Paper
Ether: Malware Analysis via Hardware Virtualization Extensions
Artem Dinaburg (Georgia Institute of Technology and Damballa, USA),
Paul Royal (Damballa and Georgia Institute of Technology, USA),
Monirul Sharif (Georgia Institute of Technology and Damballa, USA),
and Wenke Lee (Damballa and Georgia Institute of Technology, USA)
Slides
The slides used during the ACM CCS 2008 presentation are available here.
About Ether
Ether is a malware analysis framework which leverages hardware virtualization extensions (specifically
Intel VT) to remain transparent to malicious software.
Updates
November 21, 2009: The ether-devel mailing list is now active to coordinate further Ether development and to better aid those who have questions about Ether.
June 1, 2009: The Ether unpack service has launched! Simply upload an executable, and select for how long to attempt unpack-execution detection. The results, including links to any extracted hidden code layers, will be emailed to you when processing is complete. As this service is still in the testing phase, service availability and result retention cannot be guaranteed.
April 7, 2009: Ether 0.1 has been released. Many thanks to Danny Quist and Min Gyung Kang for testing and patches. See the changelog for changes.