Paul Royal, principal researcher at botnet hunter Damballa Inc., will give a Black Hat presentation on Aug. 6 on a tool called Azure, which will be published as an open-source proof of concept, available for free to enterprises and vendors.
Azure is an external hardware tool that is based on Intel VT, a hardware-assisted means of virtualizing the PC. It allows the user to create the equivalent of an x86 processor-based machine that can be used to detect and analyze malware at the instruction level or at the Windows API level.
The Intel VT-based approach will be harder to detect and evade than currently available malware analysis approaches, Royal says. Today, most analyzers rely on a "sandbox" approach, in which a safe "copy" of the operating system is used for analysis. However, many malware authors now have methods for detecting these "in-guest" sandboxes and avoiding them, he observes.
Other malware analyzers, such as QEMU, emulate the x86 architecture outside the operating system, which makes them more difficult for hackers to detect. However, in order to operate, these tools generally require full-system emulation, and the emulated systems don't run quite the same way that "live" PCs do. Increasingly, attackers are able to detect the behavior of emulated systems and set their malware to exit before it's captured by the analyzer.
Azure uses Intel VT, which operates outside the operating system but doesn't require full-system emulation, Royal says. Instead, it creates an "equivalent" of the physical processor which can be safely infected with malware for analysis without tipping off the malware that it's attacking a virtual environment.
Read the entire article from darkReading.