Hackers abuse single bit change in Intel CPU register to evade detection

guest · Jul 22, 2021

Hackers abuse single bit change in Intel CPU register to evade detection
Palo Alto Networks discovers that Trap Flag is being abused to notify malware it is being analyzed
July 20, 2021
https://www.itpro.co.uk/security/ma...ange-in-intel-cpu-register-to-evade-detection

Security researchers have discovered a specific single bit (Trap Flag) in the Intel CPU register that malware can abuse to evade sandbox detection.

According to researchers at Palo Alto Networks’ Unit 42 threat research group, malware can detect whether it is executing in a physical or virtual machine (VM) by monitoring the response of the CPU after setting this single bit.
Click to expand...

Malware usually avoids detection by checking if it is being run in a virtualized “sandbox” environment set up to safely analyze potential malware. When the malware finds out it is executing in a virtual machine, it will terminate its execution or provide fake outputs to hide its real intentions.

In this instance, to detect VM use in a sandbox, malware could check the CPU’s behavior after enabling the trap flag.

“To determine whether a VM is used, malware can check whether the single-step exception was delivered to the correct CPU instruction, after executing specific instructions (e.g. CPUID, RDTSC, IN) that cause the VM to exit with the TF enabled. During VM exits, the hypervisor – also known as Virtual Machine Monitor (VMM) – will emulate the effects of the physical CPU it encounters,” said researchers.
Click to expand...

Researchers also said there was an ongoing cat-and-mouse game between malware authors crafting evasion techniques to prevent effective analysis and sandbox authors researching novel ways to defeat those evasions.
Click to expand...

Palo Alto Networks - Unit42: Evade Sandboxes With a Single Bit – the Trap Flag

Unit 42 has discovered a specific single bit (Trap Flag) in the Intel CPU register that can be abused by malware to evade sandbox detection in general purposes. Malware can detect whether it is executing in a physical or virtual machine (VM) by monitoring the response of the CPU after setting this single bit.

This blog documents how malware can detect the differences in CPU behaviors in a virtual or physical machine with only a single bit in the CPU register.
Click to expand...

Log in or Sign up

Hackers abuse single bit change in Intel CPU register to evade detection

guest Guest

Log in or Sign up

Hackers abuse single bit change in Intel CPU register to evade detection

guest Guest

Useful Searches