malware analysis and defeating using virtual machines

1

THE DETECTION AND DEFEATING OF MALWARE IN POPULAR VIRTUAL MACHINES

2Objective

To study the VM detection techniques in popular Virtual machines.

Develop strategy to counter the detection. Prevent analysis aware malwares from

detecting VM.

3Plan of Action Introduction VM detection techniques Detection techniques in VMware, VirtualBox and

VirtualPC. Related Work Prevent Analysis aware malwares from detecting VM. VMDetectGuard – Tool to mask VM detection :

Windows Optimization of VMDetectGuard Results

4

Introduction

5Malware Malware: It is a collective term for

any malicious software which enters the system without the authorization of the user of the system.

Anti-virus/anti-malware products do not guarantee complete protection.

6Present Scenario

Security researchers use malware analysis tools to build defenses against the unknown malware forms.

They then build patches for the newly discovered vulnerabilities and exploits.

Virtualization has emerged as a very promising technology.

Malware analyst use Virtual Machine Environment (VME), debuggers and sandboxes in their analysis work.

7VirtualizationA software based representation of a

computer that executes programs in the same way as a real computer.

Examples, VMware, Virtual PC, VirtualBox.Advantages

Reduced capital and operational costs through more efficient use of hardware resources.

Simplifies maintenance . Improves scalability and deployment agility. Improves reliability.

8Benefits of Virtualization to Security Researchers

Researchers can intrepidly execute potential malware samples without having their systems affected.

If a malware destabilizes the OS, analyst just needs to load in a fresh image on a VM.

Reduces time and cost. Increases productivity.

9Analysis Awareness Functionality

Malware developers have added a new functionality to malware.

Detect the presence of analysis tools such as VMs, debuggers and sandboxes.

Hide their malicious behavior on detection. Analysis Aware / Split Personality malware.

10Related Work

Carpenter (Carpenter et al., 2007) proposes two mitigation techniques.

They aim at tricking the malware by1. Changing the configuration settings of the .vmx

file present on the host system and,2. Altering the magic value to break the guest-host

communication channel.

11Drawbacks of the First

Approach The configuration options break the

communication channel between guest and host not just for the program trying to detect the VM, but for all the programs.

Moreover the authors claim that these are undocumented features and that they are not aware of any side effects.

12Related Work

The work by Guizani (Guizani et al., 2009) provides an effective solution for Server-Side Dynamic Code Analysis.

Small part of the solution deals with tricking the Split Personality malware that employ Memory Detection and VM Communication Channel Detection techniques.

13Related Work

Kalpa Vishnani et. al. 2011: Masks all the detection techniques used in Vmware.

14Related Work

Other works concentrate Detecting this category of malwares Running in host machine

Save the current state quickly restore to previous state

Virtual machines in the order of market share VMware, Virtual PC, and Virtual Box.

15VM Detection

Techniques Hardware fingerprinting Registry Check Process and File Check Memory Check Timing Analysis Communication Channel Check Invalid Instruction Check

16Hardware

Fingerprinting Involves looking for specific virtualized

hardware. VMs give an abstracted view of many hardware

components. Querying for such components reveals VM

presence. For Example: BIOS, Motherboard, SCSI

Controllers, USB Controllers, etc.

17

Hardware Fingerprinting Results

18Registry Check

The registry entries contain hundreds of references to the string containing the name of the VM, Ex. “Vmware”, VirtualPC and VirtualBox.

Checking the registry values for certain keys clearly reveals the VM presence.

19Registry Check

For Example:

HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port1\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier

VMware, VMware Virtual S1.0 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc

VMware SCSI Controller HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName

VMware, Inc.

20Process and File

Check Check - VM specific processes and files

presence

Eg. VBoxService.exe : In VirtualBox for

synchronization with host

drivers like “vboxhook.dll” and “vpcbus” driver present in %SYSDIR%/drivers

21Memory Check

This involves looking for values of critical operating system data structures.

These data structures are relocated on a virtual machine so that they do not conflict with the host system's copies.

Store Interrupt Descriptor Table (SIDT), Store Local Descriptor Table( SLDT), Store Global Descriptor Table (SGDT), Store Task Register (STR), Store Machine Status Word (SMSW)

Redpill.exe, ScoopyNG.exe use this method.

