Article about thwarting virtual machine detection

Discussion in 'sandboxing & virtualization' started by MrBrian, Apr 16, 2008.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The article 'On the Cutting Edge: Thwarting Virtual Machine Detection', found at http://handlers.sans.org/tliston/Thw...on_Skoudis.pdf, mentions on page 23 some undocumented VMware settings that reduce the ability of a program to detect that it's running in a virtual machine. Those of you who like to test malware in a virtual machine may find this information useful, since some malware changes its behavior when a virtual machine is detected. I haven't personally tested this yet.
     
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I briefly mentioned this once before, I think when talking about RkU VM detection. I use clean VM, you can clean the environment up somewhat of anything VMware software/hardware related.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Can you elaborate on this please? Is this a script?
     
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    References to VMware - file & registry.
    Configuring services - vmx file.
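
The file, registry and service artifacts referred to above can be enumerated from inside the guest, which is a useful sanity check before running a sample in an analysis VM. The PowerShell script below is an added example for auditing one's own sandbox; it is not code from this thread or from the SANS paper, and the registry key, driver file names, service names and WMI fields it inspects are assumed from a standard VMware Tools installation rather than taken from the page. It also goes one step beyond the post by checking the hardware identity the virtual firmware reports through WMI.

```powershell
# Added example (not from the thread or the SANS paper): audit a Windows guest for
# VMware artifacts that a VM-aware sample might look for. Run inside the analysis VM
# before a test; every hit is something a "clean VM" tidy-up would need to address.
# Artifact names below are assumed from a typical VMware Tools install and are a
# starting point, not an exhaustive list.

$findings = @()

# 1. Registry keys written by the VMware Tools installer (assumed path)
$regKeys = @(
    'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools'
)
foreach ($k in $regKeys) {
    if (Test-Path $k) { $findings += "registry: $k" }
}

# 2. Driver and tool files installed with VMware Tools (assumed names)
$files = @(
    "$env:SystemRoot\System32\drivers\vmmouse.sys",
    "$env:SystemRoot\System32\drivers\vmhgfs.sys",
    "$env:SystemRoot\System32\drivers\vmci.sys",
    "$env:ProgramFiles\VMware\VMware Tools\vmtoolsd.exe"
)
foreach ($f in $files) {
    if (Test-Path $f) { $findings += "file: $f" }
}

# 3. Services registered by VMware Tools (assumed names)
$services = @('VMTools', 'VGAuthService', 'vmvss')
foreach ($s in $services) {
    if (Get-Service -Name $s -ErrorAction SilentlyContinue) {
        $findings += "service: $s"
    }
}

# 4. Hardware identity reported by the virtual firmware, visible through WMI.
#    This is independent of VMware Tools, so a guest can be "clean" of files
#    and registry keys and still identify itself here.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.Manufacturer -match 'VMware' -or $cs.Model -match 'VMware') {
    $findings += "wmi: Win32_ComputerSystem $($cs.Manufacturer) / $($cs.Model)"
}
$bios = Get-CimInstance -ClassName Win32_BIOS
if ($bios.SerialNumber -match 'VMware') {
    $findings += "wmi: Win32_BIOS serial $($bios.SerialNumber)"
}

# Report
if ($findings.Count -eq 0) {
    Write-Output 'No VMware artifacts found with these checks.'
} else {
    Write-Output "VMware artifacts found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it in an elevated PowerShell session inside the guest. A report with zero hits only means these particular checks came back empty; the vmx-level settings mentioned earlier in the thread address signals (such as the hardware identity in section 4) that cannot be removed by deleting files or registry keys in the guest.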

     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Hi,

    I will check it out, but won't this break stuff inside VM? I believe that I've read something like this. Of course for the real hardcore malware testers out there, this could be a nice workaround, luckily most of my malware sample work just fine.

    But a couple of days ago I did download a malware sample (some fake video site trying to make you run some fake codec) and it terminates itself immediately. As a matter of fact, a lot of malware do this inside a sandbox (SafeSpace/SBIE) too. But I'm not sure if this is because they recognize the fact that they run sandboxed (making analyzing impossible), or because they notice they can't do nothing anyway?
     
    Last edited: Apr 18, 2008
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    According to the article p. 24, yes it will break things such as Shared Folders and VMware Tools. I haven't tried this myself yet, but I posted it because I thought it may be of use to others.
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Both are highly likely. They may detect SBIE's driver/protection and so they shut down quietly, or they get tired of repeated failures.
     