Article about thwarting virtual machine detection

Discussion in 'sandboxing & virtualization' started by MrBrian, Apr 16, 2008.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    The article 'On the Cutting Edge: Thwarting Virtual Machine Detection', found at http://handlers.sans.org/tliston/Thw...on_Skoudis.pdf, mentions on page 23 some undocumented VMware settings that reduce the ability of a program to detect that it's running in a virtual machine. Those of you who like to test malware in a virtual machine may find this information useful, since some malware changes its behavior when a virtual machine is detected. I haven't personally tested this yet.
  2. Meriadoc

    Meriadoc Registered Member

    I briefly mentioned this once before, I think when talking about RkU VM detection. I use a clean VM; you can clean up the environment somewhat of anything VMware software/hardware related.
  3. MrBrian

    MrBrian Registered Member

    Can you elaborate on this please? Is this a script?
  4. Meriadoc

    Meriadoc Registered Member

    References to VMWare - file & registry.
    Configuring services - vmx file.

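As an added example (not from the SANS article and not posted by anyone in this thread), here is a small Python scanner that checks host data for the VMware file, process, MAC-address and registry artifacts that malware commonly looks for before deciding whether it is in a VM. Knowing what gets checked tells you what has to be cleaned. The artifact names are well-known VMware indicators (VMware-registered MAC OUIs, VMware Tools drivers and processes, the VMware Tools registry key, "VMware" in hardware enumeration strings); the two host records are constructed for the example and are not taken from a real machine.

```python
"""Check host inventory data for artifacts that reveal a VMware guest.

Added example, not code from the SANS paper or from this thread.
The indicator lists are well-known VMware artifacts; the sample host
records at the bottom are constructed for the example.
"""
import re
from collections import Counter

# MAC address OUIs (first three octets) assigned to VMware.
VMWARE_MAC_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}

# Kernel drivers installed by VMware Tools (vmhgfs.sys is Shared Folders).
VMWARE_DRIVERS = {"vmmouse.sys", "vmhgfs.sys", "vmci.sys",
                  "vmmemctl.sys", "vmxnet.sys"}

# User-mode processes that VMware Tools leaves running in the guest.
VMWARE_PROCESSES = {"vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe"}

# Registry key created by the VMware Tools installer (compared lower-cased).
VMWARE_REG_KEYS = {r"hklm\software\vmware, inc.\vmware tools"}


def normalize_mac(mac):
    """Return a MAC as lower-case colon-separated octets, whatever the input separator."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_vmware_artifacts(host):
    """Return a list of (kind, value) hits for every VMware artifact found in `host`.

    `host` is a dict with optional lists: macs, files, processes,
    registry_keys, registry_values (hardware-enumeration strings).
    """
    hits = []
    for mac in host.get("macs", []):
        if normalize_mac(mac)[:8] in VMWARE_MAC_OUIS:
            hits.append(("mac", mac))
    for path in host.get("files", []):
        # Compare only the file name, tolerating either path separator.
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in VMWARE_DRIVERS:
            hits.append(("file", path))
    for proc in host.get("processes", []):
        if proc.lower() in VMWARE_PROCESSES:
            hits.append(("process", proc))
    for key in host.get("registry_keys", []):
        if key.lower() in VMWARE_REG_KEYS:
            hits.append(("registry_key", key))
    for value in host.get("registry_values", []):
        # Virtual SCSI/IDE devices enumerate with a VMware vendor string.
        if "vmware" in value.lower():
            hits.append(("registry_value", value))
    return hits


def summarize(hits):
    """Count hits per artifact kind, e.g. {'file': 2, 'mac': 1}."""
    return dict(Counter(kind for kind, _ in hits))


# Constructed sample: an ordinary VMware guest with Tools installed.
VM_HOST = {
    "macs": ["00:0C:29:3A:7F:21"],
    "files": [r"C:\Windows\System32\drivers\vmmouse.sys",
              r"C:\Windows\System32\drivers\vmhgfs.sys",
              r"C:\Windows\System32\drivers\ntfs.sys"],
    "processes": ["explorer.exe", "vmtoolsd.exe"],
    "registry_keys": [r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"],
    "registry_values": [r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk"],
}

# Constructed sample: the same inventory after the VMware references are removed.
CLEAN_HOST = {
    "macs": ["3C:97:0E:12:34:56"],
    "files": [r"C:\Windows\System32\drivers\ntfs.sys"],
    "processes": ["explorer.exe"],
    "registry_keys": [],
    "registry_values": [r"SCSI\Disk&Ven_SAMSUNG&Prod_SSD_860"],
}

if __name__ == "__main__":
    for label, host in (("vm", VM_HOST), ("clean", CLEAN_HOST)):
        print(label, summarize(find_vmware_artifacts(host)))
```

Running it against the two records shows every category firing on the VM host and nothing on the cleaned one. The list also makes the trade-off in this thread concrete: vmhgfs.sys is the Shared Folders driver and vmtoolsd.exe is VMware Tools itself, so removing the references malware checks for means giving up those conveniences, which is the same cost the article describes for its .vmx settings.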
  5. MrBrian

    MrBrian Registered Member

    Thank you.
  6. MrBrian

    MrBrian Registered Member

  7. Rasheed187

    Rasheed187 Registered Member

    Hi,

    I will check it out, but won't this break stuff inside the VM? I believe that I've read something like this. Of course for the real hardcore malware testers out there, this could be a nice workaround; luckily most of my malware samples work just fine.

    But a couple of days ago I did download a malware sample (some fake video site trying to make you run some fake codec) and it terminates itself immediately. As a matter of fact, a lot of malware does this inside a sandbox (SafeSpace/SBIE) too. But I'm not sure if this is because they recognize the fact that they run sandboxed (making analyzing impossible), or because they notice they can't do anything anyway?
    Last edited: Apr 18, 2008
  8. MrBrian

    MrBrian Registered Member

    According to the article p. 24, yes it will break things such as Shared Folders and VMware Tools. I haven't tried this myself yet, but I posted it because I thought it may be of use to others.
  9. lucas1985

    lucas1985 Retired Moderator

    Both are highly likely. They may detect SBIE's driver/protection and so they shut down quietly, or they get tired of repeated failures.