Preventing Malware from Detecting VM

Hi. I was trying to practice some malware removal today by running malware samples inside a VM (Virtualbox) on an XP Pro guest OS (no antivirus, etc. installed).

Anyway, after trying several strains of conficker, vundo/virtumonde, and virut, I can't seem to infect the VM! I mean, I know the software is running (some executables did say "not a valid win32 application", but the others didn't), because I can observe the rootkit portion of the malware hiding the executable after being run. BUT, process explorer, autoruns, etc. are not showing anything! I have ran like 6 different rootkit scanning tools, and I can find NOTHING, which leads me to believe the malware is sensing the presence of a VM and either terminating or just not working the way it should. And I think I'm being very thorough, checking and verifying all loaded drivers, svchost processes, etc.


Is there any way around this? I mean, should I just switch virtualization platforms from virtualbox to VMware or something else? Is there any way around this? I don't want to start infecting real machines, because it takes way longer to restore them to default than it does reverting to a snapshot on a VM.

Help a noob out here.

 

The subject is a very interesting one and cannot be answered adequately in a short forum response, you have quite a lot of reading ahead of you if you wish. It boils down to a number of well known and not so well known and also malware and vm specific methods but, is also an ever changing subject. Start reading some research papers by googling the subject.

There are also other ways in looking at this than virtual machine, for example sandboxing, hardware or software recovery solutions.

 

This is really a fascinating thing for me,not because I do malware testing,but because I run two layers of Virtualization,
and commit exes and files too my real system after scanning them in a virtual environment.(mostly static,but sometimes executed and scanned/observed,before committal.)
I had no idea there were as many "virtualization aware" malware out there as this.


rat
:

 

It probably did detect the presence of a VM and simply either refused to install or broke during the install. It's apparently quite common.

Not a problem imo because if something you've launched in the vm behaves abnormally (eg: just seems to do nothing), then that should be an indicator of a suspicious file and probably not one you'd want to install on the real system.

 

Why it's best to test for possible malware in a real machine

 

Would it also be possible that not having the .NET Framework installed could cause this? I asked on another forum about this same issue, and somebody said I needed to have the .NET Framework installed for these viruses to function properly?

 

Dunno if this will work for a VM but you could try the HideDriver.sys utility within Buster Sandbox Analyzer.

Go to the last post to download and if you decide to give it a go make sure you have a look through the readme.txt and PDF.

I hid the three procesess for MS Virtual PC as a test using the hidedriver and they didn't show in Taskmanager. Don't really know if it can thwart VM aware malware as I haven't tested.

 

No way around it, and VMWare is the easiest to detect they provide an API.

http://kb.vmware.com/selfservice/mi...nguage=en_US&cmd=displayKC&externalId=1009458

 

Hiding or removing is quite a logical start, some methods incorporate system timings for example. There's a lot of reading material, papers by researchers, av houses etc out there.