SlideShare a Scribd company logo

Emulate virtual machines to avoid malware infections - GrrCON 2014

J
jordivazquez

The document discusses the emulation of virtual machine environments to prevent malware infections, focusing on methodologies for malware detection and virtual machine emulation. It presents findings from research on how malware identifies virtualization artifacts and proposes a Python script to simulate virtual machines to mitigate these risks. Future research directions include testing other virtualization solutions and expanding the range of malware samples for improved analysis.

Technology
1 of 49
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
Emulate VM environment to avoid malware infections Jordi Vazquez
2 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
3 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
4 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
5 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
6 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
7 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
8 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
9 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
Who am I? Page 10 | GrrCON Hacker Conference | 16-17 Oct, 2014
11 1. Introduction / Motivation 2. Previous concepts 3. Virtual machine Detection 4. How malware detects VMs 5. Virtual machine emulation 6. Experimental results 7. Conclusions Agenda GrrCON Page | Hacker Conference | 16-17 Oct, 2014
12 1. Introduction GrrCON Page | Hacker Conference | 16-17 Oct, 2014
Introduction Source: http://research.dissect.pe/docs/blackhat2012-presentation.pdf Page 13 | GrrCON Hacker Conference | 16-17 Oct, 2014
Introduction If malware tries to avoid Virtual machines… 14 ! Why not try to emulate these environments to avoid infections? GrrCON Page | Hacker Conference | 16-17 Oct, 2014
Introduction The purposes 15 Study the characteristics of VirtualBox Specific drivers Registry keys Processes VirtualBox Guest Additions Files ! Know how the malware detects a virtual machine ! Try to replicate these configurations on a physical computer GrrCON Page | Hacker Conference | 16-17 Oct, 2014
16 2. Previous Concepts GrrCON Page | Hacker Conference | 16-17 Oct, 2014
Previous Concepts What is Virtual Machine? Page 17 | GrrCON Hacker Conference | 16-17 Oct, 2014
Previous Concepts What is Cuckoo Sandbox? Automated malware analysis tool Open Source Project Written in Python Extensible Reporting system (memory dumps, registry access, API calls, screenshots, network activity) Page 18 | GrrCON Hacker Conference | 16-17 Oct, 2014
Previous Concepts What is Cuckoo Sandbox? (How It works) Page 19 | GrrCON Hacker Conference | 16-17 Oct, 2014
20 3. Virtual Machine Detection GrrCON Page | Hacker Conference | 16-17 Oct, 2014
Virtual Machine Detection Why? ! Malware researchers increasingly use virtual machine technology to analyze samples, since it offers many benefits: ! Multiple operating systems Ability to reset to a previous snapshot undoing changes made by malware Easily monitored Isolation ! Typical methods to detect a VME ! 1. Look for VME artifacts in processes, file system and registry 2. Look for VME specific virtual hardware 3. Look for VME specific processor capabilities Page 21 | GrrCON Hacker Conference | 16-17 Oct, 2014
Virtual Machine Detection - VMWare Artifacts in processes, system files and registry Page 22 | GrrCON Hacker Conference | 16-17 Oct, 2014 VMWare tools Some references in system files to “VMWare” Some references in the registry to “VMWare” Some drivers: vmmouse.sys vmhgfs.sys
Virtual Machine Detection - Virtual Box 23 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
