How Malware Detect Virtual Machines


Rasheed187
November 25th, 2006, 12:00 PM
Some interesting stuff. I hope this will be fixed in the newer-generation virtual machines, because this is quite a serious problem, of course. :shifty:

http://isc.sans.org/diary.php?storyid=1871&isc=c188674c1b170b29bb1345a6ef5d1417

Rasheed187
December 1st, 2006, 12:47 PM
This is interesting, but would it really work, I wonder. ::)

-{ Quote: "Interestingly, two readers came up with the idea to develop a mechanism for configuring non-virtualized systems to look like virtual machines. By masking itself in this way, it could potentially fool malicious software into thinking that the environment is a virtual honeypot, effectively fooling it into refusing to run and thus helping to immunize the system against certain infections." }-

http://weblog.infoworld.com/virtualization/archives/2006/11/virtual_machine_1.html

Devil's Advocate
December 3rd, 2006, 01:11 PM
-{ Quote: "Some interesting stuff. I hope this will be fixed in the newer-generation virtual machines, because this is quite a serious problem, of course. :shifty:

http://isc.sans.org/diary.php?storyid=1871&isc=c188674c1b170b29bb1345a6ef5d1417" }-

Why is it a serious problem?

EsoxLucius
December 6th, 2006, 12:32 PM
That's why:

-{ Quote: "Virtual machine detection is a self-defensive property of many malware specimens. It is aimed at making it harder to examine the malicious program, because virtualization software, such as VMware, is a very popular tool among malware analysts. For instance, 3 out of 12 malware specimens recently captured in our honeypot refused to run in VMware. - InternetStormCenter (http://isc.sans.org/diary.php?storyid=1871&isc=c188674c1b170b29bb1345a6ef5d1417)" }-

Mrkvonic
December 6th, 2006, 01:15 PM
Hello,
Very simple - you run a tool in a virtual machine - if it refuses to cooperate, you never install it natively.
Mrk

GS2
December 6th, 2006, 10:10 PM
Or just use a real test box instead of a VM (obviously not your everyday machine).

Devil's Advocate
December 8th, 2006, 10:04 PM
-{ Quote: "That's why:" }-

Oh right, I forgot everyone here, including Rasheed, is an analyst. ::)

Rasheed187
December 20th, 2006, 03:43 PM
Good one DA, but of course I meant it's bad news for the analysts, but even for us amateurs who like to fool around with malware sometimes. According to the article, some malware will simply refuse to run, but what if apps can act like they are non-malicious when run in a virtual machine? Does this stuff exist yet? :blink:

Rasheed187
December 28th, 2006, 01:52 PM
This is another interesting article; I'm actually surprised that Sophos does not really have that much trust in virtualization. Btw, the article is not accessible right now, probably because of the earthquake. ::)

http://www.zdnetasia.com/news/security/0,39044215,61970587,00.htm

TNT
December 28th, 2006, 02:45 PM
-{ Quote: "Good one DA, but of course I meant it's bad news for the analysts, but even for us amateurs who like to fool around with malware sometimes. According to the article, some malware will simply refuse to run, but what if apps can act like they are non-malicious when run in a virtual machine? Does this stuff exist yet? :blink:" }-

I haven't seen one acting "non-malicious" (rather, I've seen quite a bit simply not run at all). But it's very possible, and I don't see any reason why malware authors wouldn't have thought about writing something like this.

Rasheed187
January 1st, 2007, 02:23 PM
-{ Quote: "I haven't seen one acting "non-malicious" (rather, I've seen quite a bit simply not run at all). But it's very possible, and I don't see any reason why malware authors wouldn't have thought about writing something like this." }-

Well, if you read the article, Sophos actually thinks that this malware might already exist. ::)

-{ Quote: "The Sydney-based Ducklin said "there have been bugs and problems" in virtualization programs that could allow malicious code to spillover from the virtual machine to the real machine--though, he admitted, these scenarios were rare.

Some malicious codes are intelligent enough to detect that a system is running in a simulated environment and is not an actual home computer, he said. "It can then go 'Aha! I'm either in a corporate server or a virus lab, and therefore I'm going to behave differently [than it would when it attacks home computers]," he added. " }-

Rasheed187
March 18th, 2007, 09:58 AM
An interesting (and a bit technical) article. ;)

http://www.websense.com/securitylabs/blog/blog.php?BlogID=113

Inspector Clouseau
March 18th, 2007, 10:04 AM
There are a few *thousand* bots (RBots etc.) which don't run under a virtual environment. Moreover, there are runtime packers and crypters which have this functionality included, Themida for instance.

See here: http://vil.nai.com/vil/content/v_139328.htm