Emulate Virtual Machines to Avoid Malware Infections - GrrCON 2014
DESCRIPTION
A large amount of current malware uses various anti-virtual-machine techniques in order to avoid detection by analysis. These techniques allow the malware to detect the virtual machine, after which it executes a benign action or simply does nothing. Many of these techniques are based on finding specific files in the system or consulting some Windows registry keys. The purpose of this research is to study the characteristics of the Oracle VirtualBox virtualized system and try to replicate its configuration on a physical computer, in order to trick malware into thinking it is in a virtual environment and thus not triggering its execution.
TRANSCRIPT
Emulate VM environment to avoid malware infections
Jordi Vazquez
GrrCON Hacker Conference | 16-17 Oct, 2014
Who am I?
Agenda
1. Introduction / Motivation
2. Previous concepts
3. Virtual machine Detection
4. How malware detects VMs
5. Virtual machine emulation
6. Experimental results
7. Conclusions
1. Introduction
Introduction
Source: http://research.dissect.pe/docs/blackhat2012-presentation.pdf
Introduction
If malware tries to avoid virtual machines…
Why not try to emulate these environments to avoid infections?
Introduction
The purposes
• Study the characteristics of VirtualBox: specific drivers, registry keys, processes and VirtualBox Guest Additions files
• Know how the malware detects a virtual machine
• Try to replicate these configurations on a physical computer
2. Previous Concepts
Previous Concepts
What is a Virtual Machine?
Previous Concepts
What is Cuckoo Sandbox?
• Automated malware analysis tool
• Open Source Project
• Written in Python
• Extensible
• Reporting system (memory dumps, registry access, API calls, screenshots, network activity)
Previous Concepts
What is Cuckoo Sandbox? (How it works)
3. Virtual Machine Detection
Virtual Machine Detection
Why?
Malware researchers increasingly use virtual machine technology to analyze samples, since it offers many benefits:
• Multiple operating systems
• Ability to reset to a previous snapshot, undoing changes made by malware
• Easily monitored
• Isolation

Typical methods to detect a VME (virtual machine environment)
1. Look for VME artifacts in processes, file system and registry
2. Look for VME specific virtual hardware
3. Look for VME specific processor capabilities
Virtual Machine Detection - VMWare
Artifacts in processes, system files and registry
• VMWare tools
• Some references in system files to “VMWare”
• Some references in the registry to “VMWare”
• Some drivers: vmmouse.sys, vmhgfs.sys
Virtual Machine Detection - Virtual Box
Virtual Machine Detection - Virtual Box
Specific files with VirtualBox Guest Additions
System32
• VBoxDisp.dll
• VBoxHook.dll
• VBoxMRXNP.dll
• VBoxOGLarrayspu.dll
• VBoxOGLerrorspu.dll
• VBoxOGLcrutil.dll
• VBoxOGLfeedbackspu.dll
• VBoxOGLpackspu.dll
• VBoxoglpassthroughspu.dll
• VBoxTray.exe
• VBoxService.exe
• VBoxControl.exe

Guest Additions Folder
• VBoxDisp.dll
• VBoxDrvInst.exe
• VBoxVideo.inf
• VBoxVideo.sys
• VBoxControl.exe
• VBoxGuest.sys
• VBoxGuest.inf
• VBoxMouse.sys
• VBoxMouse.inf
• VBoxTray.exe
• VBoxWHQLFake.exe
• DIFxAPI.dll

System32\Drivers
• VBoxMouse.sys
• VBoxGuest.sys
• VBoxSF.sys
• VBoxVideo.sys
Virtual Machine Detection - Virtual Box
Specific files and processes with VirtualBox Guest Additions Installed
DRVSTORE\VBoxGuest_ED40339D75DAC80DECCD6CCCDB8E202724F5321D
• VBoxControl.exe
• VBoxGuest.cat
• VBoxGuest.inf
• VBoxGuest.sys
• VBoxTray.exe

DRVSTORE\VBOXVideo_5C9060E472F2B1E3E9D5353B27AF6B8DABF99D47
• VBoxDisp.dll
• VBoxVideo.inf
• VBoxVideo.sys
• VBoxVideo.cat

Processes
• VboxService.exe
Virtual Machine Detection - Virtual Box
Specific registry keys
Folder / Key / Type / Value

HKLM\Software\Oracle\VirtualBox Guest Additions
  InstallDir   REG_SZ   Guest Additions folder
  Revision     REG_SZ   Revision number
  Version      REG_SZ   Version number
  VersionExt   REG_SZ   Version number
HKLM\Hardware\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
  Identifier   REG_SZ   VBOX HARDDISK
HKLM\Hardware\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 1\Logical Unit Id 0
  Identifier   REG_SZ   VBOX CD-ROM
HKLM\Hardware\DESCRIPTION\System
  SystemBiosVersion   REG_MULTI_SZ   VBOX -1
  VideoBiosVersion    REG_MULTI_SZ   Oracle VM VirtualBox Version (version number)
HKLM\Hardware\Acpi\DSDT\VBOX__\VBOXBIOS\00000002
  00000000   REG_BINARY   DSDT......VBOX VBOXBIOS....INTL
Virtual Machine Detection - Virtual Box
Specific registry keys
Folder / Key / Type / Value

HKLM\System\CurrentControlSet\Services\Disk\Enum
  0   REG_SZ   IDE\DiskVBOX_HARDDISK___________________________1.0_____\42566264366366323661362d3265623939632031
HKLM\System\CurrentControlSet\Services\VBoxGuest
  DisplayName   REG_SZ          VirtualBox Guest Driver
  ImagePath     REG_EXPAND_SZ   system32\DRIVERS\VBoxGuest.sys
HKLM\System\CurrentControlSet\Services\VBoxGuest\Enum
  0   REG_SZ   PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00\3&267a616a&0&20
HKLM\System\CurrentControlSet\Services\VBoxMouse
  DisplayName   REG_SZ          VirtualBox Guest Mouse Service
  ImagePath     REG_EXPAND_SZ   system32\DRIVERS\VBoxMouse.sys
HKLM\System\CurrentControlSet\Services\VBoxMouse\Enum
  0   REG_SZ   ACPI\PNP0F03\4&1d401fb5&0

*These keys are in the ControlSet001, ControlSet002 and CurrentControlSet folders
Virtual Machine Detection - Virtual Box
Specific registry keys
Folder / Key / Type / Value

HKLM\System\CurrentControlSet\Enum\Ide\DiskVBOX_HARDDISK\4256636463663
  FriendlyName   REG_SZ   VBOX HARDDISK
HKLM\System\CurrentControlSet\Enum\Ide\DiskVBOX_HARDDISK\9257936463871
  FriendlyName   REG_SZ   VBOX CD-ROM
HKLM\System\CurrentControlSet\Services\VBoxService
  DisplayName   REG_SZ          VirtualBox Guest Aditions Service
  ImagePath     REG_EXPAND_SZ   system32\VBoxService.exe
  Description   REG_SZ          Manages VM runtime information and utilities for guest operating systems.
  ObjectName    REG_SZ          LocalSystem
HKLM\System\CurrentControlSet\Services\VBoxService\Enum
  0   REG_SZ   Root\LEGACY_VBOXSERVICE\0000
HKLM\System\CurrentControlSet\Services\VBoxSF
  DisplayName   REG_SZ          VirtualBox Shared Folders
  ImagePath     REG_EXPAND_SZ   system32\DRIVERS\VBoxSF.sys
Virtual Machine Detection - Virtual Box
Specific registry keys
Folder / Key / Type / Value

HKLM\System\CurrentControlSet\Services\VBoxSF\Enum
  0   REG_SZ   Root\LEGACY_VBOXSF\0000
HKLM\System\CurrentControlSet\Services\VBoxSF\NetworkProvider
  DeviceName     REG_SZ   \Device\VboxMinRdr
  Name           REG_SZ   VirtualBox Shared Folder
  ProviderPath   REG_SZ   %Systemroot%\System32\VBoxMRXNP.dll
HKLM\System\CurrentControlSet\Services\VBoxVideo
  ImagePath   REG_EXPAND_SZ   system32\DRIVERS\VBoxVideo.sys
HKLM\System\CurrentControlSet\Services\VBoxVideo\Device0
  InstalledDisplayDrivers   REG_MULTI_SZ   VBoxDisp
HKLM\System\CurrentControlSet\Services\VBoxVideo\Enum
  0   REG_SZ   PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00\3&267a616a&0&10
HKLM\System\CurrentControlSet\Services\VBoxVideo\Video
  Service   REG_SZ   Vbox Video
Virtual Machine Detection - Virtual Box
Specific registry keys
Virtual Machine Detection - Virtual Box
Example
Source: http://pastebin.com/RU6A2UuB
Virtual Machine Detection - Virtual Box
Example
Source: http://pastebin.com/RU6A2UuB
Virtual Machine Detection - Virtual Box
<Demo>
Themida
Virtual Machine Detection - Virtual Box
Themida
<Demo>
Virtual Machine Detection - Virtual Box
Pafish
Virtual Machine Detection - Virtual Box
Physical Machine
Virtual Machine
4. How malware detects Virtual Machines
How malware detects Virtual Machines - Trojan-spy.win32.Carberp
Source: http://github.com/hzeroo/Carberp/blob/master/source - absource/pro/all source/BlackJoeWhiteJoe/Source
How malware detects Virtual Machines - Trojan-Dropper.Win32.Agent.dvyh
Technical Details about Trojan-Dropper.Win32.Agent.dvyh: https://www.securelist.com/en/descriptions/17168948/Trojan-Dropper.Win32.Agent.dvyh
How malware detects Virtual Machines - Net-Worm.Win32.Kolab.wwh
Technical Details about Net-Worm.Win32.Kolab.wwh: http://www.securelist.com/en/descriptions/10113051/Net-Worm.Win32.Kolab.wwh
5. Virtual Machine emulation
Conclusions
Main findings and future lines of research

Main findings
• It’s possible to simulate a virtual machine with a python script.
• We can avoid infections by unknown malware.

Future lines of research
• Investigate more VM solutions and sandboxes (VMWare, Sandboxie…).
• Try the script with more malware samples.
• Investigate possible side-effects in a real environment.
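The file and registry artifacts listed in section 3 and the conclusion that a Python script can make a physical machine pass for a VirtualBox guest are combined in the following added example. It is not the speaker's script (the slides do not include it): the artifact list is copied from the slides, while the function names, the FakeHost and WindowsHost backends, the placeholder InstallDir path and the values of the constructed "physical host" sample are assumptions made for this example. find_artifacts reports which markers a host exposes, which is both what an artifact-based VM check does and a way to audit whether a host already looks like a VM; plant_artifacts creates them, which is the emulation idea of the talk.

```python
"""Audit a host for the VirtualBox Guest Additions artifacts listed on the slides,
or plant them so a physical machine presents as a VirtualBox guest. Both run
against a pluggable host object, so the logic can be exercised offline (FakeHost)."""
import os
import sys

# Registry artifacts from the slides: (key under HKLM, value name, type, data).
# The InstallDir path is a placeholder (the slides give only a description).
REGISTRY_ARTIFACTS = [
    (r"SOFTWARE\Oracle\VirtualBox Guest Additions", "InstallDir", "REG_SZ",
     r"C:\Program Files\Oracle\VirtualBox Guest Additions"),  # placeholder
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "Identifier", "REG_SZ", "VBOX HARDDISK"),
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion", "REG_MULTI_SZ", "VBOX -1"),
    (r"SYSTEM\CurrentControlSet\Services\VBoxGuest", "DisplayName", "REG_SZ",
     "VirtualBox Guest Driver"),
    (r"SYSTEM\CurrentControlSet\Services\VBoxMouse", "ImagePath", "REG_EXPAND_SZ",
     r"system32\DRIVERS\VBoxMouse.sys"),
    (r"SYSTEM\CurrentControlSet\Services\VBoxSF", "DisplayName", "REG_SZ",
     "VirtualBox Shared Folders"),
]
# File artifacts from the slides (System32 and System32\Drivers columns).
SYSTEM32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
FILE_ARTIFACTS = [os.path.join(SYSTEM32, "Drivers", n) for n in
                  ("VBoxMouse.sys", "VBoxGuest.sys", "VBoxSF.sys", "VBoxVideo.sys")]
FILE_ARTIFACTS += [os.path.join(SYSTEM32, n) for n in
                   ("VBoxService.exe", "VBoxTray.exe", "VBoxControl.exe")]

def find_artifacts(host):
    """Artifacts present on host, as ('registry', key, name) or ('file', path) tuples."""
    found = []
    for key, name, _typ, _data in REGISTRY_ARTIFACTS:
        data = host.read_value(key, name)
        # A value counts only if it carries the VirtualBox marker, not merely if it exists.
        if data is not None and ("vbox" in data.lower() or "virtualbox" in data.lower()):
            found.append(("registry", key, name))
    for path in FILE_ARTIFACTS:
        if host.file_exists(path):
            found.append(("file", path))
    return found

def plant_artifacts(host):
    """Create every listed artifact on host (the talk's emulation idea); returns the count."""
    for key, name, typ, data in REGISTRY_ARTIFACTS:
        host.write_value(key, name, typ, data)
    for path in FILE_ARTIFACTS:
        host.create_file(path)
    return len(REGISTRY_ARTIFACTS) + len(FILE_ARTIFACTS)

class FakeHost:
    """In-memory registry and file system, for running the logic off Windows."""
    def __init__(self):
        self.reg, self.files = {}, set()
    def read_value(self, key, name):
        return self.reg.get((key.lower(), name.lower()))
    def write_value(self, key, name, typ, data):
        self.reg[(key.lower(), name.lower())] = data
    def file_exists(self, path):
        return path.lower() in self.files
    def create_file(self, path):
        self.files.add(path.lower())

class WindowsHost:
    """Real backend through winreg (Windows only); writing needs an elevated prompt."""
    def read_value(self, key, name):
        import winreg
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                data, _ = winreg.QueryValueEx(h, name)
        except OSError:
            return None  # key or value absent
        return " ".join(data) if isinstance(data, list) else str(data)  # REG_MULTI_SZ is a list
    def write_value(self, key, name, typ, data):
        import winreg
        payload = [data] if typ == "REG_MULTI_SZ" else data
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, key, 0, winreg.KEY_SET_VALUE) as h:
            winreg.SetValueEx(h, name, 0, getattr(winreg, typ), payload)
    def file_exists(self, path):
        return os.path.exists(path)
    def create_file(self, path):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "ab").close()  # empty file: the checks only test for presence

def physical_host_sample():
    """Constructed sample: a physical machine carrying none of the VirtualBox markers."""
    h = FakeHost()
    h.write_value(r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion", "REG_MULTI_SZ", "EXAMPLEOEM - 1")
    h.write_value(REGISTRY_ARTIFACTS[1][0], "Identifier", "REG_SZ", "EXAMPLE SSD 512GB")
    return h

if __name__ == "__main__":
    host = WindowsHost() if sys.platform == "win32" else physical_host_sample()
    print("artifacts found:", find_artifacts(host))
    if "--plant" in sys.argv:  # on Windows this writes the real registry and System32
        print("planted", plant_artifacts(host), "artifacts; now found:", len(find_artifacts(host)))
```

Run without arguments, the script audits the current host (the real registry on Windows, the constructed in-memory sample elsewhere) and reports which markers are present; with --plant it creates them, which on Windows needs an elevated prompt and has exactly the side effects on a real environment that the future-work list says still need investigating, so it belongs on a test machine first.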