Ether: Malware Analysis via Hardware Virtualization Extensions

Paper

Ether: Malware Analysis via Hardware Virtualization Extensions

Artem Dinaburg (Georgia Institute of Technology and Damballa, USA),
Paul Royal (Damballa and Georgia Institute of Technology, USA),
Monirul Sharif (Georgia Institute of Technology and Damballa, USA),
and Wenke Lee (Damballa and Georgia Institute of Technology, USA)

Slides

The slides used during the ACM CCS 2008 presentation are available here.

About Ether

Ether is a malware analysis framework that leverages hardware virtualization extensions (specifically Intel VT) to remain transparent to the malicious software being analyzed.

Updates

November 21, 2009: The ether-devel mailing list is now active to coordinate further Ether development and to better aid those who have questions about Ether.

June 1, 2009: The Ether unpack service has launched! Simply upload an executable and select how long to attempt unpack-execution detection. The results, including links to any extracted hidden code layers, will be emailed to you when processing is complete. As this service is still in the testing phase, service availability and result retention cannot be guaranteed.

April 7, 2009: Ether 0.1 has been released. Many thanks to Danny Quist and Min Gyung Kang for testing and patches. See the changelog for changes.