Signature detection of virtual machine detection code

Discussion in 'sandboxing & virtualization' started by MrBrian, Apr 16, 2008.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    A nontrivial portion of today's malware apparently includes code that detects the presence of virtual machines and changes behavior accordingly. Thus, it would seem that a good way to spot malware would be to detect virtual machine detection code via signature. Does anybody know of any software that detects the presence of virtual machine detection code? Preferably this signature detection would take place in code that is already active, after any packers, encrypters, etc have finished their task. I know of one thus far - SysAnalyzer (http://labs.idefense.com/software/malcode.php). Does anybody know of any other such software?
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Didn't you already post this in some other section? But anyway, I think you should try some other more expert based forums. Or perhaps you can ask LUSHER. ;)
     
  3. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    PM sent.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Why send a PM? I don't get this, you often do this LUSHER, instead of giving info via PM, why not share it via the forum? You'll never know if it might be useful to someone. :rolleyes:
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I agree.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    To whom please? If to me, I did not receive.
     
  7. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    MrBrian,

    The simple answer is that it would be very complex to make a reliable scanner for VM code. Firstly, scanning the suspended process for OP code patterns could be a nightmare as there are many ways of doing this task. For example, here's one I use:

    #include <windows.h>   // EXCEPTION_EXECUTE_HANDLER (SEH), MSVC 32-bit build

    // Probes the VMware "backdoor" I/O port. On bare metal the IN instruction
    // from user mode raises a privileged-instruction exception, which the
    // __except handler turns into "not inside VMware".
    bool IsInsideVMWare()
    {
        bool rc = true;

        __try
        {
            __asm
            {
                push edx
                push ecx
                push ebx

                mov eax, 'VMXh'   // magic value 0x564D5868
                mov ebx, 0        // any value but not the MAGIC VALUE
                mov ecx, 10       // command 10: get VMWare version
                mov edx, 'VX'     // port number 0x5658

                in eax, dx        // read port
                // on return EAX returns the VERSION
                cmp ebx, 'VMXh'   // is it a reply from VMWare? (EBX echoes the magic)
                setz [rc]         // set return value

                pop ebx
                pop ecx
                pop edx
            }
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            rc = false;           // IN faulted: no backdoor port, not under VMware
        }

        return rc;
    }

    Now if I want to be a real pain I would simply use self modifying code for this function and it would be nearly impossible to determine what the code did using signatures. Don't get me wrong, it's not impossible, but doing a real-time trace on self modifying code is a complex procedure. Signature detection is not the best way but I'm sure there's other kernel mode hacks that can hide VMWare from user mode apps ;)

    ~interact
     
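As an added illustration of the signature approach MrBrian is asking about (this is not code from the thread or from SysAnalyzer), the scanner below looks through raw x86 code for the fingerprint of the routine interact posted: a `mov r32, 'VMXh'` followed within a short window by `in eax, dx`, with the `mov edx, 'VX'` port load in between as corroboration. It generalizes the quoted snippet to any 32-bit register and the 16-bit `mov dx` form; the sample bytes are constructed by hand-assembling the snippet's core, and the window size is an assumed tuning value.

```python
import re
import struct

VMWARE_MAGIC = 0x564D5868   # 'VMXh', the value loaded into EAX
VMWARE_PORT = 0x5658        # 'VX', the backdoor I/O port
IN_EAX_DX = b"\xED"         # opcode of `in eax, dx`
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # B8+r order

# Two encodings of the port load: `mov edx, imm32` and `mov dx, imm16`
PORT_LOADS = (b"\xBA" + struct.pack("<I", VMWARE_PORT),
              b"\x66\xBA" + struct.pack("<H", VMWARE_PORT))


def find_vmware_backdoor(data: bytes, window: int = 64) -> list:
    """One dict per `mov r32, 'VMXh'` that is followed within `window` bytes
    by `in eax, dx`. Heuristic: 0xED can also occur as data, and packed or
    self-modifying code will not match until it has been unpacked in memory."""
    magic_le = struct.pack("<I", VMWARE_MAGIC)
    hits = []
    for m in re.finditer(re.escape(magic_le), data):
        if m.start() == 0:
            continue
        opcode = data[m.start() - 1]
        if not 0xB8 <= opcode <= 0xBF:   # not a mov r32, imm32 (e.g. the cmp ebx, 'VMXh')
            continue
        span = data[m.end(): m.end() + window]
        in_pos = span.find(IN_EAX_DX)
        if in_pos == -1:
            continue
        port_loaded = any(p in span[:in_pos] for p in PORT_LOADS)
        hits.append({
            "offset": m.start() - 1,
            "register": REG32[opcode - 0xB8],
            "in_offset": m.end() + in_pos,
            "confidence": "high" if port_loaded else "medium",
        })
    return hits


# Constructed sample: the core of the posted routine, hand-assembled (32-bit)
SAMPLE = bytes.fromhex(
    "52 51 53"            # push edx; push ecx; push ebx
    "B8 68 58 4D 56"      # mov eax, 'VMXh'
    "BB 00 00 00 00"      # mov ebx, 0
    "B9 0A 00 00 00"      # mov ecx, 10
    "BA 58 56 00 00"      # mov edx, 'VX'
    "ED"                  # in eax, dx
    "81 FB 68 58 4D 56"   # cmp ebx, 'VMXh'
    "5B 59 5A"            # pop ebx; pop ecx; pop edx
)


def scan_sample() -> list:
    return find_vmware_backdoor(SAMPLE)
```

Running `scan_sample()` reports a single high-confidence hit at offset 3 with the `in` at offset 23; the magic constant inside the `cmp` is correctly ignored because it is not preceded by a `mov r32` opcode.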
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you for your feedback, interact :). Wouldn't it be true though, that most malware uses VM detection code written by others? In other words, I'm suggesting that of existing malware that uses VM detection code, perhaps 80% of the malware population uses only 5 (or 10, 15, 20, whatever the number is) different code signatures to accomplish this task? I doubt that most malware authors are writing their own VM detection code, but I could be wrong on this too.

    You also mentioned that the VM detection code could be self-modifying, making signature detection harder. But isn't this an issue that anti-malware scanners already have to deal with, in general? Thanks again for your reply.
     
  9. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    MrBrian,

    The more experienced malware authors could take standard VM detection code and scramble it at the source level to create thousands of variants of the same code base and compile/link this into new code. I doubt very few of today's viruses are self-modifying, as the skills to write good polymorphic code have vanished thanks to the console generation and higher level languages :)

    ~interact
     