Ipsec Espah (Just Arrived)
Joined: 16 Mar 2003 Posts: 4
Posted: Sun Mar 25, 2007 2:30 am Post subject: Malware that detects VMware
Two out of the three malware samples I downloaded from Offensive Computing wouldn't run when I ran them in a VMware image. I was running Process Explorer at the same time I ran them, and the malware never even showed up in that. I assume it is because it figured out it was running in VMware and didn't run. Is there a way to modify some of the signs of VMware that malware commonly checks for?
Moderator note: edited to fix URL tag - capi
Groovicus (Trusted SF Member)
Joined: 19 May 2004 Posts: 9 Location: Centerville, South Dakota
Posted: Tue Mar 27, 2007 5:39 am Post subject:
There used to be only a few pieces of malware that could detect when they are running in a VM, and it is a pretty recent trick (recent meaning that only in the last year or so has it started to take off). However, since there is a packer or two that add VM detection, malware authors no longer have to concern themselves with figuring out how to do it themselves. It is sort of reminiscent of the virus creation software... one didn't really need to know how to code at all. Try finding malware that came about in early 2006 and see if you can detect that.
As far as altering VMWare so it is undetectable to malware, umm, no. At least I don't think so. You would have to change registry keys, file names, process names, etc. I don't think one could do that and still have a working copy of VMWare when they were done. You would be better off reversing the malware and patching it to break the ability to detect virtual environments.
Ipsec Espah (Just Arrived)
Joined: 16 Mar 2003 Posts: 4
Posted: Thu Mar 29, 2007 7:06 pm Post subject:
Thanks Groovicus. Unfortunately I'm not a programmer, so I can't do code analysis; all I can do is behavior analysis. I've just installed Hacker Defender and set it to hide VMware registry entries, which went from probably over 50 to under 10 visible. It's not perfect, but it will have to do for now.
Groovicus (Trusted SF Member)
Joined: 19 May 2004 Posts: 9 Location: Centerville, South Dakota
Posted: Fri Mar 30, 2007 2:01 am Post subject:
One of my favorite tools to use for monitoring is Total Uninstall. It is not what you want if you are trying to monitor behavior, but at least it will let you know what is different on your system after you install something. Sometimes you can find other processes of which you were previously unaware. The Total Uninstall website has a commercial version, but I found several older versions that were free and fully functional. I cannot recall from where those versions were available.
EDIT: Found it:
http://www.aplusfreeware.com/categories/util/uninst.html
Ipsec Espah (Just Arrived)
Joined: 16 Mar 2003 Posts: 4
Posted: Fri Mar 30, 2007 7:11 pm Post subject:
Looks pretty good, I'll give it a try tonight. Thanks for the link!