{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:35:18Z","timestamp":1750221318385,"version":"3.41.0"},"reference-count":41,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2017,12,6]],"date-time":"2017-12-06T00:00:00Z","timestamp":1512518400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Department of Homeland Security, and Space and Naval Warfare Systems Center, San Diego","award":["N66001-10-C-2018"],"award-info":[{"award-number":["N66001-10-C-2018"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2018,2,28]]},"abstract":"<jats:p>Malware analysis relies heavily on the use of virtual machines (VMs) for functionality and safety. There are subtle differences in operation between virtual and physical machines. Contemporary malware checks for these differences and changes its behavior when it detects a VM presence. These anti-VM techniques hinder malware analysis. Existing research approaches to uncover differences between VMs and physical machines use randomized testing, and thus cannot guarantee completeness.<\/jats:p>\n          <jats:p>\n            In this article, we propose a detect-and-hide approach, which systematically addresses anti-VM techniques in malware. First, we propose\n            <jats:italic>cardinal pill testing<\/jats:italic>\n            \u2014a modification of red pill testing that aims to enumerate the differences between a given VM and a physical machine through carefully designed tests. Cardinal pill testing finds five times more pills by running 15 times fewer tests than red pill testing. We examine the causes of pills and find that, while the majority of them stem from the failure of VMs to follow CPU specifications, a small number stem from under-specification of certain instructions by the Intel manual. This leads to divergent implementations in different CPU and VM architectures. Cardinal pill testing successfully enumerates the differences that stem from the first cause. Finally, we propose\n            <jats:italic>VM Cloak<\/jats:italic>\n            \u2014a WinDbg plug-in which hides the presence of VMs from malware. VM Cloak monitors each execute malware command, detects potential pills, and at runtime modifies the command\u2019s outcomes to match those that a physical machine would generate. We implemented VM Cloak and verified that it successfully hides VM presence from malware.\n          <\/jats:p>","DOI":"10.1145\/3139292","type":"journal-article","created":{"date-parts":[[2017,12,6]],"date-time":"2017-12-06T21:23:15Z","timestamp":1512595395000},"page":"1-31","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":15,"title":["Handling Anti-Virtual Machine Techniques in Malicious Software"],"prefix":"10.1145","volume":"21","author":[{"given":"Hao","family":"Shi","sequence":"first","affiliation":[{"name":"USC\/Information Sciences Institute"}]},{"given":"Jelena","family":"Mirkovic","sequence":"additional","affiliation":[{"name":"USC\/Information Sciences Institute"}]},{"given":"Abdulla","family":"Alwabel","sequence":"additional","affiliation":[{"name":"USC\/Information Sciences Institute"}]}],"member":"320","published-online":{"date-parts":[[2017,12,6]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"0xEBFE. 2013. Fooled by Andromeda. Retrieved from http:\/\/0xebfe.net\/blog\/2013\/03\/30\/fooled-by-andromeda\/.  0xEBFE. 2013. Fooled by Andromeda. Retrieved from http:\/\/0xebfe.net\/blog\/2013\/03\/30\/fooled-by-andromeda\/."},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/971617.971646"},{"volume-title":"Networking and Distributed Systems Symposium (NDSS). ACM, 20--26","year":"2010","author":"Balzarotti Davide","key":"e_1_2_1_3_1"},{"volume-title":"HotBots","author":"Barford Paul","key":"e_1_2_1_4_1"},{"volume-title":"14th Annual EICAR Conference.","year":"2006","author":"Bayer Ulrich","key":"e_1_2_1_5_1"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.5555\/1247360.1247401"},{"volume-title":"Gabriel Negreira Barbosa, and Pedro Drimel Neto","year":"2012","author":"Branco Rodrigo Rubira","key":"e_1_2_1_7_1"},{"key":"e_1_2_1_8_1","doi-asserted-by":"crossref","unstructured":"Xu Chen Jon Andersen Z.Morley Mao Michael Bailey and Jose Nazario. 2008. Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In DSN.  Xu Chen Jon Andersen Z.Morley Mao Michael Bailey and Jose Nazario. 2008. Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In DSN.","DOI":"10.1109\/DSN.2008.4630086"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455779"},{"volume-title":"Attacks on virtual machine emulators. Symantec Security Response","year":"2006","author":"Ferrie Peter","key":"e_1_2_1_10_1"},{"key":"e_1_2_1_11_1","unstructured":"Peter Ferrie. 2008. Anti-Unpacker Tricks. Retrieved from http:\/\/vpn23.homelinux.org\/Anti-Unpackers.pdf.  Peter Ferrie. 2008. Anti-Unpacker Tricks. Retrieved from http:\/\/vpn23.homelinux.org\/Anti-Unpackers.pdf."},{"key":"e_1_2_1_12_1","unstructured":"ISC Tech Georgia. 2017. Open Malware. Retrieved from http:\/\/oc.gtisc.gatech.edu\/.  ISC Tech Georgia. 2017. Open Malware. Retrieved from http:\/\/oc.gtisc.gatech.edu\/."},{"key":"e_1_2_1_13_1","unstructured":"Hex-Rays. 2016. IDA: multi-processor Disassembler and Debugger. Retrieved from https:\/\/www.hex-rays.com\/products\/ida\/.  