Virtual machine detection is a self-defensive property of many malware specimens. It is aimed at making it harder to examine the malicious program, because virtualization software, such as VMware, is a very popular tool among malware analysts. For instance, 3 out of 12 malware specimens recently captured in our honeypot refused to run in VMware.
If you're surprised that commercial packers exist, don't be. Programmers often rely on packers to protect legitimate programs from reverse-engineering. Specifically, "Themida is very popular in China, because developers use it to protect mobile applications," according to one post on the ExeTools Forum. "They want maximum security to protect their sensitive communication between software + mobiles."
Themida is probably based on an earlier packer called Xtreme-Protector; both tools seem to have been written by the same author. The Xtreme-Protector website includes a whitepaper that outlines some of the anti-reversing features built into this program.
As a malware analyst, one way you can deal with packed executables that check for the presence of VMware is to patch the malicious code, so that the offending routine never executes. Another option is to modify your VMware instance to make it more difficult for the malicious program to detect that it's running in a virtual machine. Such VMware-concealing techniques are still relatively immature, but they were documented by Tom Liston and Ed Skoudis at a recent SANS conference. The slides for their presentation Thwarting Virtual Machine Detection are available on-line.
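To make the first option concrete, here is an added example of patching a VM-detection routine; it is not code from this diary, from Themida, or from the Liston/Skoudis slides. It assumes a 32-bit x86 specimen that detects VMware through the well-known "backdoor" I/O port (magic 0x564D5868, 'VMXh', on port 0x5658; these constants are not cited in the diary), locates the conditional jump that follows the check, and rewrites it so the "real hardware" path is always taken. The two code fragments it operates on are constructed for the demonstration, and names such as patch_vmware_checks are this example's own.

```python
import re

# Constants of the VMware "backdoor" I/O port interface. These are well-known
# values (they are not taken from the diary): the guest loads EAX with the magic
# 'VMXh', DX with port 0x5658 and executes `in eax, dx`. Under VMware the monitor
# answers and leaves 'VMXh' in EBX; on bare metal the instruction faults in
# ring 3 or EBX keeps whatever the code put there, so EBX != 'VMXh'.
VMX_MAGIC = (0x564D5868).to_bytes(4, "little")   # b"hXMV" as it appears in code
VMX_PORT = (0x5658).to_bytes(2, "little")

# Signature of the 32-bit detection sequence, ending in the short conditional
# jump that picks the "running in VMware" or "real hardware" path.
SIGNATURE = re.compile(
    rb"\xB8" + re.escape(VMX_MAGIC)           # mov eax, 0x564D5868
    + rb".{0,16}?"                            # EBX/ECX setup in between
    + rb"\x66\xBA" + re.escape(VMX_PORT)      # mov dx, 0x5658
    + rb"\xED"                                # in eax, dx
    + rb"\x81\xFB" + re.escape(VMX_MAGIC)     # cmp ebx, 0x564D5868
    + rb"(?P<jcc>[\x74\x75])(?P<rel>.)",      # je/jne rel8
    re.DOTALL,  # the wildcard must also match 0x0A, a common immediate byte
)

JE, JNE, JMP, NOP = 0x74, 0x75, 0xEB, 0x90


def find_vmware_checks(code: bytes) -> list[tuple[int, int]]:
    """Return (offset, opcode) of the conditional jump of every check found."""
    return [(m.start("jcc"), m.group("jcc")[0]) for m in SIGNATURE.finditer(code)]


def patch_vmware_checks(code: bytes) -> tuple[bytes, list[int]]:
    """Rewrite each check so the 'real hardware' path is always taken.

    jne not_vmware  -> jmp not_vmware  (fall-through was the VMware-detected path)
    je  vmware_seen -> nop; nop        (fall-through is the real-hardware path)
    Returns the patched image and the offsets that were changed.
    """
    buf = bytearray(code)
    patched = []
    for off, opcode in find_vmware_checks(code):
        if opcode == JNE:
            buf[off] = JMP              # keep the rel8, only the opcode changes
        else:
            buf[off] = buf[off + 1] = NOP
        patched.append(off)
    return bytes(buf), patched


def _x86(*hex_chunks: str) -> bytes:
    return bytes.fromhex(" ".join(hex_chunks))


# Constructed sample, not a real specimen: a function that runs the backdoor
# check and bails out (push 0 / call <exit stub>) if it sees VMware.
SAMPLE_JNE = _x86(
    "55 8B EC",              # push ebp; mov ebp, esp
    "B8 68 58 4D 56",        # mov eax, 'VMXh'
    "BB 00 00 00 00",        # mov ebx, 0
    "B9 0A 00 00 00",        # mov ecx, 10 (GET_VERSION command)
    "66 BA 58 56",           # mov dx, 0x5658
    "ED",                    # in eax, dx
    "81 FB 68 58 4D 56",     # cmp ebx, 'VMXh'
    "75 07",                 # jne +7 -> real hardware, skip the exit
    "6A 00 E8 00 00 00 00",  # push 0; call <exit stub> (placeholder rel32)
    "C9 C3",                 # leave; ret -> continue with the real payload
)

# Same check with the branch sense inverted: je jumps to the exit stub.
SAMPLE_JE = _x86(
    "55 8B EC",
    "B8 68 58 4D 56 BB 00 00 00 00 B9 0A 00 00 00 66 BA 58 56 ED",
    "81 FB 68 58 4D 56",
    "74 04",                 # je +4 -> VMware detected, go to exit stub
    "90 90 C9 C3",           # real hardware: leave; ret
    "6A 00 E8 00 00 00 00",  # exit stub
)

if __name__ == "__main__":
    for name, sample in (("jne variant", SAMPLE_JNE), ("je variant", SAMPLE_JE)):
        fixed, offsets = patch_vmware_checks(sample)
        print(f"{name}: patched branch at {offsets}, checks left: "
              f"{len(find_vmware_checks(fixed))}")
```

Two caveats apply in practice. The bytes have to be visible before the patch can be applied, so with a Themida-style packer you work on an unpacked image or a memory dump, not on the file as shipped; and the signature is deliberately loose, so confirm each hit in a disassembler before writing it back, since a compiler or protector may compute the magic at runtime or place the branch differently. The script also handles only this one detection method; other VMware checks need their own patches.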
ISC Handler on Duty
Nov 19th 2006