Paper "Detecting & Defeating Split Personality Malware" and free anti-detection progs

Discussion in 'sandboxing & virtualization' started by MrBrian, Nov 27, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From hxxp://www.thinkmind.org/index.php?view=article&articleid=securware_2011_1_20_30092:
    From http://securityresearch.in/index.ph...-a-tool-to-counter-split-personality-malware/:
    Free software, including VMDetectGuard, is at http://securityresearch.in/index.php/downloads/. I haven't tried VMDetectGuard because I use VirtualBox.
     
  2. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    How many viruses these days switch themselves off when they find themselves in a virtual machine?
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    According to paper "Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware" from 2008, at least 4% behave differently.
     
  4. mag1c

    mag1c Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    37
    I want to start analyzing Malware, has anyone tried this tool?

    I think this tool could be malware in itself.
     
  5. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    I ran it briefly today. Doesn't appear to be malware. I haven't taken it through its paces yet.
     
  6. SparrowG

    SparrowG Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    2
    Location:
    India
    Hmm.. And looking around the site, they seem to be a well meaning bunch of people trying to do something good. :)
    Read the intro at securityresearch.in
     
  7. mag1c

    mag1c Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    37
    The site and programs are malicious. I mean come on, it's from India.

    The guy above me: 1st post. Obviously this program is malware. If not, then why don't they post the source code for this?
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Closed source = malicious?
     
  9. SparrowG

    SparrowG Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    2
    Location:
    India
    Oh, there's no CIA in India. So, it's pretty unlikely there's some malware that you can't detect or that your hardware manufacturer hides by design. If we are going by the country where a piece of code is written and whether the code is closed source, we would end up calling Microsoft and Sony products as malware. :eek:

    Judge software on its merits and not on where it's written or whether the source is open.
     
  10. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Being the skeptic that I am I didn't play with this until I verified that its a legit tool. The paper was cited at some prominent tech and research conferences and universities:

    http://www.iaria.org/conferences2011/AwardsSECURWARE11.html
    http://coneco2009.com/ccseit/accepted.html
    http://isea.nitk.ac.in/isea/

    The version provided as per their site: securityresearch.in is not their newest. The msi file from this sourceforge link is however the most recent, supporting VirtualBox: sourceforge.net/p/vmdetect/vmdetect/

    I found it hard to acquire any software that had anti-vm execution capabilities so I used vmprotect to turn legit apps into ones that were vm resistant. So far they don't seem to run under VMDetectGuard. I look forward to what you guys say when testing it out. I tried to contact the author via email : kalpa . at . securityresearch.in ,but I got a bounceback message saying my message was rejected by the recipient domain.

    I think this is a pretty interesting tool. :thumb:
     
    Last edited: Dec 5, 2011
  11. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Don't you think this is a little too biased and prejudiced? If forum members had adopted this closed mentality we would have lost out on great programs such as ShadowDefender by saying foolish things like "oh, it's from China and I don't trust the people there" etc.

    So what if it's closed source? You may be discounting the fact that the people who came up with it may want to restrict any additions to the program that aren't done by them.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you Serapis :).

    The files to download from http://sourceforge.net/p/vmdetect/vmdetect/16/tree/ are VMDetectGuard.msi (55 MB) and either VirtualMachindeDetect_64Bit.rar or VirtualMachineDetect_32Bit.rar.

    The detection program seems to run properly in a VirtualBox Windows XP guest. I'm not sure if the guard program is working properly or not in a VirtualBox Windows XP guest (it's a long story).

    The detection program doesn't seem to run properly in a VirtualBox Windows 7 x64 guest. I'm not sure if the guard program is working properly or not in a VirtualBox Windows 7 x64 guest.

    Some other detection programs:
    http://www.trapkit.de/research/vmm/scoopyng/
    http://www.codeproject.com/KB/system/VmDetect.aspx
     
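The detectors linked above (ScoopyNG, the CodeProject VmDetect, and the VirtualMachineDetect program that ships with VMDetectGuard) are compared in this thread without anyone saying what they actually probe. As an added example, not code from the thread, from VMDetectGuard or from any of those tools, here are the two cheapest probes most of them share: the hypervisor-present bit in CPUID leaf 1 (ECX bit 31) and the 12-byte vendor signature a hypervisor returns in EBX:ECX:EDX for leaf 0x40000000. The signature table lists only vendors whose strings are documented; the register values in the comments are constructed. It builds with GCC or Clang on x86; on any other target `probe_hypervisor` reports that CPUID is unavailable rather than guessing.

```c
/* Added example: CPUID-based VM detection (hypervisor bit + vendor leaf).
 * Not the code of VMDetectGuard, ScoopyNG or VmDetect. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* Write a 32-bit register as four little-endian bytes, the order in which
 * CPUID returns string data regardless of the host's byte order. */
static void put_le32(char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (char)((v >> (8 * i)) & 0xff);
}

/* Leaf 0x40000000 returns the 12-byte vendor signature as EBX, ECX, EDX.
 * Constructed sample: EBX=0x61774d56 ECX=0x4d566572 EDX=0x65726177
 * decodes to "VMwareVMware". */
void vendor_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    put_le32(out, ebx);
    put_le32(out + 4, ecx);
    put_le32(out + 8, edx);
    out[12] = '\0';
}

/* Leaf 1, ECX bit 31: "hypervisor present". Reserved (zero) on bare metal. */
int hypervisor_bit_set(uint32_t ecx_leaf1) {
    return (int)((ecx_leaf1 >> 31) & 1u);
}

/* Map a vendor signature to a product name. KVM pads with NULs, so only the
 * first nine bytes are compared for it. */
const char *classify_vendor(const char *sig) {
    if (strncmp(sig, "VMwareVMware", 12) == 0) return "VMware";
    if (strncmp(sig, "VBoxVBoxVBox", 12) == 0) return "VirtualBox";
    if (strncmp(sig, "Microsoft Hv", 12) == 0) return "Hyper-V";
    if (strncmp(sig, "KVMKVMKVM", 9) == 0)     return "KVM";
    if (strncmp(sig, "XenVMMXenVMM", 12) == 0) return "Xen";
    return "unknown";
}

/* Run both probes on the real CPU. Returns 1 if the hypervisor bit is set
 * (vendor_out then holds the signature), 0 if it is clear, -1 if CPUID is
 * not available for this compiler/target. */
int probe_hypervisor(char vendor_out[13]) {
    vendor_out[0] = '\0';
#if HAVE_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return -1;
    if (!hypervisor_bit_set(ecx)) return 0;
    /* __get_cpuid rejects leaves above the maximum basic leaf, and
     * 0x40000000 is above it by design, so issue the instruction directly. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    vendor_from_regs(ebx, ecx, edx, vendor_out);
    return 1;
#else
    return -1;
#endif
}

int main(void) {
    char vendor[13];
    int r = probe_hypervisor(vendor);
    if (r < 0)
        puts("CPUID not available on this target");
    else if (r == 0)
        puts("hypervisor bit clear: looks native (or the VMM hides the bit)");
    else
        printf("hypervisor bit set, vendor \"%s\" -> %s\n", vendor, classify_vendor(vendor));
    return 0;
}
```

A clear bit does not prove a native machine: VMware lets the VM owner clear it with `hypervisor.cpuid.v0 = "FALSE"` in the .vmx file, and a guard tool that hooks the process can rewrite the registers after the instruction executes. That is why the tools above also fall back to artifact checks such as NIC OUI prefixes and guest-additions processes, and why the leaf 1 result should be read as "not proven native" rather than "native".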
  13. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    If you don't mind, I'm curious as to what went wrong or why it's not working properly. Maybe we can work out an approach to get it working. It'd help if we can get to the programmer and discuss this somehow.

    To save would-be testers time and effort in finding samples to test with DetectGuard, there was a simple detector program for virtual environments I found that I'll link to. IMO it's more practical than crypt0rs with anti-VM.

    http://rapidshare.com/files/205173053/VB.NET_-_Anti_Codes.rar
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    When I launch their VM detector program from the anti-detector program, the detector program still detects VirtualBox. However, if I run the generated (from the anti-detector GUI) batch file (can't remember its name but it starts with letter "v") separately, then the detector program doesn't detect VirtualBox. However, I noticed that when I run the detector from the batch file, there is a console window that opens very briefly, possibly with an error message, but it disappears too quickly to read. So I'm not sure if the result when running from the batch file is legitimate.

    Some other notes:
    1. It seems that the anti-detector program can handle programs with only one process; additional processes don't seem to launch. If someone contacts the programmer, maybe ask for confirmation.
    2. Programs run with the anti-detector program run much more slowly than normal.
    3. The anti-detector program creates a trace file that can get large rather quickly.

    If I can find a different detector program that detects VirtualBox, I'll test it. I didn't try the program you mentioned yet.
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I tried the detector program that Serapis mentioned. It still detected VirtualBox when launched from the anti-detection program. Maybe others can post their results with this detector program when run in VMware.
     
  16. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    I asked the author to join us in our discussion here. The email to reach them is: vmqueries gmail.com

    I'm currently testing both detectors in VMware Player and will report the results soon.
     
  17. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Tested on XP SP3, VMware Player. The results are the following:

    VMDetectGuard mistakenly thinks it's running on a native machine. So attempting to run detection tools with the 'VMware as Native' gives an error that VMware was not detected.

    Running VMdetect both under DetectGuard and without gives the result of Native machine with maximum possibility. When running the separate exe for VM detect I get for VPC: 6% VBox: 8% and VMWare: 58%

    So it seems to know which one it's running on but it doesn't relay this info correctly.

    Now when running the other tool I linked to earlier, both under DetectGuard and without, it is able to detect VMware regardless.
     
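The per-product percentages Serapis reports above (VPC 6%, VBox 8%, VMware 58%) are the shape of output a weighted artifact scan gives, as opposed to the yes/no answer of a CPUID probe. As an added example, not the code of VirtualMachineDetect or of the other detector linked in this thread, this scores a guest against artifacts each product leaves behind: NIC OUI prefixes, guest-additions processes, registry keys and disk model strings. The weights and the percentage formula (each product's share of its own maximum score) are my own assumptions, and the two snapshots are constructed, not captured from a real guest; a real tool would fill the struct from GetAdaptersInfo, a process walk, the registry and SetupAPI instead.

```c
/* Added example: weighted artifact scoring per hypervisor product.
 * Not the code of VirtualMachineDetect. Weights are assumed, not measured. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { VMWARE, VBOX, VPC, N_VMM };
static const char *const vmm_name[N_VMM] = { "VMware", "VirtualBox", "Virtual PC" };

struct indicator { int vmm; int weight; const char *kind; const char *needle; };

/* Artifacts each product leaves in a guest; matched case-insensitively as substrings. */
static const struct indicator indicators[] = {
    { VMWARE, 3, "mac",  "00:05:69" }, { VMWARE, 3, "mac", "00:0C:29" },
    { VMWARE, 3, "mac",  "00:1C:14" }, { VMWARE, 3, "mac", "00:50:56" },
    { VBOX,   3, "mac",  "08:00:27" },
    { VPC,    3, "mac",  "00:03:FF" },
    { VMWARE, 2, "proc", "vmtoolsd.exe" },   { VMWARE, 1, "proc", "vmwaretray.exe" },
    { VBOX,   2, "proc", "vboxservice.exe" }, { VBOX,   1, "proc", "vboxtray.exe" },
    { VPC,    2, "proc", "vmsrvc.exe" },      { VPC,    1, "proc", "vmusrvc.exe" },
    { VMWARE, 2, "reg",  "SOFTWARE\\VMware, Inc.\\VMware Tools" },
    { VBOX,   2, "reg",  "SOFTWARE\\Oracle\\VirtualBox Guest Additions" },
    { VMWARE, 2, "disk", "VMware Virtual" },
    { VBOX,   2, "disk", "VBOX HARDDISK" },
};

#define MAX_ITEMS 8
/* What a collector would hand the scorer: NULL-terminated lists per category. */
struct snapshot {
    const char *mac[MAX_ITEMS];
    const char *proc[MAX_ITEMS];
    const char *reg[MAX_ITEMS];
    const char *disk[MAX_ITEMS];
};

/* Case-insensitive substring test (artifact casing varies between Windows versions). */
int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

static const char *const *category(const struct snapshot *s, const char *kind) {
    if (strcmp(kind, "mac") == 0)  return s->mac;
    if (strcmp(kind, "proc") == 0) return s->proc;
    if (strcmp(kind, "reg") == 0)  return s->reg;
    return s->disk;
}

/* Fill pct[] with each product's matched weight as a percentage of that
 * product's total possible weight, so products do not have to sum to 100. */
void score_snapshot(const struct snapshot *s, int pct[N_VMM]) {
    int got[N_VMM] = {0}, max[N_VMM] = {0};
    for (size_t k = 0; k < sizeof indicators / sizeof indicators[0]; k++) {
        const struct indicator *ind = &indicators[k];
        max[ind->vmm] += ind->weight;
        const char *const *items = category(s, ind->kind);
        for (int i = 0; i < MAX_ITEMS && items[i]; i++)
            if (contains_ci(items[i], ind->needle)) { got[ind->vmm] += ind->weight; break; }
    }
    for (int v = 0; v < N_VMM; v++) pct[v] = max[v] ? 100 * got[v] / max[v] : 0;
}

/* Constructed sample snapshots, not collected from real machines. */
const struct snapshot vmware_guest = {
    { "00:0C:29:3A:1B:5C" },
    { "explorer.exe", "vmtoolsd.exe", "VMwareTray.exe" },
    { "SOFTWARE\\VMware, Inc.\\VMware Tools" },
    { "VMware Virtual disk SCSI Disk Device" }
};
const struct snapshot native_host = {
    { "3C:52:82:11:22:33" },
    { "explorer.exe", "svchost.exe" },
    { 0 },
    { "ST1000DM003-1CH162" }
};

int main(void) {
    int pct[N_VMM];
    score_snapshot(&vmware_guest, pct);
    for (int v = 0; v < N_VMM; v++) printf("%-11s %3d%%\n", vmm_name[v], pct[v]);
    return 0;
}
```

Each category is one line of defence a guard tool has to spoof separately: hiding the vendor string does nothing about the OUI or the vmtoolsd.exe process, which is the practical reason a detector can still flag a VM under an anti-detection wrapper while the same wrapper defeats a single-probe detector.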
  18. kalpa

    kalpa Registered Member

    Joined:
    Dec 15, 2011
    Posts:
    2
    Location:
    India
    Hi everyone,
    I am the author of the tool, VMDetectGuard. It is entrancing to know that so many of you have been taking interest in it, though some are skeptical to even try it. :) Do not worry, this tool is 100% legitimate. This tool is still in the development stage and there are many more challenges yet to be surmounted. And I believe with the kind of feedback I see on this website we would be able to achieve them well. Please give us comments. Good/bad, all would be useful. Let's all fight malware together.

    In reply to mag1's comment: Indians are good people. Maybe not all, but most. Trust me. :) We do have the source code available on sourceforge.net. We will release it on our website at the earliest.
     
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Country prejudice at its finest; in other words, racism.

    Get a life.

    Anyhow, this might be quite useful.
     
  20. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Welcome Kalpa, good to hear from you. Please keep us updated with any new releases and let us know about them in this thread. I look forward to trying your software.
     
  21. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Using a dedicated vm employing anti-vm techniques, some set aside as void over time, to patching malware has usually worked for me so it will be interesting to see what you bring with VMDetectGuard, thanks kalpa - how about other vms such as virtualbox?
     
    Last edited: Dec 17, 2011
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    See post #10.
     
  23. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Thanks MrBrian (Nota bene, read the thread!)
     
  24. NativizeVM

    NativizeVM Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    16
    Location:
    India
    We at securityresearch.in have posted the source code of the first version of our tool VirtualMachineDetect in http://ge.tt/4oFYn5Y?ubiquitous_id=14.
     
  25. NativizeVM

    NativizeVM Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    16
    Location:
    India
    The msi of the latest version is uploaded to securityresearch.in: http://securityresearch.in/index.php/downloads/?ubiquitous_id=74. This supports VMware, VirtualBox and VirtualPC.
     