Article about thwarting virtual machine detection

Discussion in 'sandboxing & virtualization' started by MrBrian, Apr 16, 2008.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The article 'On the Cutting Edge: Thwarting Virtual Machine Detection', found at http://handlers.sans.org/tliston/Thw...on_Skoudis.pdf, mentions on page 23 some undocumented VMware settings that reduce the ability of a program to detect that it's running in a virtual machine. Those of you who like to test malware in a virtual machine may find this information useful, since some malware changes its behavior when a virtual machine is detected. I haven't personally tested this yet.
     
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I briefly mentioned this once before, I think when talking about RkU VM detection. I use clean VM, you can clean the environment up somewhat of anything VMware software/hardware related.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Can you elaborate on this please? Is this a script?
     
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    References to VMWare - file & registry.
    Configuring services - vmx file.

     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,902
    Location:
    The Netherlands
    Hi,

    I will check it out, but won´t this break stuff inside VM? I believe that I´ve read something like this. Of course for the real hardcore malware testers out there, this could be a nice workaround, luckily most of my malware sample work just fine.

    But a couple of days ago I did download a malware sample (some fake video site trying to make you run some fake codec) and it terminates itself immediately. As a matter of fact, a lot of malware do this inside a sandbox (SafeSpace/SBIE) too. But I´m not sure if this is because they recognize the fact that they run sandboxed (making analyzing impossible), or because they notice they can´t do nothing anyway?
     
    Last edited: Apr 18, 2008
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    According to the article p. 24, yes it will break things such as Shared Folders and VMware Tools. I haven't tried this myself yet, but I posted it because I thought it may be of use to others.
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Both are highly likely. They may detect SBIE's driver/protection and so they shutdown quietly or they get tired of repeated failures.
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.