Virtual Machine Detection - Virtual Box 24 VS GrrCON Page | Hacker Conference | 16-17 Oct, 2014
Specific files with VirtualBox Guest Additions System 32 Guest Additions Folder System32Drivers • VBoxDisp.dll • VBoxHook.dll • VBoxMRXNP.dll • VBoxOGLarrayspu.dll • VBoxOGLerrorspu.dll • VBoxOGLcrutil.dll • VBoxOGLerrorspu.dll • VBoxOGLfeedbackspu.dll • VBoxOGLpackspu.dll • VBoxoglpassthroughspu.dll • VBoxTray.exe • VBoxService.exe • VBoxControl.exe Page 25 | GrrCON Hacker Conference | 16-17 Oct, 2014 • VBoxDisp.dll • VBoxDrvInst.exe • VBoxVideo.inf • VBoxVideo.sys • VBoxControl.exe • VBoxGuest.sys • VBoxGuest.inf • VBoxMouse.sys • VBoxMouse.inf • VBoxTray.exe • VBoxWHQLFake.exe • DIFxAPI.dll • VBoxMouse.sys • VBoxGuest.sys • VBoxSF.sys • VBoxVideo.sys Virtual Machine Detection - Virtual Box
Specific files and processes with VirtualBox Guest Additions Installed DRVSTOREVBoxGuest_ED40339D75DAC80 DECCD6CCCDB8E202724F5321D Page 26 | GrrCON Hacker Conference | 16-17 Oct, 2014 DRVSTOREVBOXVideo_5C9060E4 72F2B1E3E9D5353B27AF6B8DABF99D47 Processes • VBoxControl.exe • VBoxGuest.cat • VBoxGuest.inf • VBoxGuest.sys • VBoxTray.exe • VBoxDisp.dll • VBoxVideo.inf • VBoxVideo.sys • VBoxVideo.cat • VboxService.exe Virtual Machine Detection - Virtual Box
Virtual Machine Detection - Virtual Box Folder Key Type Value HKLMSoftwareOracleVirtualBox Guest Additions InstallDir REG_SZ Guest Additions folder 27 Revision REG_SZ Revision number Version REG_SZ Version number VersionExt REG_SZ Version number HKLMHardwareDEVICEMAPScsiScsi Port 0ScSi Bus 0Target Id 0Logical Unit Id 0 Identifier REG_SZ VBOX HARDDISK HKLMHardwareDEVICEMAPScsiScsi Port 0ScSi Bus 0Target Id 1Logical Unit Id 0 Identifier REG_SZ VBOX CD-ROM HKLMHardwareDESCRIPTIONSystem SystemBiosVersion REG_MULTI_SZ VBOX -1 VideoBiosVersion REG_MULTI_SZ Oracle VM VirtualBox Version (version number) HKLMHardwareAcpiDSDTVBOX__VBOXBIOS 00000002 00000000 REG_BINARY DSDT......VBOX VBOXBIOS....INTL Specific registry keys GrrCON Page | Hacker Conference | 16-17 Oct, 2014
Virtual Machine Detection - Virtual Box Folder Key Type Value HKLMSystemCurrentControlSetServicesDiskEnum 0 REG_SZ IDE 28 DiskVBOX_HARDDISK________________ ___________1.0_____ 42566264366366323661362d32656239 39632031 HKLMSystemCurrentControlSetServicesVBoxGuest DisplayName REG_SZ VirtualBox Guest Driver ImagePath REG_EXPAND_SZ system32DRIVERSVBoxGuest.sys HKLMSystemCurrentControlSetServicesVBoxGuest Enum 0 REG_SZ PCI VEN_80EE&DEV_CAFE&SUBSYS_00000 000&REV_003&267a616a&0&20 HKLMSystemCurrentControlSetServicesVBoxMouse DisplayName REG_SZ VirtualBox Guest Mouse Service ImagePath REG_EXPAND_SZ system32DRIVERSVBoxMouse.sys HKLMSystemCurrentControlSetServicesVBoxMouse Enum 0 REG_SZ ACPIPNP0F034&1d401fb5&0 Specific registry keys *These keys are in ControlSet001, ControlSet002 and CurrentControlSet folders GrrCON Page | Hacker Conference | 16-17 Oct, 2014
Virtual Machine Detection - Virtual Box Folder Key Type Value HKLMSystemCurrentControlSetEnumIde DiskVBOX_HARDDISK4256636463663 29 FriendlyName REG_SZ VBOX HARDDISK HKLMSystemCurrentControlSetEnumIde DiskVBOX_HARDDISK9257936463871 FriendlyName REG_SZ VBOX CD-ROM HKLMSystemCurrentControlSetServices VBoxService DisplayName REG_SZ VirtualBox Guest Aditions Service ImagePath REG_EXPAND_SZ system32VBoxService.exe Description REG_SZ Manages VM runtime information and utilities for guest operating systems. ObjectName REG_SZ LocalSystem HKLMSystemCurrentControlSetServices VBoxServiceEnum 0 REG_SZ RootLEGACY_VBOXSERVICE 0000 HKLMSystemCurrentControlSetServicesVBoxSF DisplayName REG_SZ VirtualBox Shared Folders ImagePath REG_EXPAND_SZ system32DRIVERSVBoxSF.sys Specific registry keys GrrCON Page | Hacker Conference | 16-17 Oct, 2014
