Full Disclosure mailing list archives

Re: Genetic method to detect the presence of any virtual machine
From: "Bipin Gautam" <gautam.bipin () gmail com>
Date: Fri, 20 Oct 2006 06:38:26 +0545

as  an genetic method to detect the presence of any virtual machine

  Gene*R*ic.  The word you're looking for is "generic".  Genetic means to do
with DNA and stuff.  Generic means universal, widespread, non-branded.

( Output inside VMWARE )
Company Brnad Name: Microsoft Corporation Virtual Machine
Motherboard Modal: Microsoft Corporation Virtual Machine


YA.... )O; And I got the two sets of query outputs mixed up as well.


Querying just few of the above mentioned information from inside the
virtual machine can IMMEDIATELY PROVE the presence of virtual machine,
not the actual system.

  True.  Is it possible to change them, short of binary patching the vm
executable?




NO NOT POSSIBLE I SUPPOSE WITH PATCHING BECAUSE IT'S A COMPLETELY BIG ISSUE HERE.


 I already told, if the virtual machine responds back too much, too
little, UNKNOWN or suspicious hardware information on ANY SYSTEM
HARDWARE (virtual) it can always be clearly guessed the user/code is
inside the virtual machine.
Let me explain... Changing information like RAM memory speed,
manufacturer, serial no., voltage, CPU clock ratio &
max allowed frequency, L1, L2, L3 cache size information (which VM
has no idea right now) & all other minor details in all hardware
peripherals & make VM respond like if it was real hardware is another
mountainous task even if VMWARE developers decide to fix it. Doing it
with "just" reverse engineering, I would be really reallyyyyy impressed!

moreover...
say if all versions of virtual machine finally can respond back with info
like; motherboard intel ??? , processor p4, hdd samsung, monitor
philips etc. EVEN when they show such legitimate info, these all
combination of the hardware type will be a type of uniqueness, a fingerprint
of presence of VM unless VM support several hardware types & is able to
RESPOND BACK WITH VALID LOOKING INFORMATION & have hardware DIFFERENT
virtual hardware profile
that user can choose that looks like a common hardware combination
from the machine which is common in the market. but you see... but
using say names like samsung, sygate, intel, philips, AMD & emulating
its hardware property would require $$$ royalties & contract with all the
companies (for using & emulating their product as well as name)
and yet still it's another big task to get cooperation from the
companies to let them do so. WHY do you think "these all issue were
represent design decisions by the software makers" (ok let us all stop
playing fool) BECAUSE this is why! It's not just a technical problem.
This way it becomes strategic & political between companies too. so
the VM makers pretend being oOooooo these were all design decisions &
all (semi?) documented hahah do we look soooooo fool?......
THIS ISSUE IS THERE TO STAY.

 Suppose even if they manage partial permission to emulate hardware BUT
THAT WOULD REQUIRE say... even when the attacker tries to firmware
upgrade on particular hardware the PC should let him do it if he/she
has system privilege (which is most of the case, & most hardware
support firmware upgrade as you know) failure to do so could again be
a UNIQUE/SUSPICIOUS FINGERPRINT. I can already imagine DOZENS of
possibilities & issues because just a simple patch isn't going to fix
this issue by any way unless the VM becomes OSS (we already have OSS
alternates) & some third party decides to write an ILLEGAL patch to fix
the issue during compile time of the binary itself (but which would
again require VERY SERIOUS REVERSE ENGINEERING TO LET THE HARDWARE
EMULATION TO HAPPEN)

A person argued with me... no this can't be taken as an issue & once the
compromise has happened the VM has served its purpose but you see if the
attacker (say automated or manual) when detects a VM will immediately
cocoon away instead of doing anything further & would seriously
hinder the purpose for what the HONEYPOT was made for. Like these days
we have SPAM filters which also block spam on email & IP (say black
list) I wouldn't be surprised if in next worm outbreak an attacker
decides to map all the IP address in the internet for few hours &
create his/her own blacklist of
NEVER_VISIT_THE_IP_AGAIN_which_runs_VIRTUAL_MACHINE..

It's very possible. What do you think guys? Show some support, write to
the companies!

-bipin

**********************************************************************
http://groups.google.com/group/AntiForensics
 -Where you will learn to PROTECT your DIGITAL PRIVACY.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
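
The two tell-tales the message describes (a guest that reports hypervisor strings or too little/UNKNOWN hardware detail, and one fixed hardware combination repeated across machines), as an added example that is not part of the original post: a honeypot operator can run a check like this over the inventory their own guests report. Field names, marker strings other than "Virtual Machine", and all sample values are assumptions constructed for illustration.

```python
from collections import Counter

# Substrings that name a hypervisor in vendor/model fields (assumed list;
# only "Virtual Machine" appears in the post's own output).
HYPERVISOR_MARKERS = ("virtual machine", "vmware", "virtualbox", "qemu", "xen")
# Values that mean the platform did not fill the field in.
PLACEHOLDERS = {"", "unknown", "none", "not specified"}
# Details the post says a VM has no idea about (hypothetical field names).
EXPECTED_DETAIL = ("ram_speed_mhz", "ram_serial", "l2_cache_kb", "cpu_max_mhz")

def audit_inventory(inv):
    """Return (field, reason) findings for one reported hardware inventory."""
    findings = []
    for field, value in inv.items():
        text = str(value).strip().lower()
        hit = next((m for m in HYPERVISOR_MARKERS if m in text), None)
        if hit:
            findings.append((field, f"hypervisor string '{hit}'"))
        elif text in PLACEHOLDERS:
            findings.append((field, "empty or placeholder value"))
    for field in EXPECTED_DETAIL:
        if field not in inv:
            findings.append((field, "detail not reported at all"))
    return findings

def shared_profiles(hosts, min_hosts=3):
    """Hardware profiles reported identically by at least min_hosts machines."""
    counts = Counter(tuple(sorted(inv.items())) for inv in hosts.values())
    return [dict(profile) for profile, n in counts.items() if n >= min_hosts]

# Constructed sample inventories (not real query output).
GUEST = {
    "system_manufacturer": "Microsoft Corporation",
    "system_model": "Virtual Machine",
    "board_model": "Virtual Machine",
    "ram_speed_mhz": "Unknown",
    "l2_cache_kb": "",
}
PHYSICAL = {
    "system_manufacturer": "Example Systems", "system_model": "EX-1000",
    "board_model": "EXB-77", "ram_speed_mhz": "533", "ram_serial": "0A1B2C3D",
    "l2_cache_kb": "2048", "cpu_max_mhz": "3200",
}

if __name__ == "__main__":
    for field, reason in audit_inventory(GUEST):
        print(f"{field}: {reason}")
```
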

