… and – in this we were correct – they are. You can basically find virtual machines:
- In companies running their internal servers as a VM for easier maintenance
- On thin clients, where the end-users have simple terminals instead of “real” systems (again for reasons of easier maintenance)
- In clouds like the Amazon cloud where you can just “click your own system” within minutes
- As virtual appliances, simple systems which only have one job (like a network proxy). Easy to install.
However, due to our assumption we decided not to bother with the virtual machine detection.
That’s where we went wrong.
Now, at the end of 2014, about 20% of the malware out there still detects VMs. Especially the complicated-and-interesting malware does. Back when we started, we estimated that no more than a single-digit percentage would be able to do it by now!
Symantec released an article which covers that topic. Furthermore, our own numbers show similar results (ours are a bit biased, though: for the iTES project we filter out all the “boring” malware before we send the remaining samples to Cuckoo).
Malware detects virtual machines just to annoy the antivirus vendors
One way to classify samples in a virus lab is to run the suspicious sample in a VM and monitor its behavior. If it does attack the system, it’s malware – and that’s why malware detects whether or not it is running in a virtual machine and changes its own behavior accordingly. In the Avira Virus Lab we do not rely on a single classification method but combine several, so for us this is not really an issue.
But for our research project I wanted to observe the malicious behavior of even the trickiest malware in a virtual machine … a problem that obviously needs to be solved.
VM Detection and a Paranoid Fish
There are many ways to detect if your program is running in a VM. The most common ones are:
- Detect hardware configuration:
  - Network MAC address
  - HD vendor name
  - BIOS vendor
  - Video BIOS vendor
- Detect installed guest additions
- Detect specific registry keys
- Some malware detects a specific machine ID (for example based on a fingerprint of the user ID and the hardware being used)
These tricks are surprisingly simple and yet seem to be very effective.
Instead of writing documentation on how to detect a VM, I decided to add the identified tricks to a cool Open Source project: the Paranoid Fish (PaFish); if you are interested, you can find my changes in the dev-chaos branch. For me as a programmer, writing code (especially code as simple and structured as PaFish requires) is like writing documentation that executes and helps in the next step:
VM Cloaking
This step starts with the hardware configuration needed to create a cloaked VM. You have to do this before being able to install any operating system. After the OS is installed there are other buttons to press: registry settings and basic program configuration. Back in the “good old days” we had whole manuals on how to do it and configured the virtual machines manually, a quite boring and error-prone task. Instead of writing another how-to, we (Jurriaan Bremer and I) decided to fix it once and for all: we created a tool called VMCloak that can mass-produce ready-to-use cloaked VMs.
Just add your requirements to a configuration file, start the script, wait 2 coffees and you will have a dozen VMs.
Please welcome VMCloak
VMCloak will:
- Set up the virtual machine, including the appropriate hardware setup, like proper hardware IDs, more than 50 GB of HD space (less is a sign of a VM), …
- Install the OS
- Set up networking
- Install applications
- Do some system config to cloak the machine
- …and it can install everything required for Cuckoo Sandbox
To give you a small glimpse of the very useful features VMCloak offers, I’ll go into more detail on its dependencies (aka “automatically install programs”). Complete documentation can be found here.
When analyzing the behavior of a malicious sample you normally want some programs installed which will then be attacked by the malware. That can include old browsers, PDF readers, Flash players, you name it. Also, when doing a manual analysis, you want your default tools to view the running processes, system changes, etc.
Dependencies are small configuration snippets that allow VMCloak to automatically install programs after the OS has been set up. They define the filename of the setup file, which buttons have to be clicked to get through the installation, and some additional information like flags, a description, and even dependencies of their own.
Without any kind of automation one would waste minutes to hours just clicking the next button.
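As an added illustration of what such dependency snippets have to support (this is not VMCloak’s own code, and the snippet format below is an assumption, since the post does not show the real one), here is a small resolver that turns a set of snippets into an install order. It handles the case the post mentions, a snippet that itself depends on another one, and fails loudly on a circular dependency instead of looping forever. Program names, setup filenames and flags are constructed for the example.

```python
"""Install-order resolution for 'dependency' snippets, in the spirit of the
VMCloak dependencies described in the post.

Added example; NOT VMCloak's own code or file format. The snippet fields
(name, setup filename, silent-install flags, list of other snippets it
depends on) are an assumption made for this illustration.
"""
from collections import deque

# Constructed sample snippets. 'depends' names other snippets that must be
# installed first (a browser plugin needs its browser, a reader needs a runtime).
DEPENDENCIES = {
    "vcredist":    {"filename": "vcredist_x86.exe",   "flags": ["/q"],       "depends": []},
    "pdfreader":   {"filename": "pdfreader_setup.exe", "flags": ["/S"],       "depends": ["vcredist"]},
    "oldbrowser":  {"filename": "browser_setup.exe",  "flags": ["/silent"],  "depends": []},
    "flashplugin": {"filename": "flash_plugin.exe",   "flags": ["-install"], "depends": ["oldbrowser"]},
    "procviewer":  {"filename": "procviewer.exe",     "flags": [],           "depends": []},
}


def install_order(wanted, deps=DEPENDENCIES):
    """Return the snippet names to install, ordered so that every snippet comes
    after everything it depends on. Raises ValueError on an unknown name or a
    dependency cycle (Kahn's algorithm)."""
    # Transitive closure: everything the wanted snippets pull in.
    needed = set()
    stack = list(wanted)
    while stack:
        name = stack.pop()
        if name not in deps:
            raise ValueError("unknown dependency: %s" % name)
        if name in needed:
            continue
        needed.add(name)
        stack.extend(deps[name]["depends"])

    # Kahn's algorithm: repeatedly emit snippets with no unsatisfied prerequisites.
    indegree = {n: 0 for n in needed}
    dependents = {n: [] for n in needed}
    for n in needed:
        for d in deps[n]["depends"]:
            indegree[n] += 1
            dependents[d].append(n)
    ready = deque(sorted(n for n in needed if indegree[n] == 0))
    order = []
    while ready:
        n = ready.popleft()
        order.append(n)
        for m in sorted(dependents[n]):
            indegree[m] -= 1
            if indegree[m] == 0:
                ready.append(m)
    if len(order) != len(needed):
        # Whatever was never emitted sits on a cycle.
        raise ValueError("dependency cycle among: %s" % sorted(needed - set(order)))
    return order


def install_commands(wanted, deps=DEPENDENCIES):
    """Render the command lines an installer script would run, in order."""
    return [" ".join([deps[n]["filename"]] + deps[n]["flags"])
            for n in install_order(wanted, deps)]


if __name__ == "__main__":
    for cmd in install_commands(["flashplugin", "pdfreader", "procviewer"]):
        print(cmd)
```

The ordering is deterministic (ties are broken alphabetically), which matters when you mass-produce VMs and want two runs of the same configuration file to yield identical images.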
Test your skillz
PaFish and VMCloak are Open Source and available for everyone. VMCloak in particular is still very young and there are lots of opportunities to test it and show your superior skillz:
- Add application packages (dependencies) for automatic program installation
- Add more cloaking (add PaFish VM detection followed by VMCloak cloaking: chess against yourself)
- Windows 7 installation or other – for programming admins
- Create virtual machines using VMWare, KVM, …
The opportunities are endless, so just go ahead.
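To make the “PaFish detection followed by VMCloak cloaking” loop from the list above concrete, here is an added example (not PaFish’s or VMCloak’s code) that runs the artifact classes listed in the VM Detection section (MAC address, HD vendor, BIOS vendor, video BIOS vendor, guest additions, registry keys, disk size) over two constructed sets of host facts: a fresh, uncloaked VM and the same machine after a cloaking pass. The fact keys, the vendor strings and the MAC prefixes are assumptions for the illustration; a real self-audit would read these values from inside the guest rather than from a dictionary. A sandbox builder runs something like this after each cloaking change and only ships the image when the finding list is empty.

```python
"""PaFish-style self-audit of an analysis VM, run over a dictionary of host facts.

Added example; NOT PaFish's or VMCloak's code. Fact keys, vendor markers and
MAC prefixes are assumptions for this illustration; a real audit would gather
them from the guest (network config, WMI/SMBIOS, registry) instead of a dict.
"""

# Hypervisor MAC prefixes and vendor substrings for the artifact classes the post
# lists. Extend the tuples as you add checks; the audit logic stays the same.
VM_MAC_PREFIXES = ("08:00:27", "00:0c:29", "00:50:56", "00:05:69", "52:54:00")
VM_VENDOR_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "innotek", "oracle")
VM_REGISTRY_MARKERS = ("VBoxGuest", "VMware Tools", "VirtualBox Guest Additions")
MIN_PLAUSIBLE_DISK_GB = 50   # the post: less than ~50 GB of disk is a sign of a VM


def audit(facts):
    """Return a list of (check, detail) findings. An empty list means these
    checks cannot tell the facts apart from a physical machine."""
    findings = []

    # Network MAC address: the OUI (first three octets) names the NIC vendor.
    mac = facts.get("mac", "").lower().replace("-", ":")
    if mac.startswith(VM_MAC_PREFIXES):
        findings.append(("mac_oui", mac))

    # HD vendor, BIOS vendor, video BIOS vendor: one finding per artifact.
    for key in ("disk_vendor", "bios_vendor", "video_bios_vendor"):
        value = facts.get(key, "").lower()
        if any(marker in value for marker in VM_VENDOR_MARKERS):
            findings.append((key, facts[key]))

    # Specific registry keys left behind by guest tools.
    for key_path in facts.get("registry_keys", []):
        if any(marker.lower() in key_path.lower() for marker in VM_REGISTRY_MARKERS):
            findings.append(("registry", key_path))

    # Installed guest additions show up in the program list.
    for program in facts.get("installed_programs", []):
        if any(marker in program.lower() for marker in VM_VENDOR_MARKERS):
            findings.append(("guest_additions", program))

    # Implausibly small disk.
    if facts.get("disk_gb", 0) < MIN_PLAUSIBLE_DISK_GB:
        findings.append(("disk_size", "%s GB" % facts.get("disk_gb")))

    return findings


# Constructed: a freshly created VM, nothing cloaked yet.
NAIVE_VM = {
    "mac": "08:00:27:12:34:56",
    "disk_vendor": "VBOX HARDDISK",
    "bios_vendor": "innotek GmbH",
    "video_bios_vendor": "Oracle VM VirtualBox",
    "registry_keys": [r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"],
    "installed_programs": ["Oracle VM VirtualBox Guest Additions"],
    "disk_gb": 20,
}

# Constructed: the same machine after a cloaking pass. All values are
# placeholders chosen to look like ordinary hardware, not real device strings.
CLOAKED_VM = {
    "mac": "3c:97:0e:aa:bb:cc",
    "disk_vendor": "Generic 2.5in HDD",
    "bios_vendor": "ACME Computer Inc.",
    "video_bios_vendor": "ACME Video",
    "registry_keys": [r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"],
    "installed_programs": ["PDF reader 9", "Process viewer"],
    "disk_gb": 80,
}


if __name__ == "__main__":
    for label, facts in (("naive", NAIVE_VM), ("cloaked", CLOAKED_VM)):
        print(label, audit(facts))
```

Each check is deliberately independent, so a new trick (for example the machine-ID fingerprint the post mentions) is one more block in `audit()` plus one more key in the fact dictionaries, and the cloaking side can be tested against it the same way.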
TL;DR:
No need to ever create a virtual machine for malware analysis again. Use VMCloak.
For Science!
Thorsten Sick