Virtual Machine Detection - Virtual Box Folder Key Type Value HKLMSystemCurrentControlSetServices VBoxSFEnum 30 0 REG_SZ RootLEGACY_VBOXSF0000 HKLMSystemCurrentControlSetServices VBoxSFNetworkProvider DeviceName REG_SZ DeviceVboxMinRdr Name REG_SZ VirtualBox Shared Folder ProviderPath REG_SZ %Systemroot% System32VBoxMRXNP.dll HKLMSystemCurrentControlSetServices VBoxVideo ImagePath REG_EXPAND_SZ system32DRIVERSVBoxVideo.sys HKLMSystemCurrentControlSetServices VBoxVideoDevice0 InstalledDisplayDrivers REG_MULTI_SZ VBoxDisp HKLMSystemCurrentControlSetServices VBoxVideoEnum 0 REG_SZ PCI VEN_80EE&DEV_BEEF&SUBSYS_ 00000000&REV_003&267a616a& 0&10 HKLMSystemCurrentControlSetServices VBoxVideoVideo Service REG_SZ Vbox Video Specific registry keys GrrCON Page | Hacker Conference | 16-17 Oct, 2014
Virtual Machine Detection - Virtual Box Specific registry keys Page 31 | GrrCON Hacker Conference | 16-17 Oct, 2014
Virtual Machine Detection - Virtual Box Example Source: http://pastebin.com/RU6A2UuB Page 32 | GrrCON Hacker Conference | 16-17 Oct, 2014
Virtual Machine Detection - Virtual Box Example <Demo> Source: http://pastebin.com/RU6A2UuB Page 33 | GrrCON Hacker Conference | 16-17 Oct, 2014
Virtual Machine Detection - Virtual Box Themida Page 34 | GrrCON Hacker Conference | 16-17 Oct, 2014
Virtual Machine Detection - Virtual Box Themida <Demo> Page 35 | GrrCON Hacker Conference | 16-17 Oct, 2014
Virtual Machine Detection - Virtual Box Physical Machine Virtual Machine 36 Pafish GrrCON Page | Hacker Conference | 16-17 Oct, 2014
4. How malware detects Virtual Machines Page 37 | GrrCON Hacker Conference | 16-17 Oct, 2014
How malware detects Virtual Machines Trojan-spy.win32.Carberp Source: http://github.com/hzeroo/Carberp/blob/master/source - absource/pro/all source/BlackJoeWhiteJoe/Source Page 38 | GrrCON Hacker Conference | 16-17 Oct, 2014
How malware detects Virtual Machines Trojan-Dropper.Win32.Agent.dvyh Technical Details about Net-Worm.Win32.Kolab.wwh: https://www.securelist.com/en/descriptions/17168948/Trojan-Dropper.Win32.Agent.dvyh Page 39 | GrrCON Hacker Conference | 16-17 Oct, 2014
How malware detects Virtual Machines Net-Worm.Win32.Kolab.wwh Technical Details about Net-Worm.Win32.Kolab.wwh: http://www.securelist.com/en/descriptions/10113051/Net-Worm.Win32.Kolab.wwh Page 40 | GrrCON Hacker Conference | 16-17 Oct, 2014
How malware detects Virtual Machines Net-Worm.Win32.Kolab.wwh Technical Details about Net-Worm.Win32.Kolab.wwh: http://www.securelist.com/en/descriptions/10113051/Net-Worm.Win32.Kolab.wwh Page 41 | GrrCON Hacker Conference | 16-17 Oct, 2014
How malware detects Virtual Machines Net-Worm.Win32.Kolab.wwh Technical Details about Net-Worm.Win32.Kolab.wwh: http://www.securelist.com/en/descriptions/10113051/Net-Worm.Win32.Kolab.wwh Page 42 | GrrCON Hacker Conference | 16-17 Oct, 2014
43 5. Virtual Machine emulation GrrCON Page | Hacker Conference | 16-17 Oct, 2014
Conclusions Main findings and future lines of research Main findings It’s possible to simulate a virtual machine with a python script. We can avoid infections by unknown malware. ! ! Future lines of research Investigate more VM Solutions and Sandboxes. (VmWare, Sandboxie…) Try the script with more malware samples. Investigate possible side-effects in a real environment. Page 44 | GrrCON Hacker Conference | 16-17 Oct, 2014
Thank you! https://github.com/jordisk ! Jordi@jordivazquez.com @jordisk
https://github.! com/jordisk Jordi@jordivazquez.com @jordisk
https://github.! com/jordisk Jordi@jordivazquez.com @jordisk
https://github.! com/jordisk Jordi@jordivazquez.com @jordisk
Thank you! https://github.com/jordisk ! Jordi@jordivazquez.com @jordisk

