
Thread: Malware and Virtual Environments

  1. #1
    Kayaker (Teach, Not Flame), Join Date: Oct 2000

    Malware and Virtual Environments

    I was browsing around the Matrix to see if there was any new color of pill on the market ;-), and found a few interesting items.

    It's bad enough having to deal with packers, encryption and anti-debugging; the latest bugbear is of course virtual machine detection. If a malware detects, say, VMware, it can simply decide not to run, or to run in a modified fashion in order to hide its true nature. Even Themida is getting on that bandwagon.

    The following 2 papers seem to be a nice overview of the current state of VM detection, and more interestingly the potential of hiding the fact that a malware is running within a virtual environment.

    Thwarting Virtual Machine Detection

    Attacks on Virtual Machine Emulators

    In a somewhat related throw-malware-a-curve-ball story, here is an interesting-looking automagic malware analyzer. It gives a summary of the behaviour of an executable after it is run under a "simulated" environment. The product isn't a virtual machine per se but... well, I'm not sure how the heck it works really, but it would be fun to play with...

    Sandbox Malware Analyzer

    Norman SandBox is the core component of Norman SandBox Analyzer; this module is compatible with Windows functions such as Winsock, Kernel and MPR and also supports network and Internet functions like HTTP, FTP, SMTP, DNS, IRC, and P2P. In other words it is a fully simulated computer, isolated within the NSA application.

    The simulator uses full ROM BIOS capacities, simulated hardware, simulated hard drives, etc. This simulator emulates the entire bootstrap of a regular system at boot-time, starting by loading the operating system files and the command shell from the simulated drive. This drive will contain directories and files that are necessary parts of the system, conforming to system files on physical hard drives.

    The file to be analyzed is loaded into the simulated hard disk and will be started in the simulated environment. Inside the simulated environment the file may do whatever it wants. It can infect files. It can delete files. It can copy itself over networks. It can connect to an IRC server. It can send e-mails. It can set up listening ports. Every action it takes is being registered by the antivirus program, because it is effectively the emulator that does the actions based on the code in the file. No code is executed on the real CPU except for the antivirus emulator engine; even the hardware in the simulated PC is emulated.


  2. #2
    Some more

  3. #3
    Evading the Norman SandBox Analyzer

  4. #4
    disavowed (<script>alert(0)</script>), Join Date: Apr 2002
    Quote Originally Posted by Kayaker:
    The product isn't a virtual machine per se but,.. well I'm not sure how the heck it works really
    It's an emulator.

    In regard to Nico's post, more on Red Pill:
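As an added example that is not part of this thread, of the linked papers or of Norman's product: the VM-detection tricks discussed above (Red Pill's SIDT read and the VMware backdoor among them) leave recognisable byte sequences in a binary, and an analyst triaging a sample usually wants to know up front whether it is likely to behave differently inside a sandbox. The Python below is a small static indicator scan written for this post; the pattern set, the indicator names and the two constructed byte samples are my own assumptions, and a hit is a lead to check in the disassembler, not proof that the sample is VM-aware.

```python
import re

# Static triage scan for common VM-detection indicators in x86 code.
# The patterns are the usual textbook ones: Red Pill's SIDT and its
# SGDT/SLDT/STR relatives, the VMware I/O backdoor, and VM vendor strings.
# The set is an assumption and far from exhaustive; 0F 01 xx is only three
# bytes long and can occur in ordinary data by chance, so treat every hit
# as a pointer to look at, not as a verdict.

ANTI_VM_PATTERNS = {
    # 0F 01 /1 with a memory operand: SIDT (Red Pill reads the IDT base)
    "sidt": re.compile(rb"\x0f\x01[\x08-\x0f\x48-\x4f\x88-\x8f]"),
    # 0F 01 /0 with a memory operand: SGDT
    "sgdt": re.compile(rb"\x0f\x01[\x00-\x07\x40-\x47\x80-\x87]"),
    # 0F 00 /0: SLDT (memory or register form)
    "sldt": re.compile(rb"\x0f\x00[\x00-\x07\x40-\x47\x80-\x87\xc0-\xc7]"),
    # 0F 00 /1: STR (memory or register form)
    "str": re.compile(rb"\x0f\x00[\x08-\x0f\x48-\x4f\x88-\x8f\xc8-\xcf]"),
    # mov eax, 0x564D5868 ('VMXh'): the VMware backdoor magic value
    "vmware_backdoor_magic": re.compile(rb"\xb8\x68\x58\x4d\x56"),
    # mov dx, 0x5658 ('VX') followed by in eax, dx: the backdoor I/O port
    "vmware_backdoor_port": re.compile(rb"\x66\xba\x58\x56\xed"),
    # product strings that VM-aware code tends to look for
    "vm_vendor_string": re.compile(rb"VMware|VirtualBox|VBOX|QEMU", re.IGNORECASE),
}


def scan_for_anti_vm(data: bytes):
    """Return a list of (offset, indicator_name) tuples sorted by offset."""
    hits = []
    for name, pattern in ANTI_VM_PATTERNS.items():
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


def summarize(hits):
    """Group hits by indicator name so the result reads like a triage note."""
    summary = {}
    for offset, name in hits:
        summary.setdefault(name, []).append(offset)
    return summary


# Constructed sample (not a real malware fragment): a function prologue,
# Red Pill's 'sidt [disp32]' encoding, the VMware backdoor sequence and a
# vendor string, simply strung together so each indicator fires once.
SAMPLE_ANTI_VM = (
    b"\x55\x8b\xec"                      # push ebp; mov ebp, esp
    b"\x0f\x01\x0d\x00\x00\x00\x00"      # sidt [0x00000000]  (Red Pill)
    b"\xb8\x68\x58\x4d\x56"              # mov eax, 'VMXh'
    b"\x66\xba\x58\x56"                  # mov dx, 'VX'
    b"\xed"                              # in eax, dx
    b"VMware Tools\x00"                  # vendor string
    b"\xc3"                              # ret
)

# Constructed clean sample: no descriptor-table reads, no backdoor, no strings.
SAMPLE_CLEAN = b"\x55\x8b\xec\x33\xc0\x5d\xc3hello world\x00"


if __name__ == "__main__":
    for label, blob in (("anti-vm sample", SAMPLE_ANTI_VM),
                        ("clean sample", SAMPLE_CLEAN)):
        print(label)
        for name, offsets in summarize(scan_for_anti_vm(blob)).items():
            print(f"  {name:<22} at offsets {offsets}")
```

Run against the constructed sample it reports one SIDT at offset 3, the backdoor magic and port sequence at 10 and 15, and the vendor string at 20; the clean sample reports nothing. In practice the scan is worth pairing with the dynamic side of the story: run the sample once in the emulator or VM and once on bare metal and compare the behaviour logs, since a packer such as Themida will hide these bytes until the code is unpacked in memory.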
