virtual machine detect & evade

From ema
Jump to navigation Jump to search
EMA ID: ema-1239
Description: Detects whether the malware instance is being executed in a virtual machine (VM).

Possible methods:

  • Guest Process Testing: Virtual machines offer guest additions that can be installed to add functionality such as clipboard sharing. Detecting the process, via its name or other methods, responsible for these tasks is a technique employed by malware for detecting whether it is being executed in a virtual machine.
  • HTML5 Performance Object: In three browser families, it is possible to extract the frequency of the Windows performance counter frequency, using standard HTML and Javascript. This value can then be used to detect whether the code is being executed in a virtual machine, by detecting two specific frequencies commonly used in virtual but not physical machines.
  • Named System Object Checks: Virtual machines often include specific named system objects by default, such as Windows device drivers, which can be detected by testing for specific strings, whether found in the Windows registry or other places.
  • Machine Specs: Different aspects of the hardware are inspected to determine whether the machine has standard, modern characteristics. Machines with substandard specs indicate a virtual environment:
    • Memory size: most modern machines have at leave 4 GB of memory.
    • Drive size: most modern machines have at least 80 GB disks.
    • USB drive: checks whether there is a potential USB drive; if not a virtual environment is suspected.
    • Printer: checks whether there is a potential connected printer or default Windows printers; if not a virtual environment is suspected.
    • CPU: checks number of processors; single CPU machines are suspect.
  • Human User Check: Detects whether there is any "user" activity on the machine, such as the movement of the mouse cursor, non-default wallpaper, or recently opened Office files. If there is no human activity, the machine is suspected to be a virtualized machine and/or sandbox.
  • x86 Instructions: The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM.
    • SIDT (red pill): Red Pill is an anti-VM technique that executes the SIDT instruction to grab the value of the IDTR register. The virtual machine monitor must relocate the guest's IDTR to avoid conflict with the host's IDTR. Since the virtual machine monitor is not notified when the virtual machine runs the SIDT instruction, the IDTR for the virtual machine is returned.
    • SGDT/SLDT (no pill): The No Pill technique relies on the fact that the LDT structure is assigned to a processor not an Operating System. The LDT location on a host machine will be zero and on a virtual machine will be non-zero.
    • SMSW
    • STR
    • CPUID
    • IN
    • RDTSC
    • VPCEXT
  • Check CPU Location: When an Operating System is virtualized, the CPU is relocated. That allows a malware to detect the virtual environment.
  • Check for Memory Artifacts: VMware leaves many artifacts in memory. Some are critical processor structures, which, because they are either moved or changed on a virtual machine, leave recognizable footprints. Malware can search through physical memory for the strings VMware, commonly used to detect memory artifacts.
  • Mac Address Detection: VMware uses specific virtual Mac address that can be detected by Malware. The usual mac address used started with the following numbers: "00:0C:29", "00:1C:14", "00:50:56", "00:05:69". Virtualbox uses specific virtual Mac address that can be detected by Malware. The usual mac address used started with the following numbers: 08:00:27.
  • Registry Keys: The VMware installation directory C:\Program Files\VMware\VMware Tools may also contain artifacts, as can the registry. A search for VMware in the registry might find some keys that include information about the virtual hard drive, adapters, and virtual mouse. The Virtualbox Guest addition leaves many artifacts in the registry. A search for VBOX in the registry might find some keys. Qemu registers some artifacts into the registry. A malware can detect the Qemu installation with a look at the registry key HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 with the value of Identifier and the data of QEMU or HARDWARE\Description\System with a value of SystemBiosVersion and data of QEMU.
  • Check Processes: The VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. A malware can list the process and searches for the VMware string. Process related to Virtualbox can be detected by malware by query the process list.
  • Check Files: Some files are created by VMware on the system. Malware can check the different folder to find VMware artifacts. Some files are created by Virtualbox on the system. Malware can check the different folder to find Virtualbox artifacts like VBoxMouse.sys.
  • Check Running Services: VMwareService.exe runs the VMware Tools Service as a child of services.exe. It can be identified by listing services.
  • Query I/O Communication Port: VMware uses virtual I/O ports for communication between the virtual machine and the host operating system to support functionality like copy and paste between the two systems. The port can be queried and compared with a magic number VMXh to identify the use of VMware.
Associated Attributes: Anti-Behavioral Analysis: targeted VM, Common: applicable platform, Common: technique
Associated Capabilities/Subcapabilities: Capability.png Anti-Behavioral Analysis

Associated With virtual machine detect & evade
BehaviorInstance-Windows.png Guest Process Testing BehaviorInstance-Windows.png HTML5 Performance Object BehaviorInstance-Windows.png Named System Object Checks    
Date Malware Family URL
January 27, 2011 Rebhip
December 31, 1969 Arobot securityadvisor/virusinfo/virus.aspx?id= 37776