emulate virtual machines to avoid malware infections - grrcon 2014

Emulate VM environment to avoid malware infections

Jordi Vazquez

2 GrrCON Hacker Conference | 16-17 Oct, 2014Page |

10

Who am I?

GrrCON Hacker Conference | 16-17 Oct, 2014Page |

11

1. Introduction / Motivation

2. Previous concepts

3. Virtual machine Detection

4. How malware detects VMs

5. Virtual machine emulation

6. Experimental results

7. Conclusions

Agenda


12

1. Introduction


13

Introduction

Source: http://research.dissect.pe/docs/blackhat2012-presentation.pdf


http://research.dissect.pe/docs/blackhat2012-presentation.pdf

14

Introduction

If malware tries to avoid Virtual machines… !

Why not try to emulate these environments to avoid infections?


15

Introduction

Study the characteristics of VirtualBox Specific drivers Registry keys Processes VirtualBox Guest Additions Files !

Know how the malware detects a virtual machine !Try to replicate these configurations on a physical computer

The purposes


16

2. Previous Concepts


17

Previous Concepts


What is Virtual Machine?

18

Previous Concepts


What is Cuckoo Sandbox?

Automated malware analysis tool Open Source ProjectWritten in PythonExtensibleReporting system (memory dumps, registry access, API calls, screenshots, network activity)

19

Previous Concepts


What is Cuckoo Sandbox? (How It works)

20

3. Virtual Machine Detection


21

Virtual Machine Detection


Why? !Malware researchers increasingly use virtual machine technology to analyze samples, since it offers many benefits: !

Multiple operating systems Ability to reset to a previous snapshot undoing changes made by malware Easily monitored Isolation

!

Typical methods to detect a VME !

1. Look for VME artifacts in processes, file system and registry2. Look for VME specific virtual hardware3. Look for VME specific processor capabilities

22

Virtual Machine Detection - VMWare


Artifacts in processes, system files and registry VMWare tools Some references in system files to “VMWare” Some references in the registry to “VMWare” Some drivers:

vmmouse.sys vmhgfs.sys


Virtual Machine Detection - Virtual Box

24

VS



25

Specific files with VirtualBox Guest Additions


System 32 Guest Additions Folder System32\Drivers

• VBoxDisp.dll • VBoxHook.dll • VBoxMRXNP.dll • VBoxOGLarrayspu.dll • VBoxOGLerrorspu.dll • VBoxOGLcrutil.dll • VBoxOGLerrorspu.dll • VBoxOGLfeedbackspu.dll • VBoxOGLpackspu.dll • VBoxoglpassthroughspu.dll • VBoxTray.exe • VBoxService.exe • VBoxControl.exe

• VBoxDisp.dll • VBoxDrvInst.exe • VBoxVideo.inf • VBoxVideo.sys • VBoxControl.exe • VBoxGuest.sys • VBoxGuest.inf • VBoxMouse.sys • VBoxMouse.inf • VBoxTray.exe • VBoxWHQLFake.exe • DIFxAPI.dll

• VBoxMouse.sys • VBoxGuest.sys • VBoxSF.sys • VBoxVideo.sys


26

Specific files and processes with VirtualBox Guest Additions Installed


DRVSTORE\VBoxGuest_ED40339D75DAC80 DECCD6CCCDB8E202724F5321D

DRVSTORE\VBOXVideo_5C9060E4 72F2B1E3E9D5353B27AF6B8DABF99D47

Processes

• VBoxControl.exe • VBoxGuest.cat • VBoxGuest.inf • VBoxGuest.sys • VBoxTray.exe

• VBoxDisp.dll • VBoxVideo.inf • VBoxVideo.sys • VBoxVideo.cat

• VboxService.exe


27

Folder Key Type ValueHKLM\Software\Oracle\VirtualBox Guest Additions InstallDir REG_SZ Guest Additions folder

Revision REG_SZ Revision number

Version REG_SZ Version number

VersionExt REG_SZ Version number

HKLM\Hardware\DEVICEMAP\Scsi\Scsi Port 0\ScSi Bus 0\Target Id 0\Logical Unit Id 0

Identifier REG_SZ VBOX HARDDISK

HKLM\Hardware\DEVICEMAP\Scsi\Scsi Port 0\ScSi Bus 0\Target Id 1\Logical Unit Id 0

Identifier REG_SZ VBOX CD-ROM

HKLM\Hardware\DESCRIPTION\System SystemBiosVersion REG_MULTI_SZ VBOX -1

VideoBiosVersion REG_MULTI_SZ Oracle VM VirtualBox Version (version number)

