Malware and Virtual Environments


Kayaker
March 19th, 2007, 12:36
I was browsing around the Matrix to see if there was any new color of pill on the market ;-), and found a few interesting items.

It's bad enough having to deal with packers, encryption and antidebugging; the latest bugbear is of course Virtual Machine detection. If a malware detects say VMWare, it can simply decide not to run or to run in a modified fashion in order to hide its true nature. Even Themida is getting on that bandwagon.

The following 2 papers seem to be a nice overview of the current state of VM detection, and more interestingly the potential of hiding the fact that a malware is running within a virtual environment.

Thwarting Virtual Machine Detection
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

Attacks on Virtual Machine Emulators
http://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf



In a somewhat related throw-malware-a-curve-ball story, here is an interesting looking automagic malware analyzer. It gives a summary of the behaviour of an executable after it is run under a "simulated" environment. The product isn't a virtual machine per se but... well, I'm not sure how the heck it works really, but it would be fun to play with...

Sandbox Malware Analyzer
http://www.norman.com/microsites/malwareanalyzer/

Quote:

Norman SandBox is the core component of Norman SandBox Analyzer; this module is compatible with Windows functions such as Winsock, Kernel and MPR and also supports network and Internet functions like HTTP, FTP, SMTP, DNS, IRC, and P2P. In other words it is a fully simulated computer, isolated within the NSA application.

The simulator uses full ROM BIOS capacities, simulated hardware, simulated hard drives, etc. This simulator emulates the entire bootstrap of a regular system at boot-time, starting by loading the operating system files and the command shell from the simulated drive. This drive will contain directories and files that are necessary parts of the system, conforming to system files on physical hard drives.

The file to be analyzed is loaded into the simulated hard disk and will be started in the simulated environment. Inside the simulated environment the file may do whatever it wants. It can infect files. It can delete files. It can copy itself over networks. It can connect to an IRC server. It can send e-mails. It can set up listening ports. Every action it takes is being registered by the antivirus program, because it is effectively the emulator that does the actions based on the code in the file. No code is executed on the real CPU except for the antivirus emulator engine; even the hardware in the simulated PC is emulated.



Kayaker

Nico
March 19th, 2007, 21:40
http://blog.assarbad.net/20061105/redpill-getting-colorless/

Some more

N8di8
March 20th, 2007, 01:50
Evading the Norman SandBox Analyzer

http://www.ntsecurity.nu/onmymind/2007/2007-02-27.html

disavowed
March 25th, 2007, 19:18
Quote:
[Originally Posted by Kayaker;64493]The product isn't a virtual machine per se but... well, I'm not sure how the heck it works really

It's an emulator.

In regard to Nico's post, more on Red Pill: http://blogs.msdn.com/geffner/archive/2006/08/21/710834.aspx
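As an added example from the analyst's side (not code from any post in this thread, nor from the linked papers or blogs): the Red Pill class of VM checks that Nico's and disavowed's links discuss reads a descriptor-table register (SIDT, and relatives such as SGDT/SLDT/STR) and compares the result against what a bare-metal system would give. A triage step that helps with Kayaker's point about samples behaving differently once they notice a VM is to flag those instructions in the code you are about to run in a sandbox. The scanner below assumes only the documented x86 encodings of these instructions (0F 01 /0 = SGDT, 0F 01 /1 = SIDT, 0F 00 /0 = SLDT, 0F 00 /1 = STR); the sample byte buffer is constructed for the demonstration, and the function names are my own.

```python
"""Flag descriptor-table reads (SGDT/SIDT/SLDT/STR) in an x86 code buffer.

These are the instructions that Red Pill-style VM checks rely on. Seeing them
in user-mode malware is unusual enough to be worth a closer look in a sandbox.
Assumption: x86 opcode encodings as documented in the Intel SDM.
"""

# (second opcode byte, ModRM reg field) -> mnemonic
DESCRIPTOR_TABLE_OPCODES = {
    (0x01, 0): "sgdt",   # 0F 01 /0, memory operand only
    (0x01, 1): "sidt",   # 0F 01 /1, memory operand only (Red Pill uses this one)
    (0x00, 0): "sldt",   # 0F 00 /0, register or memory operand
    (0x00, 1): "str",    # 0F 00 /1, register or memory operand
}


def scan_descriptor_table_reads(code: bytes):
    """Return a list of (offset, mnemonic, hex_bytes) for every match.

    This is a linear byte scan, not a disassembly, so it can misfire on data
    bytes that happen to look like code; treat hits as leads, not verdicts.
    """
    hits = []
    i = 0
    n = len(code)
    while i + 2 < n:
        if code[i] == 0x0F and code[i + 1] in (0x00, 0x01):
            modrm = code[i + 2]
            mod = modrm >> 6
            reg = (modrm >> 3) & 7
            name = DESCRIPTOR_TABLE_OPCODES.get((code[i + 1], reg))
            if name is not None:
                # With mod == 3 the 0F 01 group encodes other instructions
                # (the VMCALL/MONITOR family), not SGDT/SIDT, so skip those.
                if name in ("sgdt", "sidt") and mod == 3:
                    i += 1
                    continue
                hits.append((i, name, code[i:i + 3].hex()))
        i += 1
    return hits


def triage(code: bytes):
    """Summarise a buffer for a sandbox run: which checks were seen and whether
    the sample deserves a non-default (hardened/emulated) environment."""
    hits = scan_descriptor_table_reads(code)
    return {
        "hits": hits,
        "mnemonics": sorted({h[1] for h in hits}),
        "suspicious": bool(hits),
    }


# Constructed sample (not a real malware excerpt):
#   55 8B EC        push ebp; mov ebp, esp
#   0F 01 0C 24     sidt [esp]          <- Red Pill-style IDT read
#   0F 01 C1        vmcall              <- same opcode group, must NOT be flagged as sgdt
#   0F 00 C8        str eax             <- task register read, flagged
#   C3              ret
SAMPLE = bytes.fromhex("558bec" "0f010c24" "0f01c1" "0f00c8" "c3")

if __name__ == "__main__":
    report = triage(SAMPLE)
    for off, name, raw in report["hits"]:
        print(f"offset {off:#06x}: {name:<5} ({raw})")
    print("suspicious:", report["suspicious"])
```

Run it over an unpacked code section rather than a raw packed file: as the thread's opening post notes, packers and encryption hide exactly these bytes, so the useful moment to scan is after unpacking or, in an emulator like the Norman one quoted above, on the instruction stream as it is actually executed.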