More Related Content

PDF
Docker Forensics
Joel Lathrop
 
PPTX
Operating Systems - A Primer
Saumil Shah
 
PPTX
Introduction to Debuggers
Saumil Shah
 
PPTX
How Functions Work
Saumil Shah
 
PPTX
Dive into ROP - a quick introduction to Return Oriented Programming
Saumil Shah
 
PDF
Making Security Invisible
J On The Beach
 
PDF
Programming IoT with Docker: How to Start?
msyukor
 
PDF
OpenStack Murano introduction
Victor Zhang
 
Docker Forensics
Joel Lathrop
 
Operating Systems - A Primer
Saumil Shah
 
Introduction to Debuggers
Saumil Shah
 
How Functions Work
Saumil Shah
 
Dive into ROP - a quick introduction to Return Oriented Programming
Saumil Shah
 
Making Security Invisible
J On The Beach
 
Programming IoT with Docker: How to Start?
msyukor
 
OpenStack Murano introduction
Victor Zhang
 

Similar to Emulate virtual machines to avoid malware infections - GrrCON 2014 (20)

PDF
Automated Historical Performance Analysis with kmemtracer
Kyungmin Lee
 
PDF
How to easy deploy app into any cloud
Ladislav Prskavec
 
PDF
Securing TodoMVC Using the Web Cryptography API
Kevin Hakanson
 
PDF
Security in a containerized world - Jessie Frazelle
Paris Container Day
 
PDF
IoTWorld 2016 OSS Keynote Param Singh, Ian Skerrett
Param Singh
 
PPTX
Hacking the browser with puppeteer sharp .NET conf AR 2018
Darío Kondratiuk
 
PDF
GDGSCL - Docker a jeho provoz v Heroku a AWS
Ladislav Prskavec
 
PDF
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
AppDynamics
 
PDF
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
Cloud Native NoVA
 
PDF
Automate drupal deployments with linux containers, docker and vagrant
Ricardo Amaro
 
PDF
Hack any website
sunil kumar
 
PDF
MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)
Alexandre Borges
 
PDF
Learn how to build decentralized and serverless html5 applications with embar...
Alessandro Confetti
 
PDF
Learn how to build decentralized and serverless html5 applications with Embar...
Codemotion
 
PPTX
From Docker to Production - ZendCon 2016
Chris Tankersley
 
PDF
IAU workshop 2018 day one
Walid Shaari
 
PDF
Software Define your Current Storage with Opensource
Antonio Romeo
 
PPTX
Securing your Cloud Environment v2
ShapeBlue
 
PDF
PHP QA Tools
rjsmelo
 
PDF
Caching with Varnish
schoefmax
 
Automated Historical Performance Analysis with kmemtracer
Kyungmin Lee
 
How to easy deploy app into any cloud
Ladislav Prskavec
 
Securing TodoMVC Using the Web Cryptography API
Kevin Hakanson
 
Security in a containerized world - Jessie Frazelle
Paris Container Day
 
IoTWorld 2016 OSS Keynote Param Singh, Ian Skerrett
Param Singh
 
Hacking the browser with puppeteer sharp .NET conf AR 2018
Darío Kondratiuk
 
GDGSCL - Docker a jeho provoz v Heroku a AWS
Ladislav Prskavec
 
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
AppDynamics
 
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
Cloud Native NoVA
 
Automate drupal deployments with linux containers, docker and vagrant
Ricardo Amaro
 