22Timing Analysis

Obvious yet rare attack. Involves looking at a local Time Stamp Counter

(TSC) value. By noting down the time difference VM

presence is detected.

23VM Communication

Channel Check This check involves detecting the presence of a

host-guest communication channel. IN instruction and a magic number ‘VMXh’ VmDetect.exe uses this check. Not applicable to VirtualPC and VirtualBox. Runs in VMware without exception.

24Invalid Opcode Check

Specific to VirtualPC

Uses certain opcodes for guest host communication

In host system raise exception and no exception in VirtualPC.

25

Vmware Detection hardware details

motherboard serial number, graphics card and network adapter captions

Windows Management Instrumentation (WMI) contains classes hardware, display, registry etc.

Check for VM specific strings

HARDWARE FINGERPRINTING

26Registry Check

Windows Registry stores configuration settings low-level operating system components Applications running

Check for Strings like “VirtualPC”, “VBOX”, “VirtualBox” value that is specific to the corresponding virtual

machine being testing on.

27Process and File Check

Check - VM specific processes and files presence

Eg. VBoxService.exe : In VirtualBox for

synchronization with host

drivers like “vboxhook.dll” and “vpcbus” driver present in %SYSDIR%/drivers

28Memory Check

involves looking at the values of specific memory locations

STR (Store Task Register) stores the selector segment of the TR register

(Task Register) in the specified operand (memory or other general purpose register).

Value specific in Virtual Machine

29Invalid Opcode Check

Specific to VirtualPC

Uses certain opcodes for guest host communication

In host system raise exception.

30Detection of VM

running Linux Techniques: (tested on Vmware)

Hardware Fingerprinting

Dmesg check - prints the message buffer of the kernel

/proc file system check - interface to internal data structures in the kernel.

Communication channel check

31Dmesg and /proc file

system check Dmesg - prints the message buffer of the kernel

Shows diagnostic message showing presence of hardware during boot contain strings like “VMware”,

/proc file system - an interface to internal data structures in the kernel Contains system dependent information

32Communication

Channel Check IN instruction

Raises exception ““EXCEPTION PRIV INSTRUCTION” in host

Runs in VMware without exception initiates guest to host communication by

calling the “IN” instruction.

33VMwareDetect

Is the proof of concept tool. It employs the various VM detection techniques

to detect the presence of VMware virtual machine. Memory Check VM Communication Channel Check Hardware Fingerprinting Registry Check Timing Analysis

34

VMwareDetect

35

VirtualMachineDetect - VirtualPC Check using all the methods

In VirtualPC In Native Machine Hardware Fingerprinting BIOS American Megatrenda L900781

Graphics Card Virtual PC Integration Components S3 Trio32/64

NVDIA GeForce 310

Baseboard Manufacturer Microsoft co-orporation LENOVO

System Name VIRTUALXP User-think USB Controller USB Virtualisation Bus Driver Intel® 5 Series /3400 …

Registry Check SCSI: HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0

Virtual HD Hitachi HDS721050CLA362

Control class for usb : SYSTEM\\ControlSet001\\Control\\Class\\{36FC9E60-C465-11CF-8056-444553540000}\\0000

USB Virtualisation Bus Driver Intel® 5 Series /3400 …

Control class for graphics: SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000

Virtual PC Integration Components S3 Trio32/64

NVDIA GeForce 310

Controlset for cd/dvd drive: SYSTEM\\CurrentControlSet\\Enum\\IDE

Disk Virtual_HD____1._1__ Registry not found

Invalid Opcode Did not raise exception Raised exception File Check Vpcubus Driver (Virtual USB Bus Driver) Present Not Present

Vpcgbus Driver (Virtual PC Guest Bus Driver) Present Not Present

Vpcuhub Driver (Virtual USB Hub Driver) Present Not Present

36

VirtualMachineDetect - VirtualBox Virtual Box running windows Host Windows Machine

