HTML5 Performance Object

From ema
Jump to: navigation, search
EMA ID: ema-1091
Description: In three browser families, it is possible to extract the frequency of the Windows performance counter frequency, using standard HTML and Javascript. This value can then be used to detect whether the code is being executed in a virtual machine, by detecting two specific frequencies commonly used in virtual but not physical machines.
Associated Behavior: virtual machine detect & evade
Privilege Level: User space
Supporting Details:
Applicable browsers:
  • Microsoft Edge
  • Microsoft Internet Explorer 10
  • Microsoft Internet Explorer 11
  • Mozilla Firefox ~34.0 - 40.0.3


Inherited Attributes:

applicable platform: Windows 10, Windows 7, Windows 7 SP1, Windows 8, Windows 8.1
References:
Date Malware Family URL
May 10, 2015 http://www.securitygalore.com/site3/vmd1-advisory