Other issues in this category (38)
Playing hide and seek in the sandbox: Dr.Web vxCube’s capabilities
Friday, April 9, 2021
When it comes to exposing malware, people often regard sandboxes as a failure-proof solution. They assume that launching a sample in a sandbox will incite the malware to manifest its malicious features and thus reveal its true nature. Naturally, malware makers are also well aware of this assumption and do their best to ensure that the true purpose of their 'products' remains undiscovered even in a sandbox. They also expect that whoever decides to examine their malicious programs more closely will do so by launching them in a virtual machine.
To prevent malicious actions from being exposed in either of these scenarios, malware makers need to give their programs the ability to detect whether they are being run in an isolated environment. Interestingly, some users also know this and make adjustments to their systems so that their PCs will appear as a VM to malware. And that brings up memories of the good old days when all sorts of malware immunizers were enjoying widespread popularity. Back in the 1990s, the first anti-viruses existed alongside so-called vaccines—programs that made files appear as though they had already been compromised so that viruses would not infect them. Can such a trick replace anti-viruses? Of course not. Many malicious programs are not equipped with anti-VM features. Why? If anything, just because many companies run their servers in virtual machines. Furthermore, users who work remotely are often advised to use virtual machines to access their corporate infrastructures.
How can a program tell that it is being launched in a VM? Real PCs are built using a wide variety of hardware, such as hard drives from different manufacturers, all sorts of graphics cards and network adapters. Only the BIOS firmware remains constant. Meanwhile, virtual machines use similar system configurations. Because of this, system information can help us reach certain conclusions.
In virtual machines, operating systems often run specific services, and certain drivers and applications (such as VMware Tools) are present in the system. In Windows, signs of a virtual machine can also be found in the registry.
For instance, if a VMware Workstation is being used, port 0x5658 is utilised for interaction between the guest and host operating systems. If 0x564d5868 is written into the EAX register and 0x0A is assigned to the ECX register, the command will return the current version of the VMware Workstation installed in the system.
The utility Pafish (Paranoid Fish) can also be used to determine whether a VM is being used. This utility checks the following system parameters:
- Hard disk and RAM size;
- Screen resolution;
- Mouse cursor movements;
- TSC (timestamp counter) time difference;
- The presence of software, device IDs, and MAC addresses that indicate a virtual machine is being used.
Here is an example of running Pafish in a virtual machine:
The screenshot demonstrates that Pafish has successfully detected an analysis environment by measuring a timestamp counter difference. Even though hardware virtualisation can be used to circumvent this limitation, configuring the software properly is not an easy task—the exact number of clock cycles for the vmexit and vmresume routines needs to be determined.
Doctor Web offers its customers the opportunity to take advantage of the innovative cloud-based service Dr.Web vxCube, which lets users upload suspicious files for in-depth examination. The files are launched in a specially designed virtual machine that prevents uploaded samples from determining that they are being launched in a virtual environment.
The experience of analysing huge quantities of malicious programs has allowed Doctor Web’s security researchers to learn more about the techniques that malware authors employ to detect whether a program is being run in a virtual machine. This knowledge has been used to create technologies that enable Dr.Web vxCube to evade anti-VM detection. For example, malicious programs will never be able to take advantage of any piece of the information listed below:
- CPU fan information;
- The presence of ACPI temperature readings;
- The availability of shortcuts, installed applications and Windows updates;
- information about Xeon CPUs and others.
Doctor Web keeps a watchful eye on the latest developments in hacker techniques and promptly introduces new technologies into Dr.Web vxCube that will neutralise them. As of August 2020, Dr.Web vxCube was using a record number of over 370 techniques to prevent malware from evading analysis.
Let's put Pafish in Dr.Web vxCube:
The examination starts. Note that a user can simply wait until the examination is complete or use VNC to log into the VM and perform their custom actions, if necessary. In this case, if they log into the virtual machine, they will see how Pafish is working:
As you can see, all the checks have been passed successfully and the artificial environment hasn't been detected. But has the service been able to discover that it was being analysed?
Now that the program's operation has been analysed (note that you can also specify the examination time before the analysis starts), we can scroll down the report page to the Behavior section. Here we can see the VM detection entry. We can also check the Description section for details:
The Anti-virus Times recommends
If you need to examine a certain program for malicious features, Dr.Web vxCube is the service for you. The program you're going to examine will never learn that it's being watched, and Dr.Web vxCube will not only help you expose its malicious payload but also generate a custom build of Dr.Web CureIt! to neutralise this specific malicious program.