BareBox: efficient malware analysis on bare-metal

Jump to navigation Jump to search

(Publication) Google search: [1]

BareBox: efficient malware analysis on bare-metal
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2011 / 2011
Editor/Conference Annual Computer Security Applications Conference
Link barebox.pdf (Archive copy)
Author Dhilung Kirat, Giovanni Vigna, Christopher Kruegel
Type Conference paper"Conference paper" is not in the list (Blogpost, White paper, Scientific paper, Press article, Conference paper or presentation, Threat entry, Press release, Tech report) of allowed values for the "Type" property.


Present-day malware analysis techniques use both virtualized and emulated environments to analyze malware. The reason is that such environments provide isolation and system restoring capabilities, which facilitate automated analysis of malware samples. However, there exists a class of malware, called VM-aware malware, which is capable of detecting such environments and then hide its malicious behavior to foil the analysis. Because of the artifacts introduced by virtualization or emulation layers, it has always been and

will always be possible for malware to detect virtual environments. The definitive way to observe the actual behavior of VM-aware malware is to execute them in a system running on real hardware, which is called a "bare-metal" system. However, after each analysis, the system must be restored back to the previous clean state. This is because running a malware program can leave the system in an instable/insecure state and/or interfere with the results of a subsequent analysis run. Most of the available state-of-the-art system restore solutions are based on disk restoring and require a system reboot. This results in a significant downtime between each analysis. Because of this limitation, efficient automation of malware analysis in bare-metal systems has been a challenge. This paper presents the design, implementation, and evaluation of a malware analysis framework for bare-metal systems that is based on a fast and rebootless system restore technique. Live system restore is accomplished by restoring the entire physical memory of the analysis operating system from another, small operating system that runs outside of the target OS. By using this technique, we were able to perform a rebootless restore of a live Windows system, running on commodity hardware, within four seconds. We also analyzed 42 malware samples from seven different malware families, that are known to be "silent" in a virtualized or emulated environments, and all of them showed their true malicious behavior within our bare-metal analysis environment.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2011BFR1037,
   editor = {Annual Computer Security Applications Conference},
   author = {Dhilung Kirat, Giovanni Vigna, Christopher Kruegel},
   title = {BareBox: efficient malware analysis on bare-metal},
   date = {23},
   month = Jul,
   year = {2011},
   howpublished = {\url{}},