier blog posts, for example the posts on hyperscaling, analyzing environment-sensitive malware and automating custom VM setups. Overcoming the Observer Effect is critical to the 2nd point regarding accurate, complete analysis. Of course, if it were easy everyone would be doing it and we wouldn’t need to blog about it! There are traditionally two main approaches to dynamic malware analysis:

  1. Using emulation
  2. Instrument a native OS by hooking

We’ve written extensively about each approach and the contrast with our own agentless hypervisor-based approach, in particular in our whitepaper comparing and contrasting each.
Emulation-based analysis can provide a robust, complete analysis. However, by its very nature, fully and accurately emulating all aspects of a computing environment (OS, memory, etc.) is difficult and fraught with risk. It is also very slow and doesn’t scale.
Hooking-based analysis is where a target analysis machine is instrumented by loading a user-mode or kernel-mode driver that ‘hooks’ or intercepts communication between the process and the OS and tracks other activity and system changes. It is the most widely-adopted mainstream approach for several reasons, one being the relative simplicity of injecting a hook into a native target operating system instead of emulating the entire CPU instruction set, memory and so forth.
Both approaches by definition modify the target analysis environment and hence suffer from the Observer Effect. The malware author, with enough effort and technical skill, will invariably be able to code malware that detects the analysis environment and subsequently modifies its behavior to thwart analysis.
With VMRay, we’ve taken an approach quite different from hooking or emulation. By monitoring at the hypervisor level, VMRay can analyze target virtual machines (VMs) that run completely unmodified – not a single bit is changed.
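To make the contrast concrete, here is a small added model (not VMRay’s code, and not a real Windows API) of the two monitoring styles described above. The guest’s “memory” is a constructed byte string standing in for an API function prologue; an in-guest hook has to patch it, while an out-of-guest monitor records the same call without touching it, which is exactly what an integrity check inside the guest can and cannot see.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed toy model (not VMRay code): guest memory holds the prologue bytes
# of an API function. A hook-based monitor must patch those bytes; a
# hypervisor-based monitor observes the call from outside the guest.
ORIGINAL_PROLOGUE = bytes.fromhex("4c8bd1b826000000")  # constructed sample bytes
JMP_TRAMPOLINE = bytes.fromhex("e9") + (0x1000).to_bytes(4, "little")


@dataclass
class Guest:
    memory: bytearray = field(default_factory=lambda: bytearray(ORIGINAL_PROLOGUE))
    trace: list = field(default_factory=list)

    def call_api(self, name: str) -> None:
        # The guest executes the function; only an in-guest hook sees it here.
        if self.memory.startswith(JMP_TRAMPOLINE):
            self.trace.append(("hook", name))


def install_hook(guest: Guest) -> None:
    # In-guest instrumentation: overwrite the prologue with a jump to the hook.
    guest.memory[: len(JMP_TRAMPOLINE)] = JMP_TRAMPOLINE


def hypervisor_observe(guest: Guest, name: str) -> None:
    # Out-of-guest monitor: records the call, guest memory is left unchanged.
    guest.trace.append(("hypervisor", name))
    guest.call_api(name)


def integrity_digest(guest: Guest) -> str:
    # What a self-checking program running inside the guest can compute.
    return hashlib.sha256(bytes(guest.memory)).hexdigest()


def compare_approaches() -> dict:
    clean = integrity_digest(Guest())
    hooked = Guest()
    install_hook(hooked)
    hooked.call_api("CreateFileW")
    hv = Guest()
    hypervisor_observe(hv, "CreateFileW")
    return {
        "hook_visible_in_guest": integrity_digest(hooked) != clean,
        "hypervisor_visible_in_guest": integrity_digest(hv) != clean,
        "hook_trace": hooked.trace,
        "hypervisor_trace": hv.trace,
    }
```

Both monitors capture the call, but only the hook leaves a footprint that the guest itself can measure.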

Of course, the analysis machine is by definition a VM since it must always run on a hypervisor. We can take steps to hide the presence of a VM, aided by tests like PaFish. Fortunately, even if malware successfully detects a virtualized environment, with the ubiquitous virtualization of corporate desktops and servers that is no longer a reliable indicator of an analysis environment.
Agentless hypervisor-based monitoring represents the best approach to overcoming the Observer Effect. By neither emulating nor modifying the target analysis environment, this approach precludes any attempt by context-aware malware to detect an analysis environment and thwart analysis.
Nevertheless, such malware may still detect analysis environments that don’t look ‘real’ or match the mix of applications and configurations expected on the intended target. That’s a whole other topic for another day!
Follow us on Twitter @VMRay to get updates on future blog posts like this.