Hack any website
sunil kumar
 
MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)
Alexandre Borges
 
Learn how to build decentralized and serverless html5 applications with embar...
Alessandro Confetti
 
Learn how to build decentralized and serverless html5 applications with Embar...
Codemotion
 
From Docker to Production - ZendCon 2016
Chris Tankersley
 
IAU workshop 2018 day one
Walid Shaari
 
Software Define your Current Storage with Opensource
Antonio Romeo
 
Securing your Cloud Environment v2
ShapeBlue
 
PHP QA Tools
rjsmelo
 
Caching with Varnish
schoefmax
 
Ad

Recently uploaded (20)

PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PDF
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Modernising the Digital Integration Hub
Daniel Toomey
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
Ad

Emulate virtual machines to avoid malware infections - GrrCON 2014

  • 1. Emulate VM environment to avoid malware infections Jordi Vazquez
  • 2. 2 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 3. 3 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 4. 4 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 5. 5 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 6. 6 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 7. 7 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 8. 8 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 9. 9 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 10. Who am I? Page 10 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 11. 11 1. Introduction / Motivation 2. Previous concepts 3. Virtual machine Detection 4. How malware detects VMs 5. Virtual machine emulation 6. Experimental results 7. Conclusions Agenda GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 12. 12 1. Introduction GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 14. Introduction If malware tries to avoid Virtual machines… 14 ! Why not try to emulate these environments to avoid infections? GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 15. Introduction The purposes 15 Study the characteristics of VirtualBox Specific drivers Registry keys Processes VirtualBox Guest Additions Files ! Know how the malware detects a virtual machine ! Try to replicate these configurations on a physical computer GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 16. 16 2. Previous Concepts GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 17. Previous Concepts What is Virtual Machine? Page 17 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 18. Previous Concepts What is Cuckoo Sandbox? Automated malware analysis tool Open Source Project Written in Python Extensible Reporting system (memory dumps, registry access, API calls, screenshots, network activity) Page 18 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 19. Previous Concepts What is Cuckoo Sandbox? (How It works) Page 19 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 20. 20 3. Virtual Machine Detection GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 21. Virtual Machine Detection Why? ! Malware researchers increasingly use virtual machine technology to analyze samples, since it offers many benefits: ! Multiple operating systems Ability to reset to a previous snapshot undoing changes made by malware Easily monitored Isolation ! Typical methods to detect a VME ! 1. Look for VME artifacts in processes, file system and registry 2. Look for VME specific virtual hardware 3. Look for VME specific processor capabilities Page 21 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 22. Virtual Machine Detection - VMWare Artifacts in processes, system files and registry Page 22 | GrrCON Hacker Conference | 16-17 Oct, 2014 VMWare tools Some references in system files to “VMWare” Some references in the registry to “VMWare” Some drivers: vmmouse.sys vmhgfs.sys
