Virtual Machine Introspection in Malware Analysis

The word “introspection” generally refers to the observation and examination of one’s own mental and emotional state. It is considered as the act of looking at oneself. However, the introspection of virtual machines is the art of monitoring virtual machines’ activities from the hypervisor and accessing them without being inside. No agent is installed on the virtual machine; everything is done from the outside.

One of the main reasons for using introspection in malware detection is that malwares using advanced techniques such as Rootkits are not detected using traditional automated malware-detection systems. The other reason is the advanced features that this technology provides, which allows the user to have a deep insight into each action happening in the virtual machine.

Thanks to introspection technology, there is no need to be part of the malware environment to analyze it: the behavior of the processes to be monitored will be realized outside the virtual machine, from the hypervisor. In addition to that, malwares that use debugger detection techniques will not detect any debugger, because the introspection system only interacts with the virtual machine’s memory and in no way will attach to the processes launched on the machine. Similarly, it is possible to mislead a malware employing sandbox detection techniques.

As a result, it can’t be denied that the application of introspection to malware analysis is much better than traditional automated-analysis technologies.

Let’s discuss some aspects of virtual machine introspection.

Types of Hypervisors

We generally consider two types of hypervisors:

• Native hypervisor: Also known as Type-1 hypervisor or “Bare Metal.” This type of hypervisor works directly on the hardware of the machine to control and manage virtual machines. Examples of Type-1 hypervisors include Xen and KVM.
• Hosted hypervisor: Also known as Type-2 hypervisor or “Hosted.” This type of hypervisor runs inside (Read more...)