Signature detection of virtual machine detection code

Discussion in 'sandboxing & virtualization' started by MrBrian, Apr 16, 2008.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    A nontrivial portion of today's malware apparently includes code that detects the presence of virtual machines and changes behavior accordingly. Thus, it would seem that a good way to spot malware would be to detect virtual machine detection code via signature. Does anybody know of any software that detects the presence of virtual machine detection code? Preferably this signature detection would take place in code that is already active, after any packers, encrypters, etc have finished their task. I know of one thus far - SysAnalyzer (http://labs.idefense.com/software/malcode.php). Does anybody know of any other such software?
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Didn´t you already post this in some other section? But anyway, I think you should try some other more expert based forums. Or perhaps you can ask LUSHER. ;)
     
  3. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    PM sent.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Why send a PM? I don´t get this, you often do this LUSHER, instead of giving info via PM, why not share it via the forum? You´ll never know if it might be useful to someone. :rolleyes:
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I agree.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    To whom please? If to me, I did not receive.
     
  7. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    MrBrian,

    The simple answer is that it would be very complex to make a reliable scanner for VM code. Firstly scanning the suspended process for OP code patterns could be a nightmare as there are many ways of doing this task. For example here's one I use:

    bool IsInsideVMWare()
    {
    bool rc = true;

    __try
    {
    __asm
    {
    push edx
    push ecx
    push ebx

    mov eax, 'VMXh'
    mov ebx, 0 // any value but not the MAGIC VALUE
    mov ecx, 10 // get VMWare version
    mov edx, 'VX' // port number

    in eax, dx // read port
    // on return EAX returns the VERSION
    cmp ebx, 'VMXh' // is it a reply from VMWare?
    setz [rc] // set return value

    pop ebx
    pop ecx
    pop edx
    }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
    rc = false;
    }

    return rc;
    }

    Now If I want to be a real pain I would simply use self modifying code for this function and it would be nearly impossible to determine what the code did using signatures. Don't get me wrong it's not impossible but doing a real-time trace on self modifying code is a complex procedure. Signature detection is not the best way but I'm sure there's other kernel mode hacks that can hide VMWare from user mode apps ;)

    ~interact
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you for your feedback, interact :). Wouldn't it be true though, that most malware uses VM detection code written by others? In other words, I'm suggesting that of existing malware that uses VM detection code, perhaps 80% of the malware population uses only 5 (or 10, 15, 20, whatever the number is) different code signatures to accomplish this task? I doubt that most malware authors are writing their own VM detection code, but I could be wrong on this too.

    You also mentioned that the VM detection code could be self-modifying, making signature detection harder. But isn't this an issue that anti-malware scanners already have to deal with, in general? Thanks again for your reply.
     
  9. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    MrBrian,

    The more experienced malware authors could take standard VM detection code and scramble it at the source level to create thousands of variants of the same code base and compile/link this into new code. I doubt very few of today's Viruses are self-modifying as the skills to write good polymorphic code has vanished thanks to the console generation and higher level languages :)

    ~interact
     
Loading...
Thread Status:
Not open for further replies.