Hardware Fingerprinting

BIOS 0 L900781

Graphics Card Virtual Box Graphics Adapter NVDIA GeForce 310

N/W adapter AMD PCNET Family PCI Ethernet Adapter WAN Miniport(SSTP) …

Processor Null CPU1

USB Controller Std Open HCD USB Host Controller Intel® 5 Series /3400 …

Registry Check

Dsdt: : HARDWARE\\ACPI\\DSDT VBOX__ Registry not present

Scsi P0 : HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus

0\\Target Id 0\\Logical Unit Id 0

VBOX HARDDISK Hitachi HDS721050CLA362

Scsi P1: HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\

Target Id 0\\Logical Unit Id 0

VBOX CD-ROM Null

Vedio Bios Version: HARDWARE\\DESCRIPTION\\System\

VideoBiosVersion

Oracle VM VirtualBox Version 4.1.2 VGA Bios Version 70.18.3E.00.05

System Bios Version: HARDWARE\\DESCRIPTION\\System\

SystemBiosVersion

VBOX-1 LENOVO-133

Instruction Check

STR (store task register) 28 0 40 00

File Check

VBOXHook.exe Present Not Present

VBOXTray Present Not Present

VBOXService.exe Present Not Present

37

Virtual Machine Detect

In VB

38Remote Detection

Scenario There is access to the terminal of a system

need not be administrator access

WMIC ( Windows management instrumentation command line) is used

39Masking Detection of

VM Using PIN API provided by Pin tool.

Can get all the instructions, the arguments and return value

Steps followed for masking Get each call made by binary. Check if matches a predefined list of calls. E.g.

RegEnumValueA Str LoadLibraryA __emit

40Masking Detection of

VM Provide false values if

VM specific values are read (matched from predefined list)

Eg. Registry read returns the value “VBOX” Pin Tool gets the return value and modifies it

in runtime. Registry read function returns modified value

41Masking Detection of

VM Binary does not detect – manipulated value

received.

This currently supports 64 and 32 bit OS 64 and 32 bit applications

42

Masking Detection of VMLoad Binary Detect if the binary

is 64 or 32 bit.Display the detection and give option to user to change it.

Detect the OS as 64/32 bit.

Detect the Underlying VM

Virtual PC VirtualBox

Register Check maskingInvalid Opcode Check Masking

File Check Masking

File Check Masking

Register Check Masking

Instruction Check Masking

Feedback

Save to db for further analysis

Execution of loaded binary completed

43Our Approach

44Our Approach

STEP 1: Maintain a list of all the hardware as well as registry querying API calls. Also maintain a list of all the VM specific instructions such as SIDT, SLDT, SGDT, STR, IN.

45Our Approach

Following is a partial list of API calls to be monitored. Hardware Querying APIs

SetupDiEnumDeviceInfo SetupDiGetDeviceInstanceId SetupDiGetDeviceRegistryProperty

Registry Querying APIs RegEnumKey RegEnumValue RegOpenKey RegQueryInfoKeyValue RegQueryMultipleValues RegQueryValue

46Our Approach

Step 2:Perform dynamic binary instrumentation of the sample under test in order to obtain its low level information as well as to intercept all the API calls made by it.

We hook into the sample under test by means of .dll injection.

This is achieved using the pin framework.

47Our Approach

Step3:Check to see if the sample under test makes a call or executes any of the monitored API calls or instructions respectively. If a match is found, set the OUTPUT to “Split Personality Malware Detected”. Also, log the activity and provide fake values to the sample so as to make it feel that it is running on a host system.

48Implementation

Designed, implemented and tested VMDetectGuard.

Implemented in the framework provided by the Pin tool released by Intel Corporation.

Pin is a tool for the instrumentation of programs.

We made use of its framework to intercept the various API calls and low level instructions executed by the sample under test.

49

COUNTERING HARDWARE FINGERPRINTING

Hardware emulation. APIs that query for BIOS, Motherboard, Processor,

Network Adapter. Ex. VM returns a value “none” for motherboard serial

number. VMDetectGuard returns a more appropriate string such as “.16LV3BS.CN70166983G1XF” instead.

50Countering Registry

Check VMDetectGuard monitors registry querying APIs such as the following: RegEnumKey RegEnumValue RegOpenKey RegQueryInfoKeyValue RegQueryMultipleValues RegQueryValue

If the output contains the string "VMware", our tool replaces this string with a more appropriate value that would have been returned on a non virtual system.

