Topic: Signature detection of virtual machine detection code
MrBrian
Computer Security Testing Group
Comodo's Hero
« on: April 12, 2008, 06:29:17 PM »

A nontrivial portion of today's malware apparently includes code that detects the presence of virtual machines and changes behavior accordingly. Thus, it would seem that a good way to spot malware would be to detect virtual machine detection code via signature. Does anybody know of any software that detects the presence of virtual machine detection code? Preferably this signature detection would take place in code that is already active, after any packers, encrypters, etc. have finished their task. I know of one thus far - SysAnalyzer (http://labs.idefense.com/software/malcode.php). Does anybody know of any other such software?
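One way to implement the signature check the question asks about, as an added example that is not SysAnalyzer's code or any other tool's from this thread; the indicator list and the sample bytes are constructed for illustration and cover a few widely documented 32-bit x86 VM checks plus guest vendor strings:

```python
import re
from typing import List, Tuple

# Byte-level indicators of VM-detection code. The list is constructed for
# this example (it is not any product's signature set); each entry is
# (name, regex over raw bytes) using 32-bit x86 encodings.
VM_DETECT_SIGNATURES: List[Tuple[str, bytes]] = [
    # mov eax, 0x564D5868 ("VMXh"): the magic value of the VMware backdoor
    # I/O interface, normally followed by an IN instruction on port 0x5658.
    ("vmware_backdoor_magic", rb"\xb8\x68\x58\x4d\x56"),
    # sidt [mem] (0F 01 /1, mod=00): reads the IDT base, which historically
    # sits at a different address inside a VMM ("Red Pill" style check).
    # Only the disp32 (0D) and SIB (0C) ModRM forms are matched here.
    ("sidt_idt_probe", rb"\x0f\x01[\x0c\x0d]"),
    # mov eax,1 ; cpuid: leaf 1 reports the hypervisor-present bit in ECX.
    ("cpuid_leaf1", rb"\xb8\x01\x00\x00\x00\x0f\xa2"),
    # Vendor strings that guest-detection code compares device/BIOS data to.
    ("vendor_string", rb"(?i)VMware|VirtualBox|VBOX|QEMU|Xen"),
]


def scan_for_vm_detection(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature_name) pairs for every indicator in blob.

    Run this over an unpacked image (e.g. a process memory dump taken after
    the packer or decrypter has finished), not over the packed file on disk:
    a packer hides these byte patterns until the code is unpacked in memory.
    """
    hits = []
    for name, pattern in VM_DETECT_SIGNATURES:
        for match in re.finditer(pattern, blob):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample bytes mimicking an unpacked code region that performs
# the VMware backdoor check and a leaf-1 cpuid, padded with benign code and
# followed by a vendor string as it might sit in a read-only data section.
SAMPLE_UNPACKED_CODE = (
    b"\x55\x8b\xec"                   # push ebp; mov ebp,esp (benign prologue)
    b"\xb8\x68\x58\x4d\x56"           # mov eax, 0x564D5868 ("VMXh")
    b"\xbb\x00\x00\x00\x00"           # mov ebx, 0
    b"\xb9\x0a\x00\x00\x00"           # mov ecx, 0x0a (backdoor "get version")
    b"\x66\xba\x58\x56"               # mov dx, 0x5658 ("VX")
    b"\xed"                           # in eax, dx
    b"\x90\x90"                       # nop padding
    b"\xb8\x01\x00\x00\x00\x0f\xa2"   # mov eax, 1 ; cpuid
    b"\x5d\xc3"                       # pop ebp; ret
    b"VMware Virtual Platform\x00"    # vendor string in .rdata
)
SAMPLE_BENIGN_CODE = b"\x55\x8b\xec\x33\xc0\x5d\xc3"  # prologue; xor eax,eax; ret
```

A hit is a lead, not a verdict: guest tools and hypervisor-aware drivers contain the same patterns, so pair the scan with a behavioural comparison of the sample between a VM and a bare-metal run.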
Info-Sec
Computer Security Testing Group
Comodo's Hero
« Reply #1 on: April 16, 2008, 07:46:43 PM »

What do you mean the malware changes its behavior? It detects the virtual machine, and then what? It's in a virtual machine, quite harmless.

*Vista *CFP V3 *Avira * Avast *Spyware Doctor
*XP *Zone Alarm PRO *NOD32 V2.7 *Spysweeper
MrBrian
Computer Security Testing Group
Comodo's Hero
« Reply #2 on: April 16, 2008, 09:15:52 PM »

If the malware detects it's in a virtual machine, it might choose to not do anything malicious, in order to make things harder on malware researchers, those who test out iffy software in a virtual machine first, etc.
Info-Sec
Computer Security Testing Group
Comodo's Hero
« Reply #3 on: April 17, 2008, 01:36:36 PM »

Ah, I see. Well, it's hard to detect if it is in a virtual machine. Well, it depends on the virtualization software. On VMware it is impossible to tell because it is a computer in an isolated part of the memory. With other virtualization software it is possible.

*Vista *CFP V3 *Avira * Avast *Spyware Doctor
*XP *Zone Alarm PRO *NOD32 V2.7 *Spysweeper
Melih
Administrator
Comodo's Hero
« Reply #4 on: April 17, 2008, 03:34:22 PM »

You are right.
Malware does have detection mechanisms for both emulators and certain VMs, so that they behave themselves within those environments to avoid detection.

Melih
MrBrian
Computer Security Testing Group
Comodo's Hero
« Reply #5 on: April 17, 2008, 03:45:15 PM »

You may wish to look at this topic - http://www.wilderssecurity.com/showthread.php?t=206462.  Also, see the paper 'Compatibility is Not Transparency: VMM Detection Myths and Realities' - http://www.usenix.org/event/hotos07/tech/full_papers/garfinkel/garfinkel_html/.  The paper's conclusion is "that preventing VMM detection in the face of a dedicated adversary is generally impractical."
« Last Edit: April 17, 2008, 03:47:55 PM by MrBrian »
andyman35
Global Moderator
Comodo's Hero
« Reply #6 on: April 17, 2008, 06:53:57 PM »

Interesting subject, but surely the Blue Pill hypervisor concept shows that an undetectable VM is perhaps achievable?
« Last Edit: April 17, 2008, 07:07:15 PM by andyman35 »
MrBrian
Computer Security Testing Group
Comodo's Hero
« Reply #7 on: April 17, 2008, 07:29:25 PM »

Here is a quote from a person involved with the Xen hypervisor about Blue Pill (Source - http://www.virtualization.info/2006/08/debunking-blue-pill-myth.html):

"Rutkowska claims to have created a 100% undetectable piece of malware."

"The basic idea behind her claim is that one could create a piece of malware that also was a Virtual Machine Monitor. If the VMM could take over the host Operating System (imagine if you could launch Xen on a running copy of Windows and instantly have the previous Windows system be a virtual machine), then it could potentially hide a virus from that virtual machine by remaining within the VMM."

"Having a VMM take over a host operating system would be very difficult. It's not outside of the realm of possibility but it would take a huge engineering effort."

"However, for this malware to be successful, it would not only need to be able to take over the host Operating System, but it would also need to prevent that operating system from being able to detect that it was now a virtual machine."

"While the former is at least possible (albeit tremendously difficult), the latter is not possible, which means that anti-malware software will always be able to detect this sort of attack."
« Last Edit: April 17, 2008, 08:05:44 PM by MrBrian »
andyman35
Global Moderator
Comodo's Hero
« Reply #8 on: April 18, 2008, 06:28:18 AM »

It'd certainly be an extremely difficult task, but I think the author's claim that it's impossible for true stealth is a personal opinion; nothing is impossible until such time that perfect, error-free code exists. I'd not be so ready to dismiss Rutkowska out of hand; only time will tell if her concept is possible or not.

It's a shame that the challenge mentioned here seems to have broken down, but maybe we'll see a genuine testing of the concept sometime:

http://www.theregister.co.uk/2007/07/06/blue_pill_showdown/

Of course what this shows is the benefits to security of running within some form of VM system. After all if malware detects it's in a VM and doesn't act maliciously then the job of prevention has been achieved.
« Last Edit: April 18, 2008, 06:45:05 AM by andyman35 »
MrBrian
Computer Security Testing Group
Comodo's Hero
« Reply #9 on: April 18, 2008, 06:44:59 AM »

I think asking for as much as $412,000 was a nice way to ensure that the challenge didn't take place.
andyman35
Global Moderator
Comodo's Hero
« Reply #10 on: April 18, 2008, 06:45:57 AM »

Nice work if you can get it though.