Preventing Malware from Detecting VM

Discussion in 'sandboxing & virtualization' started by Vicenarian, Jun 1, 2010.

Thread Status:
Not open for further replies.
  1. Vicenarian

    Vicenarian Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    7
    Hi. I was trying to practice some malware removal today by running malware samples inside a VM (VirtualBox) on an XP Pro guest OS (no antivirus, etc. installed).

    Anyway, after trying several strains of Conficker, Vundo/Virtumonde, and Virut, I can't seem to infect the VM! I mean, I know the software is running (some executables did say "not a valid win32 application", but the others didn't), because I can observe the rootkit portion of the malware hiding the executable after being run. BUT, Process Explorer, Autoruns, etc. are not showing anything! I have run like 6 different rootkit scanning tools, and I can find NOTHING, which leads me to believe the malware is sensing the presence of a VM and either terminating or just not working the way it should. And I think I'm being very thorough, checking and verifying all loaded drivers, svchost processes, etc.


    Is there any way around this? I mean, should I just switch virtualization platforms from VirtualBox to VMware or something else? Is there any way around this? I don't want to start infecting real machines, because it takes way longer to restore them to default than it does reverting to a snapshot on a VM.

    Help a noob out here. :D
     
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    The subject is a very interesting one and cannot be answered adequately in a short forum response; you have quite a lot of reading ahead of you if you wish. It boils down to a number of well-known and not-so-well-known, and also malware- and VM-specific, methods, but it is also an ever-changing subject. Start reading some research papers by googling the subject.

    There are also other ways of looking at this than a virtual machine, for example sandboxing, hardware or software recovery solutions.
     
    Last edited: Jun 1, 2010
  3. ratwing

    ratwing Guest

    This is really a fascinating thing for me, not because I do malware testing, but because I run two layers of virtualization, and commit exes and files to my real system after scanning them in a virtual environment (mostly static, but sometimes executed and scanned/observed, before committal).
    I had no idea there were as many "virtualization aware" malware out there as this.


    rat
     
  4. wat0114

    wat0114 Guest

    It probably did detect the presence of a VM and simply either refused to install or broke during the install. It's apparently quite common.

    Not a problem IMO, because if something you've launched in the VM behaves abnormally (e.g. just seems to do nothing), then that should be an indicator of a suspicious file and probably not one you'd want to install on the real system.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  6. Vicenarian

    Vicenarian Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    7
    Would it also be possible that not having the .NET Framework installed could cause this? I asked on another forum about this same issue, and somebody said I needed to have the .NET Framework installed for these viruses to function properly?
     
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Dunno if this will work for a VM, but you could try the HideDriver.sys utility within Buster Sandbox Analyzer.

    Go to the last post to download, and if you decide to give it a go, make sure you have a look through the readme.txt and PDF.

    I hid the three processes for MS Virtual PC as a test using the HideDriver and they didn't show in Task Manager. Don't really know if it can thwart VM-aware malware as I haven't tested.

     
  8. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hiding or removing is quite a logical start; some methods incorporate system timings, for example. There's a lot of reading material, papers by researchers, AV houses, etc., out there.
     