Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Virtual Machine Detection in Malware via Commercial Tools

Published: 2006-11-19
Last Updated: 2006-11-20 18:26:26 UTC
by Lenny Zeltser (Version: 2)
0 comment(s)
Virtual machine detection is a self-defensive property of many malware specimens. It is aimed at making it harder to examine the malicious program, because virtualization software, such as VMware, is a very popular tool among malware analysts. For instance, 3 out of 12 malware specimens recently captured in our honeypot refused to run in VMware.

There are many ways for malicious code to detect that it's running in VMware: looking at the presence of VMware-specific processes and hardware characteristics are some of the simpler ones. More reliable techniques rely on assembly-level code that behaves differently on a virtual machine than on a physical host. VMware-detecting features are sometimes built directly into the malicious program, and are sometimes added by a third-party packing utility. (A packer is a utility that modifies the original progral to conceal its strings, disable debuggers, detect VMware, and so on.)

We recently encountered a malicious program that was packed with a commercial packer called Themida. (Thanks for the heads up, Johannes!) This packer includes support for virtual machine detection, as you can see in the screen capture below:



If you're surprised that commercial packers exist, don't be. Programmers often rely on packers to protect legitimate programs from reverse-engineering. Specifically, "Themida is very popular in China, because developers use it to protect mobile applications," according to one post on the ExeTools Forum. "They want maximum security to protect their sensitive communication between software + mobiles."

Themida is probably based on an earlier packer called Xtreme-Protector; both tools seem to have been written by the same author. The Xtreme-Protector website includes a whitepaper that outlines some of the anti-reversing features built into this program.

As a malware analyst, one way you can deal with packed executables that check for the presence of VMware is to patch the malicious code, so that the offending routine never executes. Another option is to modify your VMware instance to make it more difficult for the malicious program to detect that it's running in a virtual machine. Such VMware-concealing  techniques are still relatively immature, but they were documented by Tom Liston and Ed Skoudis at a recent SANS conference. The sides for their presentation Thwarting Virtual Machine Detection are available on-line.

Update: We received notes from two ISC readers with the following idea (thanks Rob Payne and Royans!). Their suggestion was to develop a mechanism for configuring non-virtualized systems to look like virtual machines. This approach could fool malicious software into thinking that it's running in an analyst's environment, and it would refuse to run. This might be an effective way to immune your systems against certain infections, making it less useful for malware to check wither it's running within VMware. Anyone feels like writing such a VMware-emulating utility? The idea reminds me of the Deception Tookit, which encouraged its users to install its software on regular and honeypot systems to confuse attackers.

Lenny Zeltser
ISC Handler on Duty
www.zeltser.com
Keywords:
0 comment(s)
Diary Archives