How Malware Detects Virtual Machines

Discussion in 'other security issues & news' started by Rasheed187, Nov 25, 2006.

Thread Status:
Not open for further replies.
  1. Rasheed187 (Registered Member; joined Jul 10, 2004; 8,010 posts; The Netherlands)
  2. Rasheed187 (Registered Member; joined Jul 10, 2004; 8,010 posts; The Netherlands)

    This is interesting, but would it really work, I wonder. :rolleyes:

    http://weblog.infoworld.com/virtualization/archives/2006/11/virtual_machine_1.html

  3. Devil's Advocate (Registered Member; joined Feb 5, 2006; 549 posts)
  4. EsoxLucius (Registered Member; joined Oct 27, 2006; 125 posts; Bucharest, Romania)

    That's why:

  5. Mrkvonic (Linux Systems Expert; joined May 9, 2005; 8,694 posts)

    Hello,
    Very simple - you run a tool in a virtual machine - if it refuses to cooperate, you never install it natively.
    Mrk

  6. GS2 (Registered Member; joined Jul 22, 2006; 42 posts)

    Or just use a real test box instead of a VM (obviously not your everyday machine).

  7. Devil's Advocate (Registered Member; joined Feb 5, 2006; 549 posts)

    Oh right, I forgot everyone here, including Rasheed, are analysts. :rolleyes:

  8. Rasheed187 (Registered Member; joined Jul 10, 2004; 8,010 posts; The Netherlands)

    Good one DA, but of course I meant it's bad news for the analysts, and even for us amateurs who like to fool around with malware sometimes. According to the article, some malware will simply refuse to run, but what if apps can act like they are non-malicious when run in a virtual machine? Does this stuff exist yet? :blink:

  9. Rasheed187 (Registered Member; joined Jul 10, 2004; 8,010 posts; The Netherlands)
  10. TNT (Registered Member; joined Sep 4, 2005; 948 posts)

    I haven't seen one acting "non-malicious" (rather, I've seen quite a bit simply not run at all). But it's very possible, and I don't see any reason why malware authors wouldn't have thought about writing something like this.

  11. Rasheed187 (Registered Member; joined Jul 10, 2004; 8,010 posts; The Netherlands)

    Well, if you read the article, Sophos actually thinks that this malware might already exist. :rolleyes:

  12. Rasheed187 (Registered Member; joined Jul 10, 2004; 8,010 posts; The Netherlands)
  13. Inspector Clouseau (AV Expert; joined Apr 2, 2006; 1,329 posts; Maidenhead, UK)

    There are a few *1000s* of bots (RBots etc.) which don't run under a virtual environment. Moreover, there are runtime packers and crypters which have this functionality included, Themida for instance.

    See here: http://vil.nai.com/vil/content/v_139328.htm
