Security Forums

Malware that detects VMware

Ipsec Espah
Just Arrived

Joined: 16 Mar 2003
Posts: 4

Posted: Sun Mar 25, 2007 2:30 am    Post subject: Malware that detects VMware

Two out of the three malware samples I downloaded from Offensive Computing wouldn't run when I ran them in a VMware image. I was running Process Explorer at the same time I ran them, and the malware never even showed up in that. I assume it is because it figured out it was running in VMware and didn't run. Is there a way to modify some of the signs of VMware that malware commonly checks for?

Moderator note: edited to fix URL tag - capi
Groovicus
Trusted SF Member

Joined: 19 May 2004
Posts: 9
Location: Centerville, South Dakota

Posted: Tue Mar 27, 2007 5:39 am

There used to be only a few pieces of malware that could detect when they are running in a VM, and it is a pretty recent trick (recent meaning that only in the last year or so has it started to take off). However, since there is a packer or two that add VM detection, malware authors no longer have to concern themselves with figuring out how to do it themselves. It is sort of reminiscent of the virus creation software... one didn't really need to know how to code at all. Try finding malware that came about in early 2006 and see if you can detect that.

As far as altering VMware so it is undetectable to malware, umm, no. At least I don't think so. You would have to change registry keys, file names, process names, etc. I don't think one could do that and still have a working copy of VMware when they were done. You would be better off reversing the malware and patching it to break the ability to detect virtual environments.
Ipsec Espah
Just Arrived

Joined: 16 Mar 2003
Posts: 4

Posted: Thu Mar 29, 2007 7:06 pm

Thanks, Groovicus. Unfortunately, I'm not a programmer, so I can't do code analysis; all I can do is behavior analysis. I've just installed Hacker Defender and set it to hide VMware registry entries, which went from probably over 50 to under 10 visible. It's not perfect, but it will have to do for now.
Groovicus
Trusted SF Member

Joined: 19 May 2004
Posts: 9
Location: Centerville, South Dakota

Posted: Fri Mar 30, 2007 2:01 am

One of my favorite tools to use to monitor is Total Uninstall. It is not what you want if you are trying to monitor behavior, but at least it will let you know what is different on your system after you install it. Sometimes you can find other processes of which you were previously unaware. The Total Uninstall website has a commercial version, but I found several older versions that were free and fully functional. I cannot recall from where those versions were available.

EDIT: Found it:
http://www.aplusfreeware.com/categories/util/uninst.html
Ipsec Espah
Just Arrived

Joined: 16 Mar 2003
Posts: 4

Posted: Fri Mar 30, 2007 7:11 pm

Looks pretty good, I'll give it a try tonight. Thanks for the link!