A large amount of current malware uses anti-virtual-machine techniques to avoid detection during analysis. These techniques let the malware detect that it is running inside a virtual machine, after which it performs a benign action or simply does nothing. Many of them are based on finding specific files on the system or consulting certain Windows registry keys. The purpose of this research is to study the characteristics of an Oracle VirtualBox virtualized system and try to replicate that configuration on a physical computer, in order to trick malware into thinking it is in a virtual environment and thus not trigger its execution.
14. Introduction
If malware tries to avoid virtual machines…
Why not try to emulate these environments to avoid infections?
GrrCON Page | Hacker Conference | 16-17 Oct, 2014
15. Introduction
The purposes:
- Study the characteristics of VirtualBox: specific drivers, registry keys, processes, VirtualBox Guest Additions files
- Know how the malware detects a virtual machine
- Try to replicate these configurations on a physical computer
21. Virtual Machine Detection
Why?
Malware researchers increasingly use virtual machine technology to analyze samples, since it offers many benefits:
- Multiple operating systems
- Ability to reset to a previous snapshot, undoing the changes made by the malware
- Easily monitored
- Isolation
Typical methods to detect a VME (virtual machine environment):
1. Look for VME artifacts in processes, the file system and the registry
2. Look for VME-specific virtual hardware
3. Look for VME-specific processor capabilities
22. Virtual Machine Detection - VMware
Artifacts in processes, system files and registry:
- VMware Tools
- Some references in system files to "VMware"
- Some references in the registry to "VMware"
- Some drivers: vmmouse.sys, vmhgfs.sys
27. Virtual Machine Detection - VirtualBox
Specific registry keys

Folder | Key | Type | Value
HKLM\Software\Oracle\VirtualBox Guest Additions | InstallDir | REG_SZ | Guest Additions folder
HKLM\Software\Oracle\VirtualBox Guest Additions | Revision | REG_SZ | Revision number
HKLM\Software\Oracle\VirtualBox Guest Additions | Version | REG_SZ | Version number
HKLM\Software\Oracle\VirtualBox Guest Additions | VersionExt | REG_SZ | Version number
HKLM\Hardware\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | REG_SZ | VBOX HARDDISK
HKLM\Hardware\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 1\Logical Unit Id 0 | Identifier | REG_SZ | VBOX CD-ROM
HKLM\Hardware\DESCRIPTION\System | SystemBiosVersion | REG_MULTI_SZ | VBOX -1
HKLM\Hardware\DESCRIPTION\System | VideoBiosVersion | REG_MULTI_SZ | Oracle VM VirtualBox Version (version number)
HKLM\Hardware\Acpi\DSDT\VBOX__\VBOXBIOS\00000002 | 00000000 | REG_BINARY | DSDT......VBOX VBOXBIOS....INTL
28. Virtual Machine Detection - VirtualBox
Specific registry keys*

Folder | Key | Type | Value
HKLM\System\CurrentControlSet\Services\Disk\Enum | 0 | REG_SZ | IDE\DiskVBOX_HARDDISK___________________________1.0_____\4256626436636632366136 2d3265623939632031
HKLM\System\CurrentControlSet\Services\VBoxGuest | DisplayName | REG_SZ | VirtualBox Guest Driver
HKLM\System\CurrentControlSet\Services\VBoxGuest | ImagePath | REG_EXPAND_SZ | system32\DRIVERS\VBoxGuest.sys
HKLM\System\CurrentControlSet\Services\VBoxGuest\Enum | 0 | REG_SZ | PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00\3&267a616a&0&20
HKLM\System\CurrentControlSet\Services\VBoxMouse | DisplayName | REG_SZ | VirtualBox Guest Mouse Service
HKLM\System\CurrentControlSet\Services\VBoxMouse | ImagePath | REG_EXPAND_SZ | system32\DRIVERS\VBoxMouse.sys
HKLM\System\CurrentControlSet\Services\VBoxMouse\Enum | 0 | REG_SZ | ACPI\PNP0F03\4&1d401fb5&0

*These keys are present under ControlSet001, ControlSet002 and CurrentControlSet
29. Virtual Machine Detection - VirtualBox
Specific registry keys

Folder | Key | Type | Value
HKLM\System\CurrentControlSet\Enum\Ide\DiskVBOX_HARDDISK4256636463663 | FriendlyName | REG_SZ | VBOX HARDDISK
HKLM\System\CurrentControlSet\Enum\Ide\DiskVBOX_HARDDISK9257936463871 | FriendlyName | REG_SZ | VBOX CD-ROM
HKLM\System\CurrentControlSet\Services\VBoxService | DisplayName | REG_SZ | VirtualBox Guest Additions Service
HKLM\System\CurrentControlSet\Services\VBoxService | ImagePath | REG_EXPAND_SZ | system32\VBoxService.exe
HKLM\System\CurrentControlSet\Services\VBoxService | Description | REG_SZ | Manages VM runtime information and utilities for guest operating systems.
HKLM\System\CurrentControlSet\Services\VBoxService | ObjectName | REG_SZ | LocalSystem
HKLM\System\CurrentControlSet\Services\VBoxService\Enum | 0 | REG_SZ | Root\LEGACY_VBOXSERVICE\0000
HKLM\System\CurrentControlSet\Services\VBoxSF | DisplayName | REG_SZ | VirtualBox Shared Folders
HKLM\System\CurrentControlSet\Services\VBoxSF | ImagePath | REG_EXPAND_SZ | system32\DRIVERS\VBoxSF.sys
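The registry tables on slides 27 to 29 are the raw material for both halves of the talk: the artifact check of slide 21 that malware performs, and the emulation on a physical host. The Python script below is an added example and is not the talk's own script. It catalogues a subset of those keys, runs the check a VM-aware sample would run against a registry snapshot (a plain dict standing in for the live registry), and turns the same catalogue into a list of registry writes that makes a physical machine present itself as a VirtualBox guest. The install folder, the version string "4.3.12", the driver paths and both sample snapshots are assumed placeholder data; `apply_plan` is the only part that touches a real registry and is a dry run unless told otherwise.

```python
# Added example (not the talk's script): catalogue the VirtualBox registry
# artifacts from slides 27-29, look for them in a registry snapshot the way the
# artifact check of slide 21 does, and plan/apply the same values on a physical host.
import sys
from typing import Dict, List, Tuple

Artifact = Tuple[str, str, str, str]    # (key path, value name, type, data)
Snapshot = Dict[str, Dict[str, str]]    # key path -> {value name: data}
Write = Tuple[str, str, str, str, str]  # (hive, subkey, name, type, data)

GA = r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"
SCSI = r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id {}\Logical Unit Id 0"
SYS = r"HKLM\HARDWARE\DESCRIPTION\System"
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services\{}"
# Paths, value names and types come from the slides; the install folder,
# version string "4.3.12" and driver paths are assumed placeholder data.
VBOX_ARTIFACTS: List[Artifact] = [
    (GA, "InstallDir", "REG_SZ", r"C:\Program Files\Oracle\VirtualBox Guest Additions"),
    (GA, "Version", "REG_SZ", "4.3.12"),
    (SCSI.format(0), "Identifier", "REG_SZ", "VBOX HARDDISK"),
    (SCSI.format(1), "Identifier", "REG_SZ", "VBOX CD-ROM"),
    (SYS, "SystemBiosVersion", "REG_MULTI_SZ", "VBOX - 1"),
    (SYS, "VideoBiosVersion", "REG_MULTI_SZ", "Oracle VM VirtualBox Version 4.3.12"),
    (SVC.format("VBoxGuest"), "DisplayName", "REG_SZ", "VirtualBox Guest Driver"),
    (SVC.format("VBoxGuest"), "ImagePath", "REG_EXPAND_SZ", r"system32\DRIVERS\VBoxGuest.sys"),
    (SVC.format("VBoxMouse"), "DisplayName", "REG_SZ", "VirtualBox Guest Mouse Service"),
    (SVC.format("VBoxService"), "DisplayName", "REG_SZ", "VirtualBox Guest Additions Service"),
    (SVC.format("VBoxService"), "ImagePath", "REG_EXPAND_SZ", r"system32\VBoxService.exe"),
    (SVC.format("VBoxSF"), "DisplayName", "REG_SZ", "VirtualBox Shared Folders"),
]
MARKERS = ("vbox", "virtualbox")        # substrings that give the guest away
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE"}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def detect_virtualbox(snapshot: Snapshot) -> List[str]:
    """Evidence a VM-aware sample finds: VBox-named keys count by mere presence,
    generic keys (DESCRIPTION\\System, the Scsi map) only if their data says VBOX."""
    present = {_norm(k): {n.lower(): d for n, d in v.items()} for k, v in snapshot.items()}
    hits: List[str] = []
    for key, name, _type, _data in VBOX_ARTIFACTS:
        values = present.get(_norm(key))
        if values is None:
            continue                            # artifact absent: nothing to report
        data = values.get(name.lower())
        if data is not None and any(m in data.lower() for m in MARKERS):
            hit = f"{key}\\{name} = {data!r}"
        elif any(m in _norm(key) for m in MARKERS):
            hit = f"{key} exists"               # the key name alone is the tell
        else:
            continue                            # ordinary key with ordinary data
        if hit not in hits:
            hits.append(hit)
    return hits


def emulation_plan(artifacts: List[Artifact] = VBOX_ARTIFACTS) -> List[Write]:
    """Registry writes for a physical host; CurrentControlSet keys are mirrored
    into ControlSet001/002 as slide 28 notes."""
    plan: List[Write] = []
    for key, name, reg_type, data in artifacts:
        hive, subkey = key.split("\\", 1)
        targets = [subkey]
        if "\\CurrentControlSet\\" in subkey:
            targets += [subkey.replace("CurrentControlSet", cs)
                        for cs in ("ControlSet001", "ControlSet002")]
        plan.extend((HIVES[hive], t, name, reg_type, data) for t in targets)
    return plan


def snapshot_from_plan(plan: List[Write]) -> Snapshot:
    """The registry view the physical host presents once the plan is applied."""
    short = {v: k for k, v in HIVES.items()}
    snap: Snapshot = {}
    for hive, subkey, name, _type, data in plan:
        snap.setdefault(f"{short[hive]}\\{subkey}", {})[name] = data
    return snap


def apply_plan(plan: List[Write], dry_run: bool = True) -> int:
    """Write the plan with winreg (elevated prompt needed for HKLM); returns the
    number of values written, 0 on a dry run or off Windows."""
    if dry_run or sys.platform != "win32":
        return 0
    import winreg
    written = 0
    for hive, subkey, name, reg_type, data in plan:
        value = [data] if reg_type == "REG_MULTI_SZ" else data
        with winreg.CreateKeyEx(getattr(winreg, hive), subkey, 0, winreg.KEY_SET_VALUE) as k:
            winreg.SetValueEx(k, name, 0, getattr(winreg, reg_type), value)
            written += 1
    return written


# Constructed snapshots (assumed data): a VirtualBox guest and a clean physical host.
GUEST_SNAPSHOT: Snapshot = {
    GA: {"InstallDir": r"C:\Program Files\Oracle\VirtualBox Guest Additions", "Version": "4.3.12"},
    SYS: {"SystemBiosVersion": "VBOX - 1", "VideoBiosVersion": "Oracle VM VirtualBox Version 4.3.12"},
    SVC.format("VBoxGuest"): {"DisplayName": "VirtualBox Guest Driver"},
}
PHYSICAL_SNAPSHOT: Snapshot = {
    SYS: {"SystemBiosVersion": "DELL - 1", "VideoBiosVersion": "Intel Video BIOS"},
    SCSI.format(0): {"Identifier": "ST1000DM003-1CH162"},
}
```

Running `detect_virtualbox` over `PHYSICAL_SNAPSHOT` returns nothing, over `GUEST_SNAPSHOT` it returns six findings, and over `snapshot_from_plan(emulation_plan())` it flags every catalogued artifact, which is the effect the talk wants on the physical host. The distinction between VBox-named keys and generic keys matters: `HKLM\HARDWARE\DESCRIPTION\System` exists on every Windows machine, so a check that only tests for the key's existence would flag everything. Note that `apply_plan` really does register a `VBoxGuest` service entry whose driver file is not present, which is exactly the kind of side effect on a real machine that the talk lists as future work.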
44. Conclusions
Main findings and future lines of research
Main findings:
- It is possible to simulate a virtual machine with a Python script.
- We can avoid infection by unknown malware that relies on these checks.
Future lines of research:
- Investigate more VM solutions and sandboxes (VMware, Sandboxie…).
- Try the script with more malware samples.
- Investigate possible side effects in a real environment.