MAVMM: Lightweight and Purpose Built VMM for Malware Analysis

Malicious software is rampant on the Internet and costs billions of dollars each year. Safe and thorough analysis of malware is key to protecting vulnerable systems and cleaning those that have already been infected. Most current state-of-the-art analysis platforms run alongside the malware, increasing their detectability. This reduces the value of analysis because some malware is known to behave differently when being analyzed. Virtualization offers a compelling platform for malware analysis, with strong isolation and the ability to save and restore guest state. Current virtual machine monitors (VMMs), however, are not designed for malware analysis. Due to their complexity, they often fail to provide transparency and even expose vulnerabilities which could be exploited by the malware running inside guest system. We propose a lightweight VMM (namely MAVMM) that is designed specially for a single job: malware analysis. MAVMM does not implement unnecessary virtualization features commonly found in general purpose hypervisors, including virtual device emulation. We take advantage of hardware virtualization support to make MAVMM more simple, secure and transparent. In this paper, we describe the design and implementation of MAVMM, and the features that we can extract from programs running inside the guest OS. We evaluate our platform in three aspects: functionality, detectability and performance. We show that our system can extract useful information from malicious software, and that it is not susceptible to known virtualization detection techniques.