How Malware Detect Virtual Machines

Some interesting stuff, I hope this will be fixed in the newer generation virtual machines, because this is quite a serious problem of course.

http://isc.sans.org/diary.php?storyid=1871&isc=c188674c1b170b29bb1345a6ef5d1417

 

This is interesting but would it really work, I wonder.

http://weblog.infoworld.com/virtualization/archives/2006/11/virtual_machine_1.html

 

Why is it a serious problem?

 

That's why:

 

Hello,
Very simple - you run a tool in virtual machine - if it refuses to cooperate, you never install it natively.
Mrk

 

Or just use a real test box, instead of a VM (obviously not your everyday machine)

 

Oh right, I forgot everyone here including Rasheed are
analysts.

 

Good one DA, but of course I meant it´s bad news for the analysts, but even for us amateurs who like to fool around with malware sometimes. But according to the article, some malware will simply refuse to run, but what if apps can act like they are non malicious when run in a virtual machine, does this stuff exist yet?

 

This is another interesting article, I´m actually surprised that Sophos does not really have that much trust in Virtualization. Btw, the article is not accessible right now because of the earthquake probably.

http://www.zdnetasia.com/news/security/0,39044215,61970587,00.htm

 

I haven't seen one acting "non malicious" (rather, I've seen quite a bit simply not run at all). But it's very possible and I don't see any reason why malware authors wouldn't have thought about writing something like this.

 

Well, if you read the article, Sophos actually thinks that this malware might already exist.

 

An interesting (and bit technical) article.

http://www.websense.com/securitylabs/blog/blog.php?BlogID=113

 

There are a few *1000's* bots (RBots etc) which don't run under virtual environment. Moreover, there are runtime packers and crypters which having this functionality included. Themida for instance.

See here: http://vil.nai.com/vil/content/v_139328.htm