Emulate VM environment to avoid malware infections
Jordi Vazquez
GrrCON Hacker Conference | 16-17 Oct, 2014
Who am I? 
Agenda
1. Introduction / Motivation
2. Previous concepts
3. Virtual machine detection
4. How malware detects VMs
5. Virtual machine emulation
6. Experimental results
7. Conclusions

1. Introduction
Introduction
Source: http://research.dissect.pe/docs/blackhat2012-presentation.pdf
Introduction
If malware tries to avoid virtual machines… why not try to emulate these environments to avoid infections?
Introduction
The purposes
• Study the characteristics of VirtualBox: specific drivers, registry keys, processes, VirtualBox Guest Additions files
• Know how malware detects a virtual machine
• Try to replicate these configurations on a physical computer
2. Previous Concepts
Previous Concepts
What is a Virtual Machine?
Previous Concepts
What is Cuckoo Sandbox?
• Automated malware analysis tool
• Open source project
• Written in Python
• Extensible
• Reporting system (memory dumps, registry access, API calls, screenshots, network activity)
Previous Concepts
What is Cuckoo Sandbox? (How it works)
3. Virtual Machine Detection
Virtual Machine Detection
Why?
Malware researchers increasingly use virtual machine technology to analyze samples, since it offers many benefits:
• Multiple operating systems
• Ability to reset to a previous snapshot, undoing changes made by malware
• Easily monitored
• Isolation

Typical methods to detect a VME (virtual machine environment):
1. Look for VME artifacts in processes, file system and registry
2. Look for VME-specific virtual hardware
3. Look for VME-specific processor capabilities
Virtual Machine Detection - VMware
Artifacts in processes, system files and registry
• VMware Tools
• Some references in system files to “VMware”
• Some references in the registry to “VMware”
• Some drivers: vmmouse.sys, vmhgfs.sys
Virtual Machine Detection - VirtualBox
Specific files with VirtualBox Guest Additions

System32:
• VBoxDisp.dll
• VBoxHook.dll
• VBoxMRXNP.dll
• VBoxOGLarrayspu.dll
• VBoxOGLerrorspu.dll
• VBoxOGLcrutil.dll
• VBoxOGLfeedbackspu.dll
• VBoxOGLpackspu.dll
• VBoxoglpassthroughspu.dll
• VBoxTray.exe
• VBoxService.exe
• VBoxControl.exe

Guest Additions folder:
• VBoxDisp.dll
• VBoxDrvInst.exe
• VBoxVideo.inf
• VBoxVideo.sys
• VBoxControl.exe
• VBoxGuest.sys
• VBoxGuest.inf
• VBoxMouse.sys
• VBoxMouse.inf
• VBoxTray.exe
• VBoxWHQLFake.exe
• DIFxAPI.dll

System32\Drivers:
• VBoxMouse.sys
• VBoxGuest.sys
• VBoxSF.sys
• VBoxVideo.sys
Virtual Machine Detection - VirtualBox
Specific files and processes with VirtualBox Guest Additions installed

DRVSTORE\VBoxGuest_ED40339D75DAC80DECCD6CCCDB8E202724F5321D:
• VBoxControl.exe
• VBoxGuest.cat
• VBoxGuest.inf
• VBoxGuest.sys
• VBoxTray.exe

DRVSTORE\VBOXVideo_5C9060E472F2B1E3E9D5353B27AF6B8DABF99D47:
• VBoxDisp.dll
• VBoxVideo.inf
• VBoxVideo.sys
• VBoxVideo.cat

Processes:
• VBoxService.exe
Virtual Machine Detection - VirtualBox
Specific registry keys (folder, key, type, value)

Folder: HKLM\Software\Oracle\VirtualBox Guest Additions
  InstallDir   REG_SZ   Guest Additions folder
  Revision     REG_SZ   Revision number
  Version      REG_SZ   Version number
  VersionExt   REG_SZ   Version number

Folder: HKLM\Hardware\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
  Identifier   REG_SZ   VBOX HARDDISK

Folder: HKLM\Hardware\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 1\Logical Unit Id 0
  Identifier   REG_SZ   VBOX CD-ROM

Folder: HKLM\Hardware\DESCRIPTION\System
  SystemBiosVersion   REG_MULTI_SZ   VBOX -1
  VideoBiosVersion    REG_MULTI_SZ   Oracle VM VirtualBox Version (version number)

Folder: HKLM\Hardware\Acpi\DSDT\VBOX__\VBOXBIOS\00000002
  00000000   REG_BINARY   DSDT......VBOX VBOXBIOS....INTL
Virtual Machine Detection - VirtualBox
Specific registry keys (folder, key, type, value)

Folder: HKLM\System\CurrentControlSet\Services\Disk\Enum
  0   REG_SZ   IDE\DiskVBOX_HARDDISK___________________________1.0_____\42566264366366323661362d3265623939632031

Folder: HKLM\System\CurrentControlSet\Services\VBoxGuest
  DisplayName   REG_SZ          VirtualBox Guest Driver
  ImagePath     REG_EXPAND_SZ   system32\DRIVERS\VBoxGuest.sys

Folder: HKLM\System\CurrentControlSet\Services\VBoxGuest\Enum
  0   REG_SZ   PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00\3&267a616a&0&20

Folder: HKLM\System\CurrentControlSet\Services\VBoxMouse
  DisplayName   REG_SZ          VirtualBox Guest Mouse Service
  ImagePath     REG_EXPAND_SZ   system32\DRIVERS\VBoxMouse.sys

Folder: HKLM\System\CurrentControlSet\Services\VBoxMouse\Enum
  0   REG_SZ   ACPI\PNP0F03\4&1d401fb5&0

*These keys are in the ControlSet001, ControlSet002 and CurrentControlSet folders
Virtual Machine Detection - VirtualBox
Specific registry keys (folder, key, type, value)

Folder: HKLM\System\CurrentControlSet\Enum\Ide\DiskVBOX_HARDDISK4256636463663
  FriendlyName   REG_SZ   VBOX HARDDISK

Folder: HKLM\System\CurrentControlSet\Enum\Ide\DiskVBOX_HARDDISK9257936463871
  FriendlyName   REG_SZ   VBOX CD-ROM

Folder: HKLM\System\CurrentControlSet\Services\VBoxService
  DisplayName   REG_SZ          VirtualBox Guest Additions Service
  ImagePath     REG_EXPAND_SZ   system32\VBoxService.exe
  Description   REG_SZ          Manages VM runtime information and utilities for guest operating systems.
  ObjectName    REG_SZ          LocalSystem

Folder: HKLM\System\CurrentControlSet\Services\VBoxService\Enum
  0   REG_SZ   Root\LEGACY_VBOXSERVICE\0000

Folder: HKLM\System\CurrentControlSet\Services\VBoxSF
  DisplayName   REG_SZ          VirtualBox Shared Folders
  ImagePath     REG_EXPAND_SZ   system32\DRIVERS\VBoxSF.sys
Virtual Machine Detection - VirtualBox
Specific registry keys (folder, key, type, value)

Folder: HKLM\System\CurrentControlSet\Services\VBoxSF\Enum
  0   REG_SZ   Root\LEGACY_VBOXSF\0000

Folder: HKLM\System\CurrentControlSet\Services\VBoxSF\NetworkProvider
  DeviceName     REG_SZ   \Device\VboxMinRdr
  Name           REG_SZ   VirtualBox Shared Folder
  ProviderPath   REG_SZ   %Systemroot%\System32\VBoxMRXNP.dll

Folder: HKLM\System\CurrentControlSet\Services\VBoxVideo
  ImagePath   REG_EXPAND_SZ   system32\DRIVERS\VBoxVideo.sys

Folder: HKLM\System\CurrentControlSet\Services\VBoxVideo\Device0
  InstalledDisplayDrivers   REG_MULTI_SZ   VBoxDisp

Folder: HKLM\System\CurrentControlSet\Services\VBoxVideo\Enum
  0   REG_SZ   PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00\3&267a616a&0&10

Folder: HKLM\System\CurrentControlSet\Services\VBoxVideo\Video
  Service   REG_SZ   Vbox Video
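The registry tables above are the configuration the talk proposes to replicate on a physical host. The script below, an added example and not the speaker's own code, turns a selection of those keys into a Registry Editor 5.00 (.reg) file with the correct encoding for each value type; the key paths and value names are the slides', while GA_DIR, VBOX_VERSION and the Start values are constructed sample data.

```python
"""Emit a Registry Editor 5.00 (.reg) file that plants the VirtualBox Guest
Additions markers listed on the slides, so a physical host shows the same
artifacts a VM-aware sample looks for. Added example for this page, not the
speaker's script: GA_DIR, VBOX_VERSION and Start values are constructed."""
from typing import List, Tuple

VBOX_VERSION = "4.3.18"  # sample version string (constructed)
GA_DIR = r"C:\Program Files\Oracle\VirtualBox Guest Additions"  # sample path
SERVICE_DISABLED = 4  # SCM start type 4: never try to load the driver image

Artifact = Tuple[str, str, str, object]  # (key path, value name, type, data)

# Values taken from the slides' tables. The Services\* decoys get Start=4 so the
# Service Control Manager does not try to load a .sys that is not on the host.
# HKLM\HARDWARE is volatile and rebuilt at every boot, so the DEVICEMAP and
# DESCRIPTION values survive only until reboot and must be re-imported.
ARTIFACTS: List[Artifact] = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions",
     "InstallDir", "REG_SZ", GA_DIR),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions",
     "Version", "REG_SZ", VBOX_VERSION),
    (r"HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0"
     r"\Target Id 0\Logical Unit Id 0", "Identifier", "REG_SZ", "VBOX HARDDISK"),
    (r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System",
     "SystemBiosVersion", "REG_MULTI_SZ", ["VBOX -1"]),
    (r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System",
     "VideoBiosVersion", "REG_MULTI_SZ", ["Oracle VM VirtualBox Version " + VBOX_VERSION]),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VBoxGuest",
     "DisplayName", "REG_SZ", "VirtualBox Guest Driver"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VBoxGuest",
     "ImagePath", "REG_EXPAND_SZ", r"system32\DRIVERS\VBoxGuest.sys"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VBoxGuest",
     "Start", "REG_DWORD", SERVICE_DISABLED),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VBoxSF",
     "DisplayName", "REG_SZ", "VirtualBox Shared Folders"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VBoxSF",
     "ImagePath", "REG_EXPAND_SZ", r"system32\DRIVERS\VBoxSF.sys"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VBoxSF",
     "Start", "REG_DWORD", SERVICE_DISABLED),
]


def reg_escape(text: str) -> str:
    """Escape backslash and double quote as .reg string literals require."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def utf16z(text: str) -> bytes:
    """UTF-16LE plus terminating NUL: how the registry stores a string."""
    return text.encode("utf-16-le") + b"\x00\x00"


def hex_list(raw: bytes) -> str:
    """Comma-separated lowercase byte list used by hex(...) values."""
    return ",".join(format(b, "02x") for b in raw)


def format_value(name: str, rtype: str, data) -> str:
    """Render one 'name=data' line in Registry Editor 5.00 syntax."""
    lhs = "@" if name == "" else '"' + reg_escape(name) + '"'
    if rtype == "REG_SZ":
        return lhs + '="' + reg_escape(data) + '"'
    if rtype == "REG_DWORD":
        return lhs + "=dword:" + format(int(data), "08x")
    if rtype == "REG_EXPAND_SZ":  # hex(2): one NUL-terminated UTF-16 string
        return lhs + "=hex(2):" + hex_list(utf16z(data))
    if rtype == "REG_MULTI_SZ":  # hex(7): NUL-terminated strings, then a final NUL
        return lhs + "=hex(7):" + hex_list(b"".join(utf16z(s) for s in data) + b"\x00\x00")
    if rtype == "REG_BINARY":
        return lhs + "=hex:" + hex_list(bytes(data))
    raise ValueError("unsupported registry type: " + rtype)


def build_reg(artifacts: List[Artifact]) -> str:
    """Group consecutive values under their [key] section and emit the file text."""
    lines = ["Windows Registry Editor Version 5.00"]
    current = None
    for key, name, rtype, data in artifacts:
        if key != current:
            lines += ["", "[" + key + "]"]
            current = key
        lines.append(format_value(name, rtype, data))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # regedit wants UTF-16 with BOM and CRLF line endings for a 5.00 file.
    with open("vbox_decoy.reg", "w", encoding="utf-16", newline="\r\n") as fh:
        fh.write(build_reg(ARTIFACTS))
    print("wrote vbox_decoy.reg (import as Administrator: reg import vbox_decoy.reg)")
```

Importing the file needs an elevated prompt, and a later run of Pafish on the same host is the quickest way to confirm which checks the planted keys satisfy.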
Virtual Machine Detection - VirtualBox
Example
Source: http://pastebin.com/RU6A2UuB
<Demo>

Virtual Machine Detection - VirtualBox
Themida
<Demo>

Virtual Machine Detection - VirtualBox
Pafish: physical machine vs. virtual machine
4. How malware detects Virtual Machines

How malware detects Virtual Machines
Trojan-Spy.Win32.Carberp
Source: http://github.com/hzeroo/Carberp/blob/master/source - absource/pro/all source/BlackJoeWhiteJoe/Source

How malware detects Virtual Machines
Trojan-Dropper.Win32.Agent.dvyh
Technical details about Trojan-Dropper.Win32.Agent.dvyh:
https://www.securelist.com/en/descriptions/17168948/Trojan-Dropper.Win32.Agent.dvyh

How malware detects Virtual Machines
Net-Worm.Win32.Kolab.wwh
Technical details about Net-Worm.Win32.Kolab.wwh:
http://www.securelist.com/en/descriptions/10113051/Net-Worm.Win32.Kolab.wwh
5. Virtual Machine emulation
Conclusions
Main findings and future lines of research

Main findings
• It’s possible to simulate a virtual machine with a Python script.
• We can avoid infections by unknown malware.

Future lines of research
• Investigate more VM solutions and sandboxes (VMware, Sandboxie…).
• Try the script with more malware samples.
• Investigate possible side-effects in a real environment.
Thank you!
https://github.com/jordisk
Jordi@jordivazquez.com
@jordisk