  • 23. Virtual Machine Detection - Virtual Box 23 GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 24. Virtual Machine Detection - Virtual Box 24 VS GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 25. Specific files with VirtualBox Guest Additions System 32 Guest Additions Folder System32Drivers • VBoxDisp.dll • VBoxHook.dll • VBoxMRXNP.dll • VBoxOGLarrayspu.dll • VBoxOGLerrorspu.dll • VBoxOGLcrutil.dll • VBoxOGLerrorspu.dll • VBoxOGLfeedbackspu.dll • VBoxOGLpackspu.dll • VBoxoglpassthroughspu.dll • VBoxTray.exe • VBoxService.exe • VBoxControl.exe Page 25 | GrrCON Hacker Conference | 16-17 Oct, 2014 • VBoxDisp.dll • VBoxDrvInst.exe • VBoxVideo.inf • VBoxVideo.sys • VBoxControl.exe • VBoxGuest.sys • VBoxGuest.inf • VBoxMouse.sys • VBoxMouse.inf • VBoxTray.exe • VBoxWHQLFake.exe • DIFxAPI.dll • VBoxMouse.sys • VBoxGuest.sys • VBoxSF.sys • VBoxVideo.sys Virtual Machine Detection - Virtual Box
  • 26. Specific files and processes with VirtualBox Guest Additions Installed DRVSTOREVBoxGuest_ED40339D75DAC80 DECCD6CCCDB8E202724F5321D Page 26 | GrrCON Hacker Conference | 16-17 Oct, 2014 DRVSTOREVBOXVideo_5C9060E4 72F2B1E3E9D5353B27AF6B8DABF99D47 Processes • VBoxControl.exe • VBoxGuest.cat • VBoxGuest.inf • VBoxGuest.sys • VBoxTray.exe • VBoxDisp.dll • VBoxVideo.inf • VBoxVideo.sys • VBoxVideo.cat • VboxService.exe Virtual Machine Detection - Virtual Box
  • 27. Virtual Machine Detection - Virtual Box Folder Key Type Value HKLMSoftwareOracleVirtualBox Guest Additions InstallDir REG_SZ Guest Additions folder 27 Revision REG_SZ Revision number Version REG_SZ Version number VersionExt REG_SZ Version number HKLMHardwareDEVICEMAPScsiScsi Port 0ScSi Bus 0Target Id 0Logical Unit Id 0 Identifier REG_SZ VBOX HARDDISK HKLMHardwareDEVICEMAPScsiScsi Port 0ScSi Bus 0Target Id 1Logical Unit Id 0 Identifier REG_SZ VBOX CD-ROM HKLMHardwareDESCRIPTIONSystem SystemBiosVersion REG_MULTI_SZ VBOX -1 VideoBiosVersion REG_MULTI_SZ Oracle VM VirtualBox Version (version number) HKLMHardwareAcpiDSDTVBOX__VBOXBIOS 00000002 00000000 REG_BINARY DSDT......VBOX VBOXBIOS....INTL Specific registry keys GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 28. Virtual Machine Detection - Virtual Box Folder Key Type Value HKLMSystemCurrentControlSetServicesDiskEnum 0 REG_SZ IDE 28 DiskVBOX_HARDDISK________________ ___________1.0_____ 42566264366366323661362d32656239 39632031 HKLMSystemCurrentControlSetServicesVBoxGuest DisplayName REG_SZ VirtualBox Guest Driver ImagePath REG_EXPAND_SZ system32DRIVERSVBoxGuest.sys HKLMSystemCurrentControlSetServicesVBoxGuest Enum 0 REG_SZ PCI VEN_80EE&DEV_CAFE&SUBSYS_00000 000&REV_003&267a616a&0&20 HKLMSystemCurrentControlSetServicesVBoxMouse DisplayName REG_SZ VirtualBox Guest Mouse Service ImagePath REG_EXPAND_SZ system32DRIVERSVBoxMouse.sys HKLMSystemCurrentControlSetServicesVBoxMouse Enum 0 REG_SZ ACPIPNP0F034&1d401fb5&0 Specific registry keys *These keys are in ControlSet001, ControlSet002 and CurrentControlSet folders GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 29. Virtual Machine Detection - Virtual Box Folder Key Type Value HKLMSystemCurrentControlSetEnumIde DiskVBOX_HARDDISK4256636463663 29 FriendlyName REG_SZ VBOX HARDDISK HKLMSystemCurrentControlSetEnumIde DiskVBOX_HARDDISK9257936463871 FriendlyName REG_SZ VBOX CD-ROM HKLMSystemCurrentControlSetServices VBoxService DisplayName REG_SZ VirtualBox Guest Aditions Service ImagePath REG_EXPAND_SZ system32VBoxService.exe Description REG_SZ Manages VM runtime information and utilities for guest operating systems. ObjectName REG_SZ LocalSystem HKLMSystemCurrentControlSetServices VBoxServiceEnum 0 REG_SZ RootLEGACY_VBOXSERVICE 0000 HKLMSystemCurrentControlSetServicesVBoxSF DisplayName REG_SZ VirtualBox Shared Folders ImagePath