Information Security News mailing list archives

Hackers Use Virtual Machine Detection To Foil Researchers
From: InfoSec News <alerts () infosecnews org>
Date: Tue, 21 Nov 2006 00:49:42 -0600 (CST)

http://www.informationweek.com/software/showArticle.jhtml?articleID=194500277

By Gregg Keizer
InformationWeek
Nov 20, 2006

Hackers are adding virtual machine detection to their worms and Trojans 
to stymie analysis by anti-virus labs, a security researcher said Sunday.

The tactic is designed to thwart researchers who use virtualization 
software, notably that made by VMware, to quickly and safely test the 
impact of malicious code. Researchers will often run malware in a 
virtual machine to protect the system's actual operating system from 
infection; virtualization software also lets analysts test malware 
against multiple operating systems on a single computer.

"Three out of 12 malware specimens recently captured in our honeypot 
refused to run in VMware," said Lenny Zeltser, an analyst at SANS 
Institute's Internet Storm Center (ISC) in an online note Sunday.

Malware writers use a variety of techniques to detect virtualization, 
including sniffing out the presence of VMware-specific processes and 
hardware characteristics, said Zeltser. "More reliable techniques rely 
on assembly-level code that behaves differently on a virtual machine 
than on a physical host," he added.
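
The article says specimens look for VMware-specific processes and hardware 
characteristics. The script below is an added example, not code from the 
article or the ISC note: it is a self-audit an analyst can run inside a 
lab VM to see which of those artifacts the guest exposes before a specimen 
is executed. The process names, MAC OUIs and "VMware" hardware strings it 
matches are well-known VMware identifiers but are assumed here as an 
illustrative, not exhaustive, list; the sample inventories are constructed.

```python
"""Audit a malware-analysis guest for VMware artifacts (added example).

Checks the two artifact classes the article names: VMware-specific
processes and hardware characteristics (NIC OUI, DMI vendor strings).
The identifier lists are assumed and illustrative, not exhaustive.
"""
import re
from pathlib import Path

# Well-known VMware identifiers (assumed list; illustrative only)
VMWARE_PROCESSES = {
    "vmtoolsd", "vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe",
    "vmwareservice.exe", "vmacthlp.exe",
}
VMWARE_MAC_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}
VMWARE_STRING = re.compile(r"vmware", re.IGNORECASE)


def normalize_mac(mac: str) -> str:
    """Lower-case a MAC address and accept ':' or '-' separators."""
    return mac.strip().lower().replace("-", ":")


def audit_vm_artifacts(process_names, mac_addresses, hardware_strings):
    """Return {category: [matching values]} for each artifact class."""
    findings = {"processes": [], "mac_ouis": [], "hardware": []}
    for name in process_names:
        if name.strip().lower() in VMWARE_PROCESSES:
            findings["processes"].append(name)
    for mac in mac_addresses:
        if normalize_mac(mac)[:8] in VMWARE_MAC_OUIS:
            findings["mac_ouis"].append(mac)
    for text in hardware_strings:
        if VMWARE_STRING.search(text):
            findings["hardware"].append(text)
    return findings


def is_exposed(findings) -> bool:
    """True if any artifact class would give the guest away."""
    return any(findings.values())


def collect_linux_inventory():
    """Best-effort live inventory on a Linux guest via procfs/sysfs.
    Returns empty lists on other platforms so the script still runs."""
    procs, macs, hw = [], [], []
    for comm in Path("/proc").glob("[0-9]*/comm"):
        try:
            procs.append(comm.read_text().strip())
        except OSError:
            continue
    for addr in Path("/sys/class/net").glob("*/address"):
        try:
            macs.append(addr.read_text().strip())
        except OSError:
            continue
    for key in ("sys_vendor", "product_name", "board_vendor"):
        try:
            hw.append(Path("/sys/class/dmi/id", key).read_text().strip())
        except OSError:
            continue
    return procs, macs, hw


# Constructed sample inventories (not captured from real systems)
SAMPLE_VMWARE_GUEST = (
    ["explorer.exe", "svchost.exe", "vmtoolsd.exe", "VMwareTray.exe"],
    ["00:0C:29:3A:B2:1F"],
    ["VMware, Inc.", "VMware Virtual Platform"],
)
SAMPLE_PHYSICAL_HOST = (
    ["explorer.exe", "svchost.exe"],
    ["3C-97-0E-12-34-56"],
    ["Dell Inc.", "OptiPlex 7010"],
)

if __name__ == "__main__":
    cases = (
        ("constructed VMware guest", SAMPLE_VMWARE_GUEST),
        ("constructed physical host", SAMPLE_PHYSICAL_HOST),
        ("this machine (Linux only)", collect_linux_inventory()),
    )
    for label, inventory in cases:
        found = audit_vm_artifacts(*inventory)
        print(f"{label}: exposed={is_exposed(found)} {found}")
```

Each non-empty category in the result is an artifact the analyst would 
need to rename, spoof or remove from the guest before it stops revealing 
the virtual environment; an empty result only means none of the listed 
identifiers were present, not that assembly-level checks would also fail.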

Researchers can fight back, Zeltser said, by patching the malicious code 
so that the virtual machine routine(s) never executes, or by modifying 
the virtual machine to make it more difficult for malware to detect that 
it's running in a virtual environment.

Two other ISC researchers, Tom Liston and Ed Skoudis, spelled out 
anti-detection techniques at a recent SANS conference. The paper can be 
downloaded from the ISC site as a PDF file [1].

[1] http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf


_________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 

