Paper "Detecting & Defeating Split Personality Malware" and free anti-detection progs

Discussion in 'sandboxing & virtualization' started by MrBrian, Nov 27, 2011.

Thread Status:
Not open for further replies.
  1. kalpa

    kalpa Registered Member

    Joined:
    Dec 15, 2011
    Posts:
    2
    Location:
    India
    Hi Separis,
    First of all, I am not sure which VM detection tool you have tried. The earlier version of our detection tool, called VMWareDetect, only detects the presence of VMware. The latest one is called VirtualMachineDetect. This tool additionally detects VirtualBox and Virtual PC. Are you getting the above-mentioned results with this tool?
     
  2. NativizeVM

    NativizeVM Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    16
    Location:
    India
    Some other virtual machine detecting programs are:

    Backdoor.Win32.SdBot.fmn

    RedPill

    Backdoor.Win32.SdBot.fmf
     
    Last edited by a moderator: Dec 20, 2011
  3. NativizeVM

    NativizeVM Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    16
    Location:
    India
    1. This was true in the first release, but in the second version released we have taken care of this issue.

    2. Yes, the program runs a bit slow compared to normal as the entire program is instrumented in order to mask the detection.

    3. The trace file size depends on the program that you are instrumenting using the tool. The trace file contains all the calls made by the program.

    It would be very helpful if you could run the latest versions uploaded to securityresearch.in and give us your feedback.

    -- for securityresearch.in
     
  4. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Hello Kalpa, I used the most recent VirtualMachineDetect detection tool provided on SourceForge.

    @NativizeVM please post these links on securityresearch.in to save testers the time of searching for anti-VM samples. Just be sure to write a disclaimer/warning to keep noobs from infecting their machines.
     
    Last edited: Dec 20, 2011
  5. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Clicking on the SourceForge link gives this weird error now:

    Just a heads up so you can check on the problem.
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    RkU, RDTSC
     
  7. NativizeVM

    NativizeVM Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    16
    Location:
    India
    We are moving the entire project to a new repository. The new link will be shortly provided to all. Sorry for the inconvenience caused.
     
  8. NativizeVM

    NativizeVM Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    16
    Location:
    India
    New versions of the tools "VirtualMachineDetect" and "VMDetectGuard" have been uploaded to securityresearch.in (downloads section).
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you. :)

    I tried version 2 in a VirtualBox 4.0.12 Windows XP virtual machine. VirtualBox was still detected with the virtual machine detector mentioned earlier in this thread when run with VMDetectGuard. VirtualMachineDetect didn't run correctly when run with VMDetectGuard.
     
  10. NativizeVM

    NativizeVM Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    16
    Location:
    India
    The tool currently does not support hardware fingerprinting masking. So if the tool you have used detects the virtual machine using this method, it will not mask the detection. We will soon be including this feature also.

    Based on the feedback received from several users we have made some corrections to both tools and have uploaded the corrected versions to securityresearch.in. Now there is only one binary for both XP and Windows 7, unlike the previous release. Sorry for the inconvenience caused.
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you :).
     
  12. NativizeVM

    NativizeVM Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    16
    Location:
    India
    When selecting the binary for the VMDetectGuard tool, do not select the shortcut to the .exe file. Select the actual .exe file itself. The tool currently does not work with shortcuts.
     
  13. NativizeVM

    NativizeVM Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    16
    Location:
    India
    We have updated the link to the source file on securityresearch.in.
     
  14. NativizeVM

    NativizeVM Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    16
    Location:
    India
    We request you to download and try out both tools, and provide us with your valuable suggestions on how we can improve them.

    If you face any issues we request you to send the log files to us as explained in readme.txt.
     
  15. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    I tested the newest version today and have some feedback:

    -The loading of a protected executable still takes a very long time.
    -I would appreciate a GUI addition of an alert when a split personality program is detected while running it under VirtualDetect Guard.
    -VDG didn't prevent VirtualBox detection when the tool I had linked to on the first page was tried.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    NativizeVM,

    Is it possible to have an option to not create the log file? I haven't tried the latest version, so please forgive me if this is inaccurate.
     
  17. NativizeVM

    NativizeVM Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    16
    Location:
    India
    Thanks Serapis.
    I will go through the link. As I mentioned before, our tool does not currently support hardware fingerprinting masking. So, if the tool you are using makes use of this method to detect the VM, our tool will not be able to mask it. We will be including this feature in the future.

    We removed the feature where it displays "Split personality malware detected" because we cannot say with 100% certainty (using our current methods) that the executable running is malware. We are including more methods, and this will be included in future releases.
     
  18. NativizeVM

    NativizeVM Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    16
    Location:
    India
    Currently there is no such option. We have created this log file with the sole purpose of collecting feedback from the users.
     
  19. NativizeVM

    NativizeVM Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    16
    Location:
    India
    The tool you have mentioned here detects using the hardware fingerprinting method, which is not supported by our tool yet.
     
  20. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Oh ok, I thought it was just your tool that used this technique.
     
  21. NativizeVM

    NativizeVM Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    16
    Location:
    India
    The previous release had issues with instrumenting 64-bit executables. This issue has been resolved and the corrected version is uploaded to securityresearch.in.
     
  22. NativizeVM

    NativizeVM Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    16
    Location:
    India
    We have included the option in version 2.2.1 of VMDetectGuard. This is available for download on securityresearch.in.
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you :).
     
  24. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    I am missing the point here. Now that you have released this tool VMDetectGuard, the bad guys can easily modify their malware so that instead of detecting the VM, they will try to detect your tool, no?
     
  25. NativizeVM

    NativizeVM Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    16
    Location:
    India
    VirtualMachineDetect V 2.1.1 (Beta) is out. More details can be found here. Your feedback is always welcome and can be provided in our forum.

    We request you to try this and provide us with your valuable suggestions. We hope you benefit from this. All users are requested to provide your e-mail address while running the tool, so that we can contact you back for the improvement of the same.
     