51

COUNTERING MEMORY CHECK

SIDT, SLDT, and SGDT and STR instructions are monitored.

The values of the target registers are then changed appropriately with the values that would have been obtained on a host OS.

52COUNTERING MEMORY

CHECK

53

COUNTERING VM COMMUNICATION CHANNEL CHECK

Monitor execution of the IN instruction. We change the value of the magic number . This leads to generation of “EXCEPTION PRIV

INSTRUCTION” exception.

54

COUNTERING TIMING ANALYSIS

Instructions such as CPUID and RDTSC (Read Time Stamp Counter) are monitored.

The tool maintains a log of each type of instruction executed.

If the threshold value for a particular type of instruction is exceeded, it logs this activity too.

Sample is tricked by deleting the CPUID instruction and modifying the values of ebx, ecx, and edx.

55VMDetectGuard

VMDetectGuard is our solution tool to counter Split Personality Malware.

VMDetectGuard runs in two different modes. VM Guard Mode Non VM Guard Mode

56VMDetectGuard

Output Generated by VMDetectGuard Result: Split Personality malware detected/not

detected. VM Specific Log Instruction Trace System Call Trace Registry Trace Opcode Mix Instruction Count Diff Tool Feature

57VMDetectGuard

58

Results & Analysis

59Redpill

Red Pill is a very well known VM detection tool by Rutkowska J.

Runs a single machine language instruction SIDT and analyses its result.

60

61

ScoopyNG

ScoopyNG is a very well known tool for VM detection developed by Klein T.

More reliable tool for VM detection in comparison to Red Pill.

It performs the following checks SIDT check SLDT check SGDT check STR check IN check (VMware communication channel)

62

63VmDetect

This is another well known proof of concept VM detecting sample that makes use of the VMware communication channel to detect VMware Presence.

64

65Backdoor.Win32.SdBot

.fmn Captured this malware from the

internet. Employs Memory check and Timing

Analysis mechanisms . In the absence of VMDetectGuard:

“This application cannot run under a Virtual Machine.”

In the presence of VMDetectGuard, it behaved malicious.

66

67

68VMDetectGuard

Running VMDetect in VirtualPCRunning VMDetect under masking tool

69VMDetectGuard

Running DetectionChecks in VirtualBox

Running DetectionChecks under masking tool

70Optimization

Before (sec) After (sec) % decrease in time taken

VirtualBox 167.310 112.411 32.08%

VirtualPC 294.786 205.953 30.13%

VMware 418.642 299.158 28.54%

Running Firefox binary under masking tool, in all the three virtual machines.

71

Results

Tested VMDetectGuard Malwares captured from internet Proof of concept tools

The results obtained after testing is given in table.

72

ResultsBinary Detection Technique Used Run without tool Run under tool

Virtual BoxVBDetect: calls others binaries for individual checks within.

Registry Check File and Process Check Instruction Check

Detected VirtualBox Did not detect VirtualBox

Rebhip File and Process Check Runs benignly Runs maliciously

VirtualPCVPCDetect: calls others binaries for individual checks within.

Registry Check File and Process Check Invalid Opcode Check

Detected VirtualPC Did not detect VirtualPC

Backdoor.Win32.SdBot.fmn File and Process Check Invalid Opcode Check

Displays a message, “This application cannot run under a Virtual Machine

Ran maliciously

VMDetect Invalid Opcode Check Detects VirtualPC Does not detect VirtualPC

Trojen.Karsh-252 Invalid Opcode Check Displays a message, “This application cannot run under a Virtual Machine

Ran Maliciously

73Conclusion

Split Personality malware is on a gradual rise.

Lack of academic research in this field.There does not exist any full-fledged

tool to counter Split Personality Malware.

We have designed, implemented and tested VMwareDetect, a proof of concept tool that detects the presence of Vmware.

74Conclusion

We also successfully designed and implemented VMDetectGuard, a tool to counter Split Personality malware.

It detects as well as tricks the split personality binaries.

Leads to the effective analysis of malware in the virtualized environment.

Increases productivity.