Topic: Virtual Machines and Malware

Tsar
Virtual Machines and Malware
« on: December 01, 2011, 06:16:33 am »
I was wondering if anyone here is knowledgeable about Virtual Machines, in particular the "Anti-VM" code/techniques that a lot of malicious software uses.
  • Will "Anti-VM" code/techniques usually allow malware to break out of the VM? Or does it just detect the VM and not run?
  • If both, which one is more prevalent?
  • What are the ways malware can break out of VMs, and how can they be stopped?
What I hope to find is a good configuration/tips for testing malware in VM environments by understanding the inner workings and exploits Anti-VM code may make use of. Many people think virtual environments allow you to run malware isolated, therefore leaving the main machine unaffected, but this is not the case.

I was able to find this link:
http://superuser.com/questions/289054/is-my-host-machine-completely-isolated-from-a-virus-infected-virtual-machine

Some tips listed are:
  • Disable x86 virtualization
  • Disable networking on the VM
  • Disable shared folders/file sharing between Host and VM

I would like to hear more from someone with more experience in this, however, so does anyone have experience with Anti-VM code/techniques and know details of how they work?
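As an added example (not from this thread or from the superuser answer), here is a small checker for the isolation tips listed above, written against a VirtualBox analysis guest. It parses the key="value" output of `VBoxManage showvminfo <vm> --machinereadable` and flags settings that give a sample a path back to the host: active NICs, shared folders, clipboard/drag-and-drop integration, and hardware virtualization being on. The key names follow VirtualBox's machinereadable output; the VM info below is constructed, not captured from a real machine.

```python
"""Check a VirtualBox analysis guest against the host-isolation tips.

Added example, not code from the forum thread. Parses the key="value"
lines that `VBoxManage showvminfo <vm> --machinereadable` prints and
reports settings that weaken isolation between host and guest.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample in the shape VBoxManage prints. NIC 1 is still bridged,
# a shared folder still maps the analyst's home directory into the guest,
# and the clipboard is shared both ways.
LEAKY_VMINFO = '''name="malware-lab"
ostype="Windows7_64"
memory=2048
hwvirtex="on"
nestedpaging="on"
clipboard="bidirectional"
draganddrop="disabled"
nic1="bridged"
bridgeadapter1="eth0"
nic2="none"
SharedFolderNameMachineMapping1="hostshare"
SharedFolderPathMachineMapping1="/home/analyst"
usb="off"
'''

# Same guest after applying the tips: no network, no shares, no clipboard.
HARDENED_VMINFO = '''name="malware-lab"
ostype="Windows7_64"
memory=2048
hwvirtex="off"
clipboard="disabled"
draganddrop="disabled"
nic1="none"
nic2="none"
usb="off"
'''

# Values may be quoted (nic1="none") or bare (memory=2048).
LINE_RE = re.compile(r'^([^=]+)="?(.*?)"?$')


def parse_vminfo(text: str) -> Dict[str, str]:
    """Turn machinereadable output into a dict; malformed lines are skipped."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info


def isolation_findings(info: Dict[str, str]) -> List[str]:
    """Return one human-readable finding per setting that breaks the tips."""
    findings: List[str] = []
    # Networking: any nicN other than "none" gives the sample a route to the
    # LAN or the Internet; the thread's advice is to disable networking.
    for key, val in sorted(info.items()):
        if re.fullmatch(r'nic\d+', key) and val != 'none':
            findings.append(f'{key}={val!r}: disable networking (set to none)')
    # Shared folders: each mapping exposes a host path inside the guest.
    for key, val in sorted(info.items()):
        if key.startswith('SharedFolderPathMachineMapping'):
            findings.append(f'{key}={val!r}: remove shared folder')
    # Clipboard and drag-and-drop are host<->guest channels as well.
    if info.get('clipboard', 'disabled') != 'disabled':
        findings.append(f"clipboard={info['clipboard']!r}: set to disabled")
    if info.get('draganddrop', 'disabled') != 'disabled':
        findings.append(f"draganddrop={info['draganddrop']!r}: set to disabled")
    # The superuser tip says to disable x86 (hardware) virtualization;
    # note that recent VirtualBox releases require it for most guests.
    if info.get('hwvirtex') == 'on':
        findings.append('hwvirtex=on: tip says to disable hardware virtualization')
    return findings


def live_findings(vm_name: str) -> List[str]:
    """Run the check against a real guest; needs VBoxManage on PATH."""
    out = subprocess.run(
        ['VBoxManage', 'showvminfo', vm_name, '--machinereadable'],
        capture_output=True, text=True, check=True,
    ).stdout
    return isolation_findings(parse_vminfo(out))


if __name__ == '__main__':
    for label, text in (('leaky', LEAKY_VMINFO), ('hardened', HARDENED_VMINFO)):
        print(f'[{label}]')
        for f in isolation_findings(parse_vminfo(text)) or ['no findings']:
            print('  ' + f)
```

Running it prints four findings for the leaky guest and none for the hardened one; `live_findings("malware-lab")` applies the same check to an existing VM. The shared-folder and NIC checks are the ones that matter most in practice, since they are the "much easier exit" a sample can use without any hypervisor exploit.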

FuyuKitsune
Re: Virtual Machines and Malware
« Reply #1 on: December 01, 2011, 08:28:31 pm »
Nearly all anti-VM just detects it. It usually checks the hardware configuration for generic or VM hardware. There are ways to check for abnormalities in memory, like the method used to detect the old hypervisor debugger SoftICE.

VM escaping is fairly rare because it usually requires an exploit. A much easier exit would be going through file shares and computers on the VM's LAN, like the tips you listed, but those should not be on by default.

I think the guy on superuser knows more about it than I do.

Tsar
Re: Virtual Machines and Malware
« Reply #2 on: December 02, 2011, 01:02:33 am »
Nearly all anti-VM just detects it.

So most just detect it and decide what to do if it is running in a VM? (Like choosing to stop running for example?)

FuyuKitsune
Re: Virtual Machines and Malware
« Reply #3 on: December 02, 2011, 02:39:00 am »
So most just detect it and decide what to do if it is running in a VM? (Like choosing to stop running for example?)
Yup. If it's a trojan, the good antis will run the program they're bound to. A lot of crappy antis just exit and do nothing. It's really freaking obvious that something's infected if it runs for two seconds and then instantly stops after being put in a VM or Sandbox.

Jath
Re: Virtual Machines and Malware
« Reply #4 on: December 04, 2011, 03:03:30 am »
Here's some info about breaking out of KVM:

http://www.youtube.com/watch?v=hCPFlwSCmvU

I watched it a few weeks back. I don't remember if the talk was given at both Black Hat and DEF CON or just DEF CON.

edit: yup, the talk was given at both Black Hat and DEF CON. I watched the Black Hat talk, but they should be the same.
« Last Edit: December 04, 2011, 03:05:14 am by Jath »