38 research outputs found

    Transparent and Precise Malware Analysis Using Virtualization: From Theory to Practice

    Dynamic analysis is an important technique used in malware analysis and is complementary to static analysis. Thus far, virtualization has been widely adopted for building fine-grained dynamic analysis tools, and this trend is expected to continue. Unlike user/kernel space malware analysis platforms that essentially co-exist with malware, virtualization-based platforms benefit from isolation and fine-grained instrumentation support. Isolation makes it more difficult for malware samples to disrupt analysis, and fine-grained instrumentation provides analysts with low-level details, such as those at the machine instruction level. This in turn supports the development of advanced analysis tools such as dynamic taint analysis and symbolic execution for automatic path exploration. The major disadvantage of virtualization-based malware analysis is the loss of semantic information, also known as the semantic gap problem. To put it differently, since analysis takes place at the virtual machine monitor, where only the raw system state (e.g., CPU and memory) is visible, higher-level constructs such as processes and files must be reconstructed from the low-level information. The collection of techniques used to bridge semantic gaps is known as Virtual Machine Introspection. Virtualization-based analysis platforms can be further separated into emulation and hardware virtualization. Emulators have the advantages of flexibility of analysis tool development and efficiency for fine-grained analysis; however, emulators suffer from the transparency problem. That is, malware can employ methods to determine whether it is executing in an emulated environment versus on real hardware and cease operations to disrupt analysis if the machine is emulated. In brief, emulation-based dynamic analysis has advantages over user/kernel space and hardware virtualization-based techniques, but it suffers from semantic gap and transparency problems.
    These problems have been exacerbated by recent discoveries of anti-emulation malware that detects emulators, and of Android malware with two semantic gaps, Java and native. Also, it is foreseeable that malware authors will have a similar response to taint analysis. In other words, once taint analysis becomes widely used to understand how malware operates, the authors will create new malware that attacks the imprecisions in taint analysis implementations and induces false positives and false negatives in an effort to frustrate analysts. This dissertation addresses these problems by presenting concepts, methods and techniques that can be used to transparently and precisely analyze both desktop and mobile malware using virtualization. This is achieved in three parts. First, precise heterogeneous record and replay is presented as a means to help emulators benefit from the transparency characteristics of hardware virtualization. This technique is implemented in a tool called V2E that uses KVM for recording and TEMU for replaying and analysis. It was successfully used to analyze real-world anti-emulation malware that evaded analysis using TEMU alone. Second, the design of an emulation-based Android malware analysis platform is presented that uses virtual machine introspection to bridge both the Java-level and native-level semantic gaps and to seamlessly bind the two views together into a single view. The core introspection and instrumentation techniques were implemented in a new analysis platform called DroidScope that is based on the Android emulator. It was successfully used to analyze two real-world Android malware samples that have cooperating Java-level and native-level components. Taint analysis was also used to study their information exfiltration behaviors. Third, formal methods are presented for studying the sources of false positives and false negatives in dynamic taint analysis designs and for verifying the correctness of manually defined taint propagation rules. These definitions and methods were successfully used to analyze and compare previously published taint analysis platforms in terms of false positives and false negatives.

    MicroRNA profiling study reveals MIR-150 in association with metastasis in nasopharyngeal carcinoma

    © 2017 The Author(s). MicroRNAs (miRNAs) are small non-coding RNAs that play a crucial role in the pathogenesis of human cancers. Several miRNAs have been shown to be involved in nasopharyngeal carcinoma (NPC) pathogenesis through alteration of gene networks. A global view of the miRNA expression profile of clinical specimens would be the best way to screen out the possible miRNA candidates that may be involved in disease pathogenesis. In this study, we investigated the expression profiles of miRNA in formalin-fixed paraffin-embedded tissues from patients with undifferentiated NPC versus non-NPC controls using a miRNA real-time PCR platform, which covered a total of 95 cancer-related miRNAs. Hierarchical cluster analysis revealed that NPC and non-NPC controls were clearly segregated. Promisingly, 10 miRNA candidates were differentially expressed. Among them, 9 miRNAs were significantly up-regulated, of which miR-205 and miR-196a were the most up-regulated in NPC, with the highest incidence percentages of 94.1% and 88.2%, respectively, while the uniquely down-regulated miR-150 was further validated in patient sera. Finally, the in vitro gain-of-function and loss-of-function assays revealed that miR-150 can modulate the epithelial-mesenchymal transition property in NPC/HK-1 cells and promotes cell motility and invasion. miR-150 may be a potential biomarker for NPC and plays a critical role in NPC tumourigenesis.

