Field of Invention
The present invention relates generally to virtual machines and more specifically to malware detection in virtual machines using a hypervisor.
Description of the Related Art
As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is the use of virtual machines (VM). A VM is a software representation of a physical computer system.
One important feature in VMs is security and more specifically detection of viruses or rootkits. A rootkit is a malicious program that hides the presence of malware in the system by operating at the highest privilege level, which is where the operating system (OS) itself runs. Rootkits subvert the OS by intercepting and modifying low-level application programming interfaces (APIs) and system functions, thus hiding their presence and making it difficult to find or detect them.
Therefore, it is critical that these rootkits be identified before they work their way through the layers of the operating system, at which point detection would require special methods like behavioral-based analysis, signature scanning, difference scanning and memory dump analysis.
A kernel level rootkit may have characteristics of Direct Masquerades in that it can consist of malicious system calls pretending to be normal system calls. It may also have characteristics of Simple Masquerades in that it can masquerade as system calls that appear to be something other than what they really are. Kernel level rootkits may be considered Environmental Masquerades in that they are already running and cannot be easily identified by computer users.
Detecting kernel modules is particularly difficult because a subverted or compromised OS cannot be trusted to find unauthorized modifications to itself.
Typically, virtual machines detect rootkits using an antivirus running on the guest machine. Such an antivirus relies on the guest OS to detect a rootkit. The problem with current solutions is that a rootkit can compromise that same OS, so relying on the OS to detect the rootkit is inherently unreliable. Rootkits can be particularly difficult to detect since they are designed to be hidden.
Since rootkits are often specifically designed to compromise the OS or to go undetected, it is often difficult to detect rootkits using the guest antivirus of the guest OS.
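Added illustration, not part of the patent text: a toy model of why a scan that depends on the guest OS cannot find a rootkit that hooks the OS's own enumeration APIs, while a difference scan against an independent view of guest memory (the kind a hypervisor can obtain) can. The process names, PIDs and the hook model are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    pid: int
    name: str


# Constructed sample: what is actually resident in guest memory. This is the
# view a hypervisor can reconstruct by reading guest memory directly, without
# going through any guest API.
MEMORY_VIEW = frozenset({
    Process(1, "init"),
    Process(412, "sshd"),
    Process(777, "rk_payload"),  # constructed rootkit process that hides itself
})

# Constructed sample: PIDs the rootkit's hook strips from every enumeration
# result before it reaches a caller inside the guest.
HOOK_HIDDEN_PIDS = frozenset({777})


def guest_syscall_enumerate(memory_view):
    """In-guest system-call path, subverted by the rootkit hook."""
    return frozenset(p for p in memory_view if p.pid not in HOOK_HIDDEN_PIDS)


def guest_procfs_listing(memory_view):
    """Second in-guest path (e.g. a filesystem listing); the same hook
    intercepts it, because both run on top of the compromised OS."""
    return frozenset(p for p in memory_view if p.pid not in HOOK_HIDDEN_PIDS)


def in_guest_scan(memory_view):
    """Antivirus inside the guest: cross-checks two OS-provided views.
    Both pass through the subverted OS, so their difference is always empty."""
    return guest_syscall_enumerate(memory_view) ^ guest_procfs_listing(memory_view)


def hypervisor_difference_scan(memory_view):
    """Difference scan from outside the guest: independent memory view minus
    the view the guest OS reports. Anything left over was hidden by a hook."""
    return memory_view - guest_syscall_enumerate(memory_view)


if __name__ == "__main__":
    print("in-guest scan hidden PIDs:", sorted(p.pid for p in in_guest_scan(MEMORY_VIEW)))
    print("hypervisor scan hidden PIDs:", sorted(p.pid for p in hypervisor_difference_scan(MEMORY_VIEW)))
```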