How malware detects if it's running in a VM

Discussion in 'sandboxing & virtualization' started by tlu, Mar 11, 2014.

  1. tlu

    tlu Guest

    -http://www.heise.de/security/downloads/07/1/1/8/3/5/5/9/vmde.pdf

  2. Drew99GT

    Drew99GT Registered Member

    Joined: Jun 27, 2006 | Posts: 338 | Location: Colorado Springs

    Hmmmm, just a cursory read makes it sound like malware authors target Sandboxie. I was under the assumption that Sandboxie is essentially impenetrable, but is it? o_O
     
  3. bo elam

    bo elam Registered Member

    Joined: Jun 15, 2010 | Posts: 3,770 | Location: Nicaragua
  4. Nebulus

    Nebulus Registered Member

    Joined: Jan 20, 2007 | Posts: 1,582 | Location: European Union

    1. No security solution is 100% impenetrable.
    2. The study talks about detecting the VM/sandbox presence, not about attacking one. This is important for malware in order to avoid analysis, but it is not related to VM/sandbox software being vulnerable.
     
  5. MrBrian

    MrBrian Registered Member

    Joined: Feb 24, 2008 | Posts: 6,032 | Location: USA

    From the 2008 paper "Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware":
     
  6. bo elam

    bo elam Registered Member

    Joined: Jun 15, 2010 | Posts: 3,770 | Location: Nicaragua

    Malware usually can detect when it's running in a sandbox. This is why, when I read someone saying that the only time they use Sandboxie is to run "suspicious files" (something that happens too often)... I shake my head left to right and go, "Oh man".

    Bo
     
  7. guest

    guest Guest

    AFAIK there are only a few malware which are smart enough to know if they are running in a virtualized environment. But I understand your point. Everything is suspicious. Heck, even Windows itself can be suspicious if it constantly uses 70% CPU usage for no apparent reason. :ninja:
     
  8. bo elam

    bo elam Registered Member

    Joined: Jun 15, 2010 | Posts: 3,770 | Location: Nicaragua

    Sandboxie's motto is "Trust no program". To me, that's like a law, but my point really is that it can not be assumed that a program or file is clean and can be trusted just because it doesn't do anything when running under SBIE. I think people who use Sandboxie to determine if a program or file that they consider suspicious can be trusted and can be run or installed out of the sandbox are gonna be burnt one day.

    Bo
     
  9. MrBrian

    MrBrian Registered Member

    Joined: Feb 24, 2008 | Posts: 6,032 | Location: USA

    From the Symantec whitepaper "Threats to Virtual Environments" (2014):
    Paper download: hxxp://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/threats_to_virtual_environments.pdf .
     
  10. deBoetie

    deBoetie Registered Member

    Joined: Aug 7, 2013 | Posts: 1,150 | Location: UK

    Tzuk addressed this way back and basically said it was difficult to mask operation in Sandboxie. The same thing applies to VMs.

    And I quite agree that it's not sensible to test malware in Sandboxie.

    If anything, it's a mark of popularity that malware is now testing for Sandboxie as well as VMs. But my understanding was that this was detection, and used so that the malware would NOT attempt to do what it normally did.

    What the paper is very weak on is any credible information on what would be big news: an actual attack on Sandboxie itself, or even worse, attacks on VMs (which, after all, run the majority of web services in data centers). Unless that can be demonstrated, this is not news.