    DECAF: A Platform-Neutral Whole-System Dynamic Binary Analysis Platform


    Hepatitis B virus reactivation in seronegative occult hepatitis B patient receiving ibrutinib therapy

    Background: Ibrutinib is a Bruton's tyrosine kinase (BTK) inhibitor approved for the treatment of several mature B-cell malignancies. Reactivation of hepatitis B virus (HBV) is a well-described complication in patients with chronic HBV infection or prior HBV exposure undergoing cytotoxic or immunosuppressive chemotherapy for hematologic malignancies. This phenomenon has been frequently reported with rituximab. However, published data on the risk of HBV reactivation induced by ibrutinib are scarce. Cases of HBV reactivation in hematologic patients receiving ibrutinib therapy have recently been described, but only in overt hepatitis B patients or seropositive occult hepatitis B patients. Case presentation: We report the first case of HBV reactivation during ibrutinib treatment in an asymptomatic 82-year-old woman with seronegative occult hepatitis B (i.e., negative for HBsAg, anti-HBc and anti-HBs). Four months after ibrutinib treatment, her liver function test (LFT) was deranged, with seroconversion to HBsAg positivity. Serum hepatitis B virus DNA was quantified at 1.92 × 10^8 IU/ml. Antiviral treatment was initiated, and the viral load was gradually suppressed with improvement in LFT. Conclusions: Our case illustrates that in populations with a high incidence of HBV exposure, systematic screening for HBV exposure is essential prior to ibrutinib treatment, followed by serial monitoring of serologic and molecular markers of hepatitis B. There is a need for an international consensus to support the recommendation of antiviral prophylaxis against HBV reactivation in patients using ibrutinib.

    Epigenetic inactivation of the MIR129-2 in hematological malignancies

    Background: MIR129-2 has been shown to be a tumor suppressor microRNA hypermethylated in epithelial cancers. Patients and methods: Epigenetic inactivation of MIR129-2 was studied by methylation-specific PCR (MSP) in 13 cell lines (eight myeloma and five lymphoma), 15 normal controls and 344 primary samples including acut

    Hiding in the Shadows: Empowering ARM for Stealthy Virtual Machine Introspection

    ARM has become the leading processor architecture for mobile and IoT devices, and it has recently started claiming a bigger slice of the server market as well. As such, it will not be long before malware more regularly targets the ARM architecture. Therefore, the stealthy operation of Virtual Machine Introspection (VMI) is an obligation to successfully analyze and proactively mitigate this growing threat. Stealthy VMI has proven itself perfectly suitable for malware analysis on Intel's architecture, yet it often lacks the foundation required to be equally effective on ARM. In this paper, we closely examine both the ARMv7 and ARMv8 architectures to identify shortcomings and develop novel techniques necessary for effective virtualization-based dynamic malware analysis. We implement and open-source a prototype, named altp2m, for the open source Xen Project hypervisor on ARM. Compared to traditional VMI approaches, our solution enables hypervisors to dynamically allocate and switch among multiple guest memory views by utilizing the Second Level Address Translation (SLAT). Further, we implement an alternative single-stepping mechanism and leverage the execute-only capability of the SLAT mechanism on ARMv8 to enable stealthy in-guest instrumentation. To also target ARMv7-based systems, we manipulate the TLB organization through altp2m to coordinate the guest kernel execution flow. To demonstrate the effectiveness of our system, we combine all building blocks of our work to form the foundation for the dynamic malware analysis system DRAKVUF on ARM. Overall, our experiments reveal that our novel dynamic analysis system is stealthy and efficient, and is perfectly suited to assist malware analysts in quickly comprehending the behavior, and reducing the mitigation time, of malware targeting ARM.