SANS ISC: Virtual Machine Detection in Malware via Commercial Tools

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Virtual machine detection is a self-defensive property of many malware specimens. It is aimed at making it harder to examine the malicious program, because virtualization software, such as VMware, is a very popular tool among malware analysts. For instance, 3 our of 12 malware specimens recently captured in our honeypot refused to run in VMware.

There are many ways for malicious code to detect that it's running in VMware: looking at the presence of VMware-specific processes and hardware characteristics are some of the simpler ones. More reliable techniques rely on assembly-level code that behaves differently on a virtual machine than on a physical host. VMware-detecting features are sometimes built directly into the malicious program, and are sometimes added by a third-party packing utility. (A packer is a utility that modifies the original progral to conceal its strings, disable debuggers, detect VMware, and so on.)

We recently encountered a malicious program that was packed with a commercial packer called Themida. (Thanks for the heads up, Johannes!) This packer includes support for virtual machine detection, as you can see in the screen capture below:

If you're surprised that commercial packers exist, don't be. Programmers often rely on packers to protect legitimate programs from reverse-engineering. Specifically, "Themida is very popular in China, because developers use it to protect mobile applications," according to one post on the ExeTools Forum. "They want maximum security to protect their sensitive communication between software + mobiles."

Themida is probably based on an earlier packer called Xtreme-Protector; both tools seem to have been written by the same author. The Xtreme-Protector website includes a whitepaper that outlines some of the anti-reversing features built into this program.

As a malware analyst, one way you can deal with packed executables that check for the presence of VMware is to patch the malicious code, so that the offending routine never executes. Another option is to modify your VMware instance to make it more dificult for the malicious program to detect that it's running in a virtual machine. Such VMware-concealing  techniques are still relatively immature, but they were documented by Tom Liston and Ed Skoudis at a recent SANS conference. The sides for their presentation Thwarting Virtual Machine Detection are available on-line.

Lenny Zeltser
ISC Handler on Duty
www.zeltser.com