REG_EXPAND_SZ system32DRIVERSVBoxSF.sys Specific registry keys GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 30. Virtual Machine Detection - Virtual Box Folder Key Type Value HKLMSystemCurrentControlSetServices VBoxSFEnum 30 0 REG_SZ RootLEGACY_VBOXSF0000 HKLMSystemCurrentControlSetServices VBoxSFNetworkProvider DeviceName REG_SZ DeviceVboxMinRdr Name REG_SZ VirtualBox Shared Folder ProviderPath REG_SZ %Systemroot% System32VBoxMRXNP.dll HKLMSystemCurrentControlSetServices VBoxVideo ImagePath REG_EXPAND_SZ system32DRIVERSVBoxVideo.sys HKLMSystemCurrentControlSetServices VBoxVideoDevice0 InstalledDisplayDrivers REG_MULTI_SZ VBoxDisp HKLMSystemCurrentControlSetServices VBoxVideoEnum 0 REG_SZ PCI VEN_80EE&DEV_BEEF&SUBSYS_ 00000000&REV_003&267a616a& 0&10 HKLMSystemCurrentControlSetServices VBoxVideoVideo Service REG_SZ Vbox Video Specific registry keys GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 31. Virtual Machine Detection - Virtual Box Specific registry keys Page 31 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 32. Virtual Machine Detection - Virtual Box Example Source: http://pastebin.com/RU6A2UuB Page 32 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 33. Virtual Machine Detection - Virtual Box Example <Demo> Source: http://pastebin.com/RU6A2UuB Page 33 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 34. Virtual Machine Detection - Virtual Box Themida Page 34 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 35. Virtual Machine Detection - Virtual Box Themida <Demo> Page 35 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 36. Virtual Machine Detection - Virtual Box Physical Machine Virtual Machine 36 Pafish GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 37. 4. How malware detects Virtual Machines Page 37 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 38. How malware detects Virtual Machines Trojan-spy.win32.Carberp Source: http://github.com/hzeroo/Carberp/blob/master/source - absource/pro/all source/BlackJoeWhiteJoe/Source Page 38 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 39. How malware detects Virtual Machines Trojan-Dropper.Win32.Agent.dvyh Technical Details about Net-Worm.Win32.Kolab.wwh: https://www.securelist.com/en/descriptions/17168948/Trojan-Dropper.Win32.Agent.dvyh Page 39 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 40. How malware detects Virtual Machines Net-Worm.Win32.Kolab.wwh Technical Details about Net-Worm.Win32.Kolab.wwh: http://www.securelist.com/en/descriptions/10113051/Net-Worm.Win32.Kolab.wwh Page 40 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 41. How malware detects Virtual Machines Net-Worm.Win32.Kolab.wwh Technical Details about Net-Worm.Win32.Kolab.wwh: http://www.securelist.com/en/descriptions/10113051/Net-Worm.Win32.Kolab.wwh Page 41 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 42. How malware detects Virtual Machines Net-Worm.Win32.Kolab.wwh Technical Details about Net-Worm.Win32.Kolab.wwh: http://www.securelist.com/en/descriptions/10113051/Net-Worm.Win32.Kolab.wwh Page 42 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 43. 43 5. Virtual Machine emulation GrrCON Page | Hacker Conference | 16-17 Oct, 2014
  • 44. Conclusions Main findings and future lines of research Main findings It’s possible to simulate a virtual machine with a python script. We can avoid infections by unknown malware. ! ! Future lines of research Investigate more VM Solutions and Sandboxes. (VmWare, Sandboxie…) Try the script with more malware samples. Investigate possible side-effects in a real environment. Page 44 | GrrCON Hacker Conference | 16-17 Oct, 2014
  • 45. Thank you! https://github.com/jordisk ! Jordi@jordivazquez.com @jordisk
  • 49. Thank you! https://github.com/jordisk ! Jordi@jordivazquez.com @jordisk