Saturday 25 November 2006

First post - Virtual Machine detection

Looking through my colleague's webpage, I came across a comment about Themida, a very good packer that I'm trying to analyze. But the comment wasn't about Themida's features; it was about virtual machine detection.

Nowadays, more than 50% of the malware that we analyze has some kind of virtual machine detection in its code (typically the SIDT method), and if it detects a virtual machine, it simply does nothing. So perhaps that's a good idea for our production servers: migrate them to virtualization software, and if they ever got compromised, the malware code wouldn't run on them.

But the problem is for the analysts: using tools like VMware is handy, but you always end up using a real machine (I even use my own laptop to analyze the malware, so my Windows XP has been infected several times). So, what is the solution? It is fairly simple: use one of those hardware cards that restore the OS state (used, for example, in cybercafés), together with IDA Pro and its great remote debugging. When you have finished the analysis, just reboot the box and voilà, your OS is as if it had just been installed.

Anyway, this post was about virtual machine detection. The guys at intelguardians have some slides about all the different methods, but there is one missing, discovered by Alfredo Andrés (my Yersinia colleague and friend) using the STR instruction; check it out at our company address here.
