
faking virtual firmware to thwart malware authors

Thomas Roccia has written a new blog post on how malware detects a VM's virtualized hardware and firmware resources, including a defensive POC and a pointer to a similar tool.

Stopping Malware With a Fake Virtual Machine
As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats can also detect monitoring tools used for malware analysis. Often such malware will not execute or will change its behavior to appear harmless. Because some malware uses these tactics, planting fake virtual machine artefacts or fake analysis tools on a system could stop their malicious behavior. We have created a quick proof of concept (POC) to demonstrate this defensive tactic. […] A lot of registry keys are created by specific tools or by sandbox emulation. Using the Windows API RegCreateKeyEx we can create all the (fake) keys normally created by a virtual hypervisor. The following list shows a few of the potential registry keys that malware can detect:
    HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\"Identifier";"VMWARE"
    HKLM\SOFTWARE\VMware, Inc.\VMware Tools
    HKLM\HARDWARE\Description\System\"SystemBiosVersion";"VMWARE"
    HKLM\HARDWARE\Description\System\"SystemBiosVersion";"VBOX"
    HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
    HKLM\HARDWARE\ACPI\DSDT\VBOX__
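The registry half of that technique as an added PowerShell example (not code from the McAfee post or from RocProtect-V1). It assumes an elevated session; two caveats a defender should weigh: HKLM\HARDWARE is a volatile hive rebuilt at every boot, so those decoys must be re-applied at start-up, and overwriting a physical host's real Identifier or SystemBiosVersion data also changes what inventory and support tools report.

```powershell
#Requires -RunAsAdministrator
# Added example: plants the decoy registry artefacts listed above with
# PowerShell cmdlets (RegCreateKeyEx/RegSetValueEx sit underneath them).
# HKLM\HARDWARE is volatile and rebuilt at boot, so re-run this at each
# start-up (for example from a scheduled task) for the entries under it.

# Keys whose mere presence is what an anti-VM check looks for.
$decoyKeys = @(
    'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools',
    'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions',
    'HKLM:\HARDWARE\ACPI\DSDT\VBOX__'
)

# Values the check reads. SystemBiosVersion is REG_MULTI_SZ on a real host,
# so one multi-string can carry both the VMWARE and the VBOX marker.
$decoyValues = @(
    @{ Path = 'HKLM:\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0'
       Name = 'Identifier';        Type = 'String';      Data = 'VMWARE' },
    @{ Path = 'HKLM:\HARDWARE\Description\System'
       Name = 'SystemBiosVersion'; Type = 'MultiString'; Data = @('VMWARE', 'VBOX') }
)

function Add-DecoyKey {
    param([Parameter(Mandatory)][string]$Path)
    if (Test-Path -LiteralPath $Path) { return "exists   $Path" }
    New-Item -Path $Path -Force | Out-Null   # -Force creates missing parents
    return "created  $Path"
}

function Add-DecoyValue {
    param([Parameter(Mandatory)][hashtable]$Entry)
    Add-DecoyKey -Path $Entry.Path | Out-Null
    # New-ItemProperty -Force overwrites an existing value of the same name.
    New-ItemProperty -LiteralPath $Entry.Path -Name $Entry.Name `
        -PropertyType $Entry.Type -Value $Entry.Data -Force | Out-Null
    return "set      $($Entry.Path)\$($Entry.Name) = $($Entry.Data -join ',')"
}

foreach ($k in $decoyKeys)   { Add-DecoyKey -Path $k }
foreach ($v in $decoyValues) { Add-DecoyValue -Entry $v }

# Show what a process reading these values now sees.
foreach ($v in $decoyValues) {
    $seen = (Get-ItemProperty -LiteralPath $v.Path -Name $v.Name).($v.Name)
    '{0,-18} -> {1}' -f $v.Name, ($seen -join ',')
}
```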

https://securingtomorrow.mcafee.com/mcafee-labs/stopping-malware-fake-virtual-machine/

https://github.com/fr0gger/RocProtect-V1
