A Look at Malware with Virtual Machine Detection

It’s not uncommon for the malware of today to include some type of built-in virtual machine detection.

Virtual machines (VMs) are an essential part of a malware analyst's work environment. After all, we don't want to expose our physical, or "bare-metal", computers to all the nasty things that malware can do. Instead, we can run the malware inside a VM environment (VME) and simply revert the VM to a clean snapshot after an infection has occurred.

Since malware writers are well aware of this, they often check for virtual machines using a variety of techniques. Some of these techniques are primitive or simplistic, such as reading registry values or looking for a VM vendor's name in a device description. Others operate at the machine-instruction level, for example by probing the hypervisor through special instructions or I/O ports, and are much harder for an analyst to spot in a debugger or disassembler.

Let's look at a practical example. Below is code from an unpacked ransomware DLL that searches the description of your computer's display device for VM-related strings.

[Image: VME_detection]

To make analysis easier, the simplest fix is to patch this check out of the binary. For a more permanent remedy, though, there are other options, including uninstalling VMware Tools, which I have already done on my sandbox VM. Below is the output of the same ransomware when it checks my display device:

[Image: VME-notools]

As an analyst, however, it will not always be this easy to determine whether VM detection is occurring. Hardening your VM can be a lengthy process that involves a lot of work. In some cases, you may need additional tools to hide the processes, files, and registry keys that your VM software creates inside the guest.

Lastly, if you use VMware, adding the following options to the .vmx file of a POWERED OFF VM is of great value when you perform malware analysis.

isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"

These "undocumented" options come from Tom Liston and Ed Skoudis's 2006 paper "On the Cutting Edge: Thwarting Virtual Machine Detection", but they are still useful today against some VM-detection techniques. Please note, however, that they will break some VM functionality. The isolation.tools.* settings disable commands on the VMware "backdoor" I/O channel, which is the communications path between host and guest that VMware Tools relies on for features such as clipboard sharing, drag-and-drop and mouse integration. The monitor_control.* settings change how the monitor executes guest code, which can cost performance, and they only cover instruction-level tricks that go through the monitor; they do nothing about checks that simply read a device name or a registry value.
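The two checks discussed on this page, the display-device string search from the ransomware screenshot and the VMware backdoor channel that the isolation.tools.* options shut off, can be reproduced in a few lines of C. The following is an added example and is not code from the original post or from the ransomware sample; the marker list and the sample device descriptions are constructed for illustration, since the page does not show which strings the sample looks for. The backdoor probe uses the well-known VMware convention (magic 0x564D5868 in EAX, port 0x5658, command 10 = GET_VERSION) and traps the fault that an unprivileged IN raises outside VMware with a POSIX signal handler; a Windows sample does the same with SEH. A CPUID check is included to show a technique the .vmx options above do not hide.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Check 1: string matching on a device description, as in the screenshot.
 * The marker list is a constructed guess; the page does not show the
 * sample's exact strings. */
static const char *const VM_MARKERS[] = {
    "vmware", "virtualbox", "vbox", "qemu", "hyper-v", "parallels", "xen"
};

/* Returns the first marker found in desc (case-insensitive), or NULL. */
const char *vm_marker_in(const char *desc) {
    char low[256];
    size_t i, n = strlen(desc);
    if (n >= sizeof low) n = sizeof low - 1;
    for (i = 0; i < n; i++) low[i] = (char)tolower((unsigned char)desc[i]);
    low[n] = '\0';
    for (i = 0; i < sizeof VM_MARKERS / sizeof VM_MARKERS[0]; i++)
        if (strstr(low, VM_MARKERS[i])) return VM_MARKERS[i];
    return NULL;
}

/* Check 2: the VMware backdoor. With the magic value in EAX, reading I/O
 * port 0x5658 with command 10 (GET_VERSION) makes VMware echo the magic
 * back in EBX. Outside VMware an unprivileged IN faults (SIGSEGV on Linux),
 * so the fault is trapped and reported as "not present". The
 * isolation.tools.getVersion.disable option above disables this command. */
#define VMWARE_MAGIC       0x564D5868u  /* "VMXh" */
#define VMWARE_PORT        0x5658u      /* "VX"   */
#define VMWARE_GET_VERSION 10u

static sigjmp_buf fault_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

int vmware_backdoor_present(void) {
#if defined(__x86_64__) || defined(__i386__)
    struct sigaction sa, old_segv, old_ill, old_bus;
    volatile int present = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL,  &sa, &old_ill);
    sigaction(SIGBUS,  &sa, &old_bus);
    if (sigsetjmp(fault_jmp, 1) == 0) {
        uint32_t eax = VMWARE_MAGIC, ebx = 0, ecx = VMWARE_GET_VERSION;
        __asm__ volatile ("inl %%dx, %%eax"
                          : "+a"(eax), "+b"(ebx), "+c"(ecx)
                          : "d"(VMWARE_PORT)
                          : "memory");
        present = (ebx == VMWARE_MAGIC);
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL,  &old_ill,  NULL);
    sigaction(SIGBUS,  &old_bus,  NULL);
    return present;
#else
    return 0;  /* the backdoor is an x86 I/O-port trick; nothing to probe */
#endif
}

/* Check 3: CPUID leaf 1, ECX bit 31 ("hypervisor present"). Every modern
 * hypervisor sets it, and none of the .vmx options above touch CPUID. */
int cpuid_hypervisor_bit(void) {
#if defined(__x86_64__) || defined(__i386__)
    uint32_t eax = 1, ebx, ecx, edx;
    __asm__ volatile ("cpuid" : "+a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx));
    return (int)((ecx >> 31) & 1u);
#else
    return 0;
#endif
}

int main(void) {
    /* Constructed sample descriptions, not taken from the screenshots. */
    const char *samples[] = {
        "VMware SVGA 3D", "VirtualBox Graphics Adapter",
        "NVIDIA GeForce GTX 770", "Standard VGA Graphics Adapter"
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *m = vm_marker_in(samples[i]);
        printf("%-30s -> %s\n", samples[i], m ? m : "no VM marker");
    }
    printf("VMware backdoor GET_VERSION answered: %s\n",
           vmware_backdoor_present() ? "yes" : "no");
    printf("CPUID hypervisor bit set: %s\n",
           cpuid_hypervisor_bit() ? "yes" : "no");
    return 0;
}
```

Run it once on bare metal and once inside a VMware guest before and after adding the isolation.tools.getVersion.disable line: the string check is defeated by removing VMware Tools or patching the binary, the backdoor answer disappears once the .vmx option is set, and the CPUID bit stays set either way, which is the limitation the paragraph above warns about.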

_________________________________________________________________

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and malware analysis. Twitter: @joshcannell


3 thoughts on "A Look at Malware with Virtual Machine Detection"

  1. tekk3y says on February 7, 2014 at 2:43 pm:

    So what can a piece of Malware do to a virtual machine or the actual PC if it knows that its inside of one?

  2. Joshua Cannell says on February 7, 2014 at 7:04 pm:

    It's not so much what it can do; rather, it doesn't want to do anything. Since average PC users don't run their OS within a VM, it's suspicious to be running in a virtual environment from the malware's standpoint, as it drastically increases the likelihood that it's being analyzed and/or reverse engineered. This is something the malware's creator wants to prevent.

  3. nullprocess says on February 10, 2014 at 10:29 pm:

    Very useful starter but it stops short. “In some cases, you may need other tools for hiding processes, files, and registry keys” – any hints please Joshua?
