Emulate VM environment to avoid malware infections
Jordi Vazquez
2 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
Who am I? 
Agenda
1. Introduction / Motivation
2. Previous concepts
3. Virtual machine detection
4. How malware detects VMs
5. Virtual machine emulation
6. Experimental results
7. Conclusions
1. Introduction
Introduction
Source: http://research.dissect.pe/docs/blackhat2012-presentation.pdf
Introduction
If malware tries to avoid virtual machines… why not try to emulate these environments to avoid infections?
Introduction
The purposes
• Study the characteristics of VirtualBox: specific drivers, registry keys, processes, VirtualBox Guest Additions files
• Know how the malware detects a virtual machine
• Try to replicate these configurations on a physical computer
2. Previous Concepts
Previous Concepts
What is a Virtual Machine?
Previous Concepts
What is Cuckoo Sandbox?
• Automated malware analysis tool
• Open source project
• Written in Python
• Extensible
• Reporting system (memory dumps, registry access, API calls, screenshots, network activity)
Previous Concepts
What is Cuckoo Sandbox? (How it works)
3. Virtual Machine Detection
Virtual Machine Detection
Why?
Malware researchers increasingly use virtual machine technology to analyze samples, since it offers many benefits:
• Multiple operating systems
• Ability to reset to a previous snapshot, undoing changes made by malware
• Easily monitored
• Isolation

Typical methods to detect a VME
1. Look for VME artifacts in processes, file system and registry
2. Look for VME-specific virtual hardware
3. Look for VME-specific processor capabilities
Virtual Machine Detection - VMWare
Artifacts in processes, system files and registry
• VMWare Tools
• Some references in system files to “VMWare”
• Some references in the registry to “VMWare”
• Some drivers: vmmouse.sys, vmhgfs.sys
Virtual Machine Detection - Virtual Box
Virtual Machine Detection - Virtual Box
Specific files with VirtualBox Guest Additions

System32
• VBoxDisp.dll
• VBoxHook.dll
• VBoxMRXNP.dll
• VBoxOGLarrayspu.dll
• VBoxOGLerrorspu.dll
• VBoxOGLcrutil.dll
• VBoxOGLfeedbackspu.dll
• VBoxOGLpackspu.dll
• VBoxoglpassthroughspu.dll
• VBoxTray.exe
• VBoxService.exe
• VBoxControl.exe

Guest Additions folder
• VBoxDisp.dll
• VBoxDrvInst.exe
• VBoxVideo.inf
• VBoxVideo.sys
• VBoxControl.exe
• VBoxGuest.sys
• VBoxGuest.inf
• VBoxMouse.sys
• VBoxMouse.inf
• VBoxTray.exe
• VBoxWHQLFake.exe
• DIFxAPI.dll

System32\Drivers
• VBoxMouse.sys
• VBoxGuest.sys
• VBoxSF.sys
• VBoxVideo.sys
Virtual Machine Detection - Virtual Box
Specific files and processes with VirtualBox Guest Additions installed

DRVSTORE\VBoxGuest_ED40339D75DAC80DECCD6CCCDB8E202724F5321D
• VBoxControl.exe
• VBoxGuest.cat
• VBoxGuest.inf
• VBoxGuest.sys
• VBoxTray.exe

DRVSTORE\VBOXVideo_5C9060E472F2B1E3E9D5353B27AF6B8DABF99D47
• VBoxDisp.dll
• VBoxVideo.inf
• VBoxVideo.sys
• VBoxVideo.cat

Processes
• VboxService.exe
Virtual Machine Detection - Virtual Box
Specific registry keys (folder, then key / type / value)

HKLM\Software\Oracle\VirtualBox Guest Additions
    InstallDir           REG_SZ          Guest Additions folder
    Revision             REG_SZ          Revision number
    Version              REG_SZ          Version number
    VersionExt           REG_SZ          Version number
HKLM\Hardware\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
    Identifier           REG_SZ          VBOX HARDDISK
HKLM\Hardware\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 1\Logical Unit Id 0
    Identifier           REG_SZ          VBOX CD-ROM
HKLM\Hardware\DESCRIPTION\System
    SystemBiosVersion    REG_MULTI_SZ    VBOX -1
    VideoBiosVersion     REG_MULTI_SZ    Oracle VM VirtualBox Version (version number)
HKLM\Hardware\Acpi\DSDT\VBOX__\VBOXBIOS\00000002
    00000000             REG_BINARY      DSDT......VBOX VBOXBIOS....INTL
Virtual Machine Detection - Virtual Box
Specific registry keys (folder, then key / type / value)

HKLM\System\CurrentControlSet\Services\Disk\Enum
    0                    REG_SZ          IDE\DiskVBOX_HARDDISK___________________________1.0_____\42566264366366323661362d3265623939632031
HKLM\System\CurrentControlSet\Services\VBoxGuest
    DisplayName          REG_SZ          VirtualBox Guest Driver
    ImagePath            REG_EXPAND_SZ   system32\DRIVERS\VBoxGuest.sys
HKLM\System\CurrentControlSet\Services\VBoxGuest\Enum
    0                    REG_SZ          PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00\3&267a616a&0&20
HKLM\System\CurrentControlSet\Services\VBoxMouse
    DisplayName          REG_SZ          VirtualBox Guest Mouse Service
    ImagePath            REG_EXPAND_SZ   system32\DRIVERS\VBoxMouse.sys
HKLM\System\CurrentControlSet\Services\VBoxMouse\Enum
    0                    REG_SZ          ACPI\PNP0F03\4&1d401fb5&0

* These keys are present under ControlSet001, ControlSet002 and CurrentControlSet.
Virtual Machine Detection - Virtual Box
Specific registry keys (folder, then key / type / value)

HKLM\System\CurrentControlSet\Enum\Ide\DiskVBOX_HARDDISK4256636463663
    FriendlyName         REG_SZ          VBOX HARDDISK
HKLM\System\CurrentControlSet\Enum\Ide\DiskVBOX_HARDDISK9257936463871
    FriendlyName         REG_SZ          VBOX CD-ROM
HKLM\System\CurrentControlSet\Services\VBoxService
    DisplayName          REG_SZ          VirtualBox Guest Aditions Service
    ImagePath            REG_EXPAND_SZ   system32\VBoxService.exe
    Description          REG_SZ          Manages VM runtime information and utilities for guest operating systems.
    ObjectName           REG_SZ          LocalSystem
HKLM\System\CurrentControlSet\Services\VBoxService\Enum
    0                    REG_SZ          Root\LEGACY_VBOXSERVICE\0000
HKLM\System\CurrentControlSet\Services\VBoxSF
    DisplayName          REG_SZ          VirtualBox Shared Folders
    ImagePath            REG_EXPAND_SZ   system32\DRIVERS\VBoxSF.sys
Virtual Machine Detection - Virtual Box
Specific registry keys (folder, then key / type / value)

HKLM\System\CurrentControlSet\Services\VBoxSF\Enum
    0                        REG_SZ          Root\LEGACY_VBOXSF\0000
HKLM\System\CurrentControlSet\Services\VBoxSF\NetworkProvider
    DeviceName               REG_SZ          \Device\VboxMinRdr
    Name                     REG_SZ          VirtualBox Shared Folder
    ProviderPath             REG_SZ          %Systemroot%\System32\VBoxMRXNP.dll
HKLM\System\CurrentControlSet\Services\VBoxVideo
    ImagePath                REG_EXPAND_SZ   system32\DRIVERS\VBoxVideo.sys
HKLM\System\CurrentControlSet\Services\VBoxVideo\Device0
    InstalledDisplayDrivers  REG_MULTI_SZ    VBoxDisp
HKLM\System\CurrentControlSet\Services\VBoxVideo\Enum
    0                        REG_SZ          PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00\3&267a616a&0&10
HKLM\System\CurrentControlSet\Services\VBoxVideo\Video
    Service                  REG_SZ          Vbox Video
Virtual Machine Detection - Virtual Box
Example
<Demo>
Source: http://pastebin.com/RU6A2UuB
Virtual Machine Detection - Virtual Box
Themida
<Demo>
Virtual Machine Detection - Virtual Box
Pafish: physical machine vs. virtual machine (screenshots)
4. How malware detects Virtual Machines
How malware detects Virtual Machines
Trojan-spy.win32.Carberp
Source: http://github.com/hzeroo/Carberp/blob/master/source - absource/pro/all source/BlackJoeWhiteJoe/Source
How malware detects Virtual Machines
Trojan-Dropper.Win32.Agent.dvyh
Technical details about Trojan-Dropper.Win32.Agent.dvyh:
https://www.securelist.com/en/descriptions/17168948/Trojan-Dropper.Win32.Agent.dvyh
How malware detects Virtual Machines
Net-Worm.Win32.Kolab.wwh
Technical details about Net-Worm.Win32.Kolab.wwh:
http://www.securelist.com/en/descriptions/10113051/Net-Worm.Win32.Kolab.wwh
5. Virtual Machine emulation
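The talk's thesis is that a Python script can make a physical computer look like a VirtualBox guest so that VM-averse malware refuses to run. The script below is an added example written for this page, not the speaker's own code from github.com/jordisk: it turns the artifact table from the slides above into a plan of decoy registry values and zero-byte marker files, reports the plan on any OS (dry run) and creates it only on Windows with administrator rights. The install path and version strings are constructed placeholders.

```python
"""Decoy VirtualBox Guest Additions artifacts for a physical Windows host.

Added example for this page (not the speaker's script). The artifact table
comes from the "Specific files" and "Specific registry keys" slides; the
InstallDir path and version strings are constructed placeholders.
"""
import ntpath
import os
import platform

# Registry values from the slides: (HKLM-relative key, value name, type, data).
REG_ARTIFACTS = [
    (r"SOFTWARE\Oracle\VirtualBox Guest Additions", "InstallDir", "REG_SZ",
     r"C:\Program Files\Oracle\VirtualBox Guest Additions"),      # placeholder path
    (r"SOFTWARE\Oracle\VirtualBox Guest Additions", "Version", "REG_SZ", "0.0.0"),  # placeholder
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "Identifier", "REG_SZ", "VBOX HARDDISK"),
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 1\Logical Unit Id 0",
     "Identifier", "REG_SZ", "VBOX CD-ROM"),
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion", "REG_MULTI_SZ", ["VBOX -1"]),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion", "REG_MULTI_SZ",
     ["Oracle VM VirtualBox Version 0.0.0"]),                       # placeholder version
    (r"SYSTEM\CurrentControlSet\Services\VBoxGuest", "DisplayName", "REG_SZ",
     "VirtualBox Guest Driver"),
    (r"SYSTEM\CurrentControlSet\Services\VBoxGuest", "ImagePath", "REG_EXPAND_SZ",
     r"system32\DRIVERS\VBoxGuest.sys"),
    (r"SYSTEM\CurrentControlSet\Services\VBoxMouse", "DisplayName", "REG_SZ",
     "VirtualBox Guest Mouse Service"),
    (r"SYSTEM\CurrentControlSet\Services\VBoxService", "DisplayName", "REG_SZ",
     "VirtualBox Guest Additions Service"),
    (r"SYSTEM\CurrentControlSet\Services\VBoxSF", "DisplayName", "REG_SZ",
     "VirtualBox Shared Folders"),
]

# Files and drivers from the "Specific files" slide, relative to %SystemRoot%.
FILE_ARTIFACTS = [
    r"System32\VBoxDisp.dll", r"System32\VBoxHook.dll", r"System32\VBoxMRXNP.dll",
    r"System32\VBoxTray.exe", r"System32\VBoxService.exe", r"System32\VBoxControl.exe",
    r"System32\drivers\VBoxGuest.sys", r"System32\drivers\VBoxMouse.sys",
    r"System32\drivers\VBoxSF.sys", r"System32\drivers\VBoxVideo.sys",
]


def build_plan(system_root=r"C:\Windows"):
    """Return the ordered actions: ('reg', key, name, type, data) or ('file', path)."""
    actions = [("reg",) + entry for entry in REG_ARTIFACTS]
    # ntpath keeps Windows separators even when planning from a non-Windows host.
    actions += [("file", ntpath.join(system_root, rel)) for rel in FILE_ARTIFACTS]
    return actions


def _write_value(key_path, name, kind, data):
    """Create or overwrite one HKLM value (Windows only, needs administrator rights)."""
    import winreg
    kinds = {"REG_SZ": winreg.REG_SZ, "REG_EXPAND_SZ": winreg.REG_EXPAND_SZ,
             "REG_MULTI_SZ": winreg.REG_MULTI_SZ}
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, key_path, 0,
                            winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, name, 0, kinds[kind], data)


def apply_plan(actions, dry_run=True):
    """Apply the plan (or, by default, only walk it) and return the actions handled.

    Caveat: HKLM\\HARDWARE is a volatile hive rebuilt at boot, so the decoy
    values under it must be re-created at every startup, e.g. from a scheduled
    task. Whether the decoys disturb legitimate software on a real host is an
    open question in the talk's own conclusions.
    """
    handled = []
    for action in actions:
        if not dry_run:
            if platform.system() != "Windows":
                raise RuntimeError("artifact creation only works on Windows")
            if action[0] == "reg":
                _write_value(*action[1:])
            else:
                path = action[1]
                os.makedirs(os.path.dirname(path), exist_ok=True)
                open(path, "ab").close()   # zero-byte marker: existence is what is checked
        handled.append(action)
    return handled


if __name__ == "__main__":
    for act in apply_plan(build_plan()):   # dry run: list what would be created
        print(act)
```

Run it once in dry-run mode and review the plan before creating anything; the markers are only a deterrent against samples that stop at the artifact checks listed earlier, not against hardware- or timing-based detection.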
Conclusions
Main findings and future lines of research

Main findings
• It’s possible to simulate a virtual machine with a Python script.
• We can avoid infections by unknown malware.

Future lines of research
• Investigate more VM solutions and sandboxes (VMware, Sandboxie…).
• Try the script with more malware samples.
• Investigate possible side effects in a real environment.
Thank you!
https://github.com/jordisk
Jordi@jordivazquez.com
@jordisk

More Related Content

Similar to Emulate virtual machines to avoid malware infections - GrrCON 2014

Making Security Invisible
Making Security InvisibleMaking Security Invisible
Making Security Invisible
J On The Beach
 
Programming IoT with Docker: How to Start?
Programming IoT with Docker: How to Start?Programming IoT with Docker: How to Start?
Programming IoT with Docker: How to Start?
msyukor
 
OpenStack Murano introduction
OpenStack Murano introductionOpenStack Murano introduction
OpenStack Murano introduction
Victor Zhang
 
Automated Historical Performance Analysis with kmemtracer
Automated Historical Performance Analysis with kmemtracerAutomated Historical Performance Analysis with kmemtracer
Automated Historical Performance Analysis with kmemtracer
Kyungmin Lee
 
How to easy deploy app into any cloud
How to easy deploy app into any cloudHow to easy deploy app into any cloud
How to easy deploy app into any cloud
Ladislav Prskavec
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
Kevin Hakanson
 
Security in a containerized world - Jessie Frazelle
Security in a containerized world - Jessie FrazelleSecurity in a containerized world - Jessie Frazelle
Security in a containerized world - Jessie Frazelle
Paris Container Day
 
IoTWorld 2016 OSS Keynote Param Singh, Ian Skerrett
IoTWorld 2016 OSS Keynote Param Singh, Ian SkerrettIoTWorld 2016 OSS Keynote Param Singh, Ian Skerrett
IoTWorld 2016 OSS Keynote Param Singh, Ian Skerrett
Param Singh
 
Hacking the browser with puppeteer sharp .NET conf AR 2018
Hacking the browser with puppeteer sharp .NET conf AR 2018Hacking the browser with puppeteer sharp .NET conf AR 2018
Hacking the browser with puppeteer sharp .NET conf AR 2018
Darío Kondratiuk
 
GDGSCL - Docker a jeho provoz v Heroku a AWS
GDGSCL - Docker a jeho provoz v Heroku a AWSGDGSCL - Docker a jeho provoz v Heroku a AWS
GDGSCL - Docker a jeho provoz v Heroku a AWS
Ladislav Prskavec
 
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
AppDynamics
 
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
Cloud Native NoVA
 
Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant
Ricardo Amaro
 
Hack any website
Hack any websiteHack any website
Hack any website
sunil kumar
 
MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)
MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)
MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)
Alexandre Borges
 
Learn how to build decentralized and serverless html5 applications with embar...
Learn how to build decentralized and serverless html5 applications with embar...Learn how to build decentralized and serverless html5 applications with embar...
Learn how to build decentralized and serverless html5 applications with embar...
Alessandro Confetti
 
Learn how to build decentralized and serverless html5 applications with Embar...
Learn how to build decentralized and serverless html5 applications with Embar...Learn how to build decentralized and serverless html5 applications with Embar...
Learn how to build decentralized and serverless html5 applications with Embar...
Codemotion
 
From Docker to Production - ZendCon 2016
From Docker to Production - ZendCon 2016From Docker to Production - ZendCon 2016
From Docker to Production - ZendCon 2016
Chris Tankersley
 
IAU workshop 2018 day one
IAU workshop 2018 day oneIAU workshop 2018 day one
IAU workshop 2018 day one
Walid Shaari
 
Software Define your Current Storage with Opensource
Software Define your Current Storage with OpensourceSoftware Define your Current Storage with Opensource
Software Define your Current Storage with Opensource
Antonio Romeo
 

Similar to Emulate virtual machines to avoid malware infections - GrrCON 2014 (20)

Making Security Invisible
Making Security InvisibleMaking Security Invisible
Making Security Invisible
 
Programming IoT with Docker: How to Start?
Programming IoT with Docker: How to Start?Programming IoT with Docker: How to Start?
Programming IoT with Docker: How to Start?
 
OpenStack Murano introduction
OpenStack Murano introductionOpenStack Murano introduction
OpenStack Murano introduction
 
Automated Historical Performance Analysis with kmemtracer
Automated Historical Performance Analysis with kmemtracerAutomated Historical Performance Analysis with kmemtracer
Automated Historical Performance Analysis with kmemtracer
 
How to easy deploy app into any cloud
How to easy deploy app into any cloudHow to easy deploy app into any cloud
How to easy deploy app into any cloud
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
 
Security in a containerized world - Jessie Frazelle
Security in a containerized world - Jessie FrazelleSecurity in a containerized world - Jessie Frazelle
Security in a containerized world - Jessie Frazelle
 
IoTWorld 2016 OSS Keynote Param Singh, Ian Skerrett
IoTWorld 2016 OSS Keynote Param Singh, Ian SkerrettIoTWorld 2016 OSS Keynote Param Singh, Ian Skerrett
IoTWorld 2016 OSS Keynote Param Singh, Ian Skerrett
 
Hacking the browser with puppeteer sharp .NET conf AR 2018
Hacking the browser with puppeteer sharp .NET conf AR 2018Hacking the browser with puppeteer sharp .NET conf AR 2018
Hacking the browser with puppeteer sharp .NET conf AR 2018
 
GDGSCL - Docker a jeho provoz v Heroku a AWS
GDGSCL - Docker a jeho provoz v Heroku a AWSGDGSCL - Docker a jeho provoz v Heroku a AWS
GDGSCL - Docker a jeho provoz v Heroku a AWS
 
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
 
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
 
Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant
 
Hack any website
Hack any websiteHack any website
Hack any website
 
MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)
MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)
MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)
 
Learn how to build decentralized and serverless html5 applications with embar...
Learn how to build decentralized and serverless html5 applications with embar...Learn how to build decentralized and serverless html5 applications with embar...
Learn how to build decentralized and serverless html5 applications with embar...
 
Learn how to build decentralized and serverless html5 applications with Embar...
Learn how to build decentralized and serverless html5 applications with Embar...Learn how to build decentralized and serverless html5 applications with Embar...
Learn how to build decentralized and serverless html5 applications with Embar...
 
From Docker to Production - ZendCon 2016
From Docker to Production - ZendCon 2016From Docker to Production - ZendCon 2016
From Docker to Production - ZendCon 2016
 
IAU workshop 2018 day one
IAU workshop 2018 day oneIAU workshop 2018 day one
IAU workshop 2018 day one
 
Software Define your Current Storage with Opensource
Software Define your Current Storage with OpensourceSoftware Define your Current Storage with Opensource
Software Define your Current Storage with Opensource
 

Recently uploaded

Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 

Recently uploaded (20)

Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 

Emulate virtual machines to avoid malware infections - GrrCON 2014

  • 1. Emulate VM environment to avoid malware infections Jordi Vazquez
  • 2. 2 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 3. 3 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 4. 4 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 5. 5 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 6. 6 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 7. 7 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 8. 8 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 9. 9 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 10. Who am I? Page 10 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 11. 11 1. Introduction / Motivation 2. Previous concepts 3. Virtual machine Detection 4. How malware detects VMs 5. Virtual machine emulation 6. Experimental results 7. Conclusions Agenda GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 12. 12 1. Introduction GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 13. Introduction Source: http://research.dissect.pe/docs/blackhat2012-presentation.pdf Page 13 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 14. Introduction If malware tries to avoid Virtual machines… 14 ! Why not try to emulate these environments to avoid infections? GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 15. Introduction The purposes 15 Study the characteristics of VirtualBox Specific drivers Registry keys Processes VirtualBox Guest Additions Files ! Know how the malware detects a virtual machine ! Try to replicate these configurations on a physical computer GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 16. 16 2. Previous Concepts GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 17. Previous Concepts What is Virtual Machine? Page 17 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 18. Previous Concepts What is Cuckoo Sandbox? Automated malware analysis tool Open Source Project Written in Python Extensible Reporting system (memory dumps, registry access, API calls, screenshots, network activity) Page 18 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 19. Previous Concepts - What is Cuckoo Sandbox? (How it works) GrrCON Hacker Conference | 16-17 Oct, 2014
  • 20. 3. Virtual Machine Detection
  • 21. Virtual Machine Detection - Why?
    Malware researchers increasingly use virtual machine technology to analyze samples, since it offers many benefits:
      - Multiple operating systems on one host
      - Ability to reset to a previous snapshot, undoing the changes made by the malware
      - Easy monitoring
      - Isolation
    Typical methods to detect a VME (virtual machine environment):
      1. Look for VME artifacts in processes, the file system and the registry
      2. Look for VME-specific virtual hardware
      3. Look for VME-specific processor capabilities
  • 22. Virtual Machine Detection - VMware: artifacts in processes, system files and registry
    - VMware Tools
    - References to "VMware" in system files
    - References to "VMware" in the registry
    - Drivers such as vmmouse.sys and vmhgfs.sys
  • 23. Virtual Machine Detection - VirtualBox
  • 24. Virtual Machine Detection - VirtualBox: VS
  • 25. Virtual Machine Detection - VirtualBox: specific files with VirtualBox Guest Additions
    System32:
      • VBoxDisp.dll
      • VBoxHook.dll
      • VBoxMRXNP.dll
      • VBoxOGLarrayspu.dll
      • VBoxOGLerrorspu.dll
      • VBoxOGLcrutil.dll
      • VBoxOGLfeedbackspu.dll
      • VBoxOGLpackspu.dll
      • VBoxoglpassthroughspu.dll
      • VBoxTray.exe
      • VBoxService.exe
      • VBoxControl.exe
    Guest Additions folder:
      • VBoxDisp.dll
      • VBoxDrvInst.exe
      • VBoxVideo.inf
      • VBoxVideo.sys
      • VBoxControl.exe
      • VBoxGuest.sys
      • VBoxGuest.inf
      • VBoxMouse.sys
      • VBoxMouse.inf
      • VBoxTray.exe
      • VBoxWHQLFake.exe
      • DIFxAPI.dll
    System32\Drivers:
      • VBoxMouse.sys
      • VBoxGuest.sys
      • VBoxSF.sys
      • VBoxVideo.sys
  • 26. Virtual Machine Detection - VirtualBox: specific files and processes with VirtualBox Guest Additions installed
    DRVSTORE\VBoxGuest_ED40339D75DAC80DECCD6CCCDB8E202724F5321D:
      • VBoxControl.exe
      • VBoxGuest.cat
      • VBoxGuest.inf
      • VBoxGuest.sys
      • VBoxTray.exe
    DRVSTORE\VBOXVideo_5C9060E472F2B1E3E9D5353B27AF6B8DABF99D47:
      • VBoxDisp.dll
      • VBoxVideo.inf
      • VBoxVideo.sys
      • VBoxVideo.cat
    Processes:
      • VBoxService.exe
  • 27. Virtual Machine Detection - VirtualBox: specific registry keys (key, value name, type, data)
    HKLM\Software\Oracle\VirtualBox Guest Additions
      InstallDir    REG_SZ    Guest Additions folder
      Revision      REG_SZ    Revision number
      Version       REG_SZ    Version number
      VersionExt    REG_SZ    Version number
    HKLM\Hardware\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
      Identifier    REG_SZ    VBOX HARDDISK
    HKLM\Hardware\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 1\Logical Unit Id 0
      Identifier    REG_SZ    VBOX CD-ROM
    HKLM\Hardware\DESCRIPTION\System
      SystemBiosVersion    REG_MULTI_SZ    VBOX -1
      VideoBiosVersion     REG_MULTI_SZ    Oracle VM VirtualBox Version (version number)
    HKLM\Hardware\ACPI\DSDT\VBOX__\VBOXBIOS\00000002
      00000000    REG_BINARY    DSDT......VBOX VBOXBIOS....INTL
  • 28. Virtual Machine Detection - VirtualBox: specific registry keys (these keys exist under ControlSet001, ControlSet002 and CurrentControlSet)
    HKLM\System\CurrentControlSet\Services\Disk\Enum
      0    REG_SZ    IDE\DiskVBOX_HARDDISK___________________________1.0_____\42566264366366323661362d3265623939632031
    HKLM\System\CurrentControlSet\Services\VBoxGuest
      DisplayName    REG_SZ           VirtualBox Guest Driver
      ImagePath      REG_EXPAND_SZ    system32\DRIVERS\VBoxGuest.sys
    HKLM\System\CurrentControlSet\Services\VBoxGuest\Enum
      0    REG_SZ    PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00\3&267a616a&0&20
    HKLM\System\CurrentControlSet\Services\VBoxMouse
      DisplayName    REG_SZ           VirtualBox Guest Mouse Service
      ImagePath      REG_EXPAND_SZ    system32\DRIVERS\VBoxMouse.sys
    HKLM\System\CurrentControlSet\Services\VBoxMouse\Enum
      0    REG_SZ    ACPI\PNP0F03\4&1d401fb5&0
  • 29. Virtual Machine Detection - VirtualBox: specific registry keys
    HKLM\System\CurrentControlSet\Enum\Ide\DiskVBOX_HARDDISK4256636463663...
      FriendlyName    REG_SZ    VBOX HARDDISK
    HKLM\System\CurrentControlSet\Enum\Ide\DiskVBOX_HARDDISK9257936463871...
      FriendlyName    REG_SZ    VBOX CD-ROM
    HKLM\System\CurrentControlSet\Services\VBoxService
      DisplayName    REG_SZ           VirtualBox Guest Additions Service
      ImagePath      REG_EXPAND_SZ    system32\VBoxService.exe
      Description    REG_SZ           Manages VM runtime information and utilities for guest operating systems.
      ObjectName     REG_SZ           LocalSystem
    HKLM\System\CurrentControlSet\Services\VBoxService\Enum
      0    REG_SZ    Root\LEGACY_VBOXSERVICE\0000
    HKLM\System\CurrentControlSet\Services\VBoxSF
      DisplayName    REG_SZ           VirtualBox Shared Folders
      ImagePath      REG_EXPAND_SZ    system32\DRIVERS\VBoxSF.sys
  • 30. Virtual Machine Detection - VirtualBox: specific registry keys
    HKLM\System\CurrentControlSet\Services\VBoxSF\Enum
      0    REG_SZ    Root\LEGACY_VBOXSF\0000
    HKLM\System\CurrentControlSet\Services\VBoxSF\NetworkProvider
      DeviceName      REG_SZ    \Device\VboxMinRdr
      Name            REG_SZ    VirtualBox Shared Folder
      ProviderPath    REG_SZ    %SystemRoot%\System32\VBoxMRXNP.dll
    HKLM\System\CurrentControlSet\Services\VBoxVideo
      ImagePath    REG_EXPAND_SZ    system32\DRIVERS\VBoxVideo.sys
    HKLM\System\CurrentControlSet\Services\VBoxVideo\Device0
      InstalledDisplayDrivers    REG_MULTI_SZ    VBoxDisp
    HKLM\System\CurrentControlSet\Services\VBoxVideo\Enum
      0    REG_SZ    PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00\3&267a616a&0&10
    HKLM\System\CurrentControlSet\Services\VBoxVideo\Video
      Service    REG_SZ    VBoxVideo
  • 31. Virtual Machine Detection - VirtualBox: specific registry keys
  • 32. Virtual Machine Detection - VirtualBox: example. Source: http://pastebin.com/RU6A2UuB
  • 33. Virtual Machine Detection - VirtualBox: example <Demo>. Source: http://pastebin.com/RU6A2UuB
  • 34. Virtual Machine Detection - VirtualBox: Themida
  • 35. Virtual Machine Detection - VirtualBox: Themida <Demo>
  • 36. Virtual Machine Detection - VirtualBox: Pafish, physical machine vs. virtual machine
  • 37. 4. How malware detects Virtual Machines
  • 38. How malware detects Virtual Machines - Trojan-Spy.Win32.Carberp. Source: http://github.com/hzeroo/Carberp/blob/master/source - absource/pro/all source/BlackJoeWhiteJoe/Source
  • 39. How malware detects Virtual Machines - Trojan-Dropper.Win32.Agent.dvyh. Technical details about Trojan-Dropper.Win32.Agent.dvyh: https://www.securelist.com/en/descriptions/17168948/Trojan-Dropper.Win32.Agent.dvyh
  • 40-42. How malware detects Virtual Machines - Net-Worm.Win32.Kolab.wwh. Technical details about Net-Worm.Win32.Kolab.wwh: http://www.securelist.com/en/descriptions/10113051/Net-Worm.Win32.Kolab.wwh
  • 43. 5. Virtual Machine emulation
  • 44. Conclusions - Main findings and future lines of research
    Main findings:
      - It is possible to simulate a virtual machine with a Python script.
      - We can avoid infections by unknown malware.
    Future lines of research:
      - Investigate more VM solutions and sandboxes (VMware, Sandboxie, ...).
      - Try the script with more malware samples.
      - Investigate possible side effects in a real environment.
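    The talk's own emulation script is not reproduced on this page (section 5 is a single title slide), so the following is an added example, not the speaker's code and not VirtualBox code. It serves both section 3 (the artifact checks of slides 21 and 25-30) and section 5 (planting those artifacts on a physical host): an artifact catalogue taken from the slides, a Pafish-style detect() that looks for Guest Additions files, registry data carrying a VirtualBox marker, Guest Additions process names and the byte-swapped "VB..." ATA serial in Disk\Enum, and an emulate() that plants the software-side artifacts. Assumptions: the registry is modelled as a dict {key_path: {value_name: data}} so the script runs on any OS; the InstallDir data is invented (the slide only says "Guest Additions folder"); apply_registry_windows() is the one Windows-only piece and uses winreg.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List

Registry = Dict[str, Dict[str, str]]  # {key_path: {value_name: data}}

# Guest Additions files and process names (slides 25-26).
SYSTEM32_FILES = ["VBoxDisp.dll", "VBoxHook.dll", "VBoxMRXNP.dll",
                  "VBoxTray.exe", "VBoxService.exe", "VBoxControl.exe"]
DRIVER_FILES = ["VBoxMouse.sys", "VBoxGuest.sys", "VBoxSF.sys", "VBoxVideo.sys"]
PROCESSES = ["VBoxService.exe", "VBoxTray.exe"]
ARTIFACT_PATHS = [os.path.join("System32", n) for n in SYSTEM32_FILES] + \
                 [os.path.join("System32", "drivers", n) for n in DRIVER_FILES]

# Software-side keys (slides 27 and 29): the ones the emulator plants. The InstallDir
# data is assumed; the slide only says "Guest Additions folder".
REG_SOFTWARE: Registry = {
    r"HKLM\Software\Oracle\VirtualBox Guest Additions": {
        "InstallDir": r"C:\Program Files\Oracle\VirtualBox Guest Additions"},
    r"HKLM\System\CurrentControlSet\Services\VBoxService": {
        "DisplayName": "VirtualBox Guest Additions Service",
        "ImagePath": r"system32\VBoxService.exe"},
}
# Hardware/PnP keys (slides 27-28): Windows rebuilds these from the real hardware and
# Disk\Enum describes the live system disk, so they are used for detection only.
REG_HARDWARE: Registry = {
    r"HKLM\Hardware\DESCRIPTION\System": {"SystemBiosVersion": "VBOX -1"},
    r"HKLM\System\CurrentControlSet\Services\VBoxGuest\Enum": {
        "0": r"PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00\3&267a616a&0&20"},
    r"HKLM\System\CurrentControlSet\Services\Disk\Enum": {
        "0": r"IDE\DiskVBOX_HARDDISK___________________1.0_____"
             r"\42566264366366323661362d3265623939632031"},
}
VBOX_MARKERS = ("VBOX", "VIRTUALBOX", "VEN_80EE")  # 0x80EE is the VirtualBox PCI vendor id


def decode_ata_string(hex_serial: str) -> str:
    """ATA IDENTIFY strings keep the two bytes of each 16-bit word swapped ("BV" -> "VB")."""
    raw = bytes.fromhex(hex_serial)
    swapped = b"".join(bytes((raw[i + 1], raw[i])) for i in range(0, len(raw) - 1, 2))
    return swapped.decode("ascii", "replace").strip()


@dataclass
class Findings:
    files: List[str] = field(default_factory=list)
    registry: List[str] = field(default_factory=list)
    processes: List[str] = field(default_factory=list)
    disk_serial: str = ""

    def is_virtualbox(self) -> bool:
        return bool(self.files or self.registry or self.processes
                    or self.disk_serial.startswith("VB"))


def detect(windir: str, registry: Registry, processes: List[str]) -> Findings:
    """Pafish-style checks over a Windows directory, a registry snapshot and a process list."""
    found = Findings()
    found.files = [p for p in ARTIFACT_PATHS if os.path.exists(os.path.join(windir, p))]
    for key, values in registry.items():
        for name, data in values.items():
            if any(m in (key + data).upper() for m in VBOX_MARKERS):
                found.registry.append(key + "\\" + name)
    wanted = {p.lower() for p in PROCESSES}
    found.processes = [p for p in processes if p.lower() in wanted]
    disk = registry.get(r"HKLM\System\CurrentControlSet\Services\Disk\Enum", {}).get("0", "")
    match = re.search(r"\\([0-9a-fA-F]{40})$", disk)  # trailing 20-byte serial as hex
    if match:
        found.disk_serial = decode_ata_string(match.group(1))
    return found


def emulate(windir: str, registry: Registry) -> None:
    """Plant the software-side artifacts: empty stand-in files plus REG_SOFTWARE."""
    for rel in ARTIFACT_PATHS:
        path = os.path.join(windir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    for key, values in REG_SOFTWARE.items():
        registry.setdefault(key, {}).update(values)


def apply_registry_windows(registry: Registry) -> None:
    """Write a plan to the live registry (Windows only, elevated); all values as REG_SZ."""
    import winreg  # only importable on Windows
    for key, values in registry.items():
        subkey = key.split("\\", 1)[1]  # drop the "HKLM" prefix
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_SET_VALUE) as h:
            for name, data in values.items():
                winreg.SetValueEx(h, name, 0, winreg.REG_SZ, data)


def demo():
    """Emulate into a scratch directory and run the detector before and after."""
    windir = tempfile.mkdtemp(prefix="fakevbox_")
    registry: Registry = {}
    before = detect(windir, registry, ["explorer.exe"])
    emulate(windir, registry)
    after = detect(windir, registry, ["explorer.exe", "VBoxService.exe"])
    return before, after
```

    demo() runs end to end on any OS: the scratch directory is clean before emulate() and trips every file and registry check afterwards. Two caveats a practitioner would want before doing this on a real machine. First, emulate() deliberately leaves the hardware keys alone: BIOS and PnP entries are regenerated by Windows, and rewriting Disk\Enum for the live system disk is a good way to break boot. Second, the slide-21 method 3 (processor capabilities such as the CPUID hypervisor bit and vendor string) is not reachable from files or the registry at all, so file/registry emulation only defeats samples that stop at methods 1 and 2, which is the behaviour the talk's own samples showed.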
  • 45. Thank you! https://github.com/jordisk Jordi@jordivazquez.com @jordisk