Hex-Rays. 2016. IDA: multi-processor Disassembler and Debugger. Retrieved from https:\/\/www.hex-rays.com\/products\/ida\/."},{"key":"e_1_2_1_14_1","unstructured":"Intel. 2016. Intel 64 and IA-32 Architectures Software Developers Manuals. Retrieved from http:\/\/www.intel.com\/content\/www\/us\/en\/processors\/architectures-software-developer-manuals.html.  Intel. 2016. Intel 64 and IA-32 Architectures Software Developers Manuals. Retrieved from http:\/\/www.intel.com\/content\/www\/us\/en\/processors\/architectures-software-developer-manuals.html."},{"key":"e_1_2_1_15_1","unstructured":"John P. John Alexander Moshchuk Steven D. Gribble and Arvind Krishnamurthy. 2009. Studying spamming botnets using botlab. In Networked Systems Design and Implementation.   John P. John Alexander Moshchuk Steven D. Gribble and Arvind Krishnamurthy. 2009. Studying spamming botnets using botlab. In Networked Systems Design and Implementation."},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/1655148.1655151"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2076732.2076790"},{"key":"e_1_2_1_18_1","unstructured":"Dhilung Kirat Giovanni Vigna and Christopher Kruegel. 2014. BareCloud: Bare-metal analysis-based evasive malware detection. In USENIX Security.   Dhilung Kirat Giovanni Vigna and Christopher Kruegel. 2014. BareCloud: Bare-metal analysis-based evasive malware detection. In USENIX Security."},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/2068816.2068854"},{"volume-title":"Bochs: A portable PC emulator for unix\/X. Linux Journal 29es","year":"1996","author":"Lawton Kevin P.","key":"e_1_2_1_20_1"},{"key":"e_1_2_1_21_1","doi-asserted-by":"crossref","unstructured":"Martina Lindorfer Clemens Kolbitsch and Paolo Milani Comparetti. 2011. Detecting environment-sensitive malware. In Research in Attacks Intrusions and Defenses.  Martina Lindorfer Clemens Kolbitsch and Paolo Milani Comparetti. 2011. Detecting environment-sensitive malware. In Research in Attacks Intrusions and Defenses.","DOI":"10.1007\/978-3-642-23644-0_18"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/2150976.2151012"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/1572272.1572303"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/1831708.1831730"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.42"},{"volume-title":"26th USENIX Security Symposium (USENIX Security 17)","year":"2017","author":"Ning Zhenyu","key":"e_1_2_1_26_1"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/1972551.1972554"},{"key":"e_1_2_1_28_1","unstructured":"Hao Shi Abdulla Alwabel and Jelena Mirkovic. 2014. Cardinal pill testing of system virtual machines. In USENIX Security 14.   Hao Shi Abdulla Alwabel and Jelena Mirkovic. 2014. Cardinal pill testing of system virtual machines. In USENIX Security 14."},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3019612.3019791"},{"key":"e_1_2_1_30_1","unstructured":"Michael Sikorski and Andrew Honig. 2012. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press.   Michael Sikorski and Andrew Honig. 2012. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press."},{"key":"e_1_2_1_31_1","unstructured":"Chengyu Song Paul Royal and Wenke Lee. 2012. Impeding automated malware analysis with environment-sensitive malware. In HotSec.   Chengyu Song Paul Royal and Wenke Lee. 2012. Impeding automated malware analysis with environment-sensitive malware. In HotSec."},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-89862-7_1"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23121"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICPADS.2011.78"},{"key":"e_1_2_1_35_1","unstructured":"Basis Technology. 2016. The Sleuth Kit. Retrieved from http:\/\/www.sleuthkit.org\/.  Basis Technology. 2016. The Sleuth Kit. Retrieved from http:\/\/www.sleuthkit.org\/."},{"key":"e_1_2_1_36_1","unstructured":"Virus Total. 2017. VirusTotal Web Site. Retrieved from https:\/\/www.virustotal.com\/en\/.  Virus Total. 2017. VirusTotal Web Site. Retrieved from https:\/\/www.virustotal.com\/en\/."},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2005.52"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.9"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/2151024.2151053"},{"key":"e_1_2_1_40_1","unstructured":"Oleh Yuschuk. 2013. OllyDbg. Retrieved from http:\/\/www.ollydbg.de.  Oleh Yuschuk. 2013. OllyDbg. Retrieved from http:\/\/www.ollydbg.de."},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.11"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3139292","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3139292","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T02:13:49Z","timestamp":1750212829000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3139292"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,12,6]]},"references-count":41,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2018,2,28]]}},"alternative-id":["10.1145\/3139292"],"URL":"https:\/\/doi.org\/10.1145\/3139292","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"type":"print","value":"2471-2566"},{"type":"electronic","value":"2471-2574"}],"subject":[],"published":{"date-parts":[[2017,12,6]]},"assertion":[{"value":"2016-09-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2017-09-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2017-12-06","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}