HKLM\Hardware\Acpi\DSDT\VBOX__\VBOXBIOS\00000002

00000000 REG_BINARY DSDT......VBOX VBOXBIOS....INTL

Specific registry keys



28

Folder Key Type Value

HKLM\System\CurrentControlSet\Services\Disk\Enum 0 REG_SZ IDE\DiskVBOX_HARDDISK___________________________1.0_____\42566264366366323661362d3265623939632031

HKLM\System\CurrentControlSet\Services\VBoxGuest DisplayName REG_SZ VirtualBox Guest Driver

ImagePath REG_EXPAND_SZ system32\DRIVERS\VBoxGuest.sys

HKLM\System\CurrentControlSet\Services\VBoxGuest\Enum

0 REG_SZ PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00\3&267a616a&0&20

HKLM\System\CurrentControlSet\Services\VBoxMouse DisplayName REG_SZ VirtualBox Guest Mouse Service

ImagePath REG_EXPAND_SZ system32\DRIVERS\VBoxMouse.sys

HKLM\System\CurrentControlSet\Services\VBoxMouse\Enum

0 REG_SZ ACPI\PNP0F03\4&1d401fb5&0


*These keys are in ControlSet001, ControlSet002 and CurrentControlSet folders



29

Folder Key Type ValueHKLM\System\CurrentControlSet\Enum\Ide\DiskVBOX_HARDDISK\4256636463663

FriendlyName REG_SZ VBOX HARDDISK

HKLM\System\CurrentControlSet\Enum\Ide\DiskVBOX_HARDDISK\9257936463871

FriendlyName REG_SZ VBOX CD-ROM

HKLM\System\CurrentControlSet\Services\VBoxService

DisplayName REG_SZ VirtualBox Guest Aditions Service

ImagePath REG_EXPAND_SZ system32\VBoxService.exe

Description REG_SZ Manages VM runtime information and utilities for guest operating systems.

ObjectName REG_SZ LocalSystem

HKLM\System\CurrentControlSet\Services\VBoxService\Enum

0 REG_SZ Root\LEGACY_VBOXSERVICE\0000

HKLM\System\CurrentControlSet\Services\VBoxSF DisplayName REG_SZ VirtualBox Shared Folders

ImagePath REG_EXPAND_SZ system32\DRIVERS\VBoxSF.sys




30

Folder Key Type Value

HKLM\System\CurrentControlSet\Services\VBoxSF\Enum

0 REG_SZ Root\LEGACY_VBOXSF\0000

HKLM\System\CurrentControlSet\Services\VBoxSF\NetworkProvider

DeviceName REG_SZ \Device\VboxMinRdr

Name REG_SZ VirtualBox Shared Folder

ProviderPath REG_SZ %Systemroot%\System32\VBoxMRXNP.dll

HKLM\System\CurrentControlSet\Services\VBoxVideo

ImagePath REG_EXPAND_SZ system32\DRIVERS\VBoxVideo.sys

HKLM\System\CurrentControlSet\Services\VBoxVideo\Device0

InstalledDisplayDrivers REG_MULTI_SZ VBoxDisp

HKLM\System\CurrentControlSet\Services\VBoxVideo\Enum

0 REG_SZ PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00\3&267a616a&0&10

HKLM\System\CurrentControlSet\Services\VBoxVideo\Video

Service REG_SZ Vbox Video




31




32

Example

Source: http://pastebin.com/RU6A2UuB



http://pastebin.com/RU6A2UuB

33

Example

Source: http://pastebin.com/RU6A2UuB



<Demo>

http://pastebin.com/RU6A2UuB

34

Themida



35

Themida

<Demo>



36

Pafish



Physical Machine

Virtual Machine

37

4. How malware detects Virtual Machines


38

How malware detects Virtual MachinesTrojan-spy.win32.Carberp

Source: http://github.com/hzeroo/Carberp/blob/master/source - absource/pro/all source/BlackJoeWhiteJoe/Source


http://github.com/hzeroo/Carberp/blob/master/source%20-%20absource/pro/all%20source/BlackJoeWhiteJoe/Source

39

How malware detects Virtual Machines Trojan-Dropper.Win32.Agent.dvyh

Technical Details about Net-Worm.Win32.Kolab.wwh: https://www.securelist.com/en/descriptions/17168948/Trojan-Dropper.Win32.Agent.dvyh


https://www.securelist.com/en/descriptions/17168948/Trojan-Dropper.Win32.Agent.dvyh

40

How malware detects Virtual Machines Net-Worm.Win32.Kolab.wwh

Technical Details about Net-Worm.Win32.Kolab.wwh: http://www.securelist.com/en/descriptions/10113051/Net-Worm.Win32.Kolab.wwh


http://www.securelist.com/en/descriptions/10113051/Net-Worm.Win32.Kolab.wwh

41





42





43

5. Virtual Machine emulation


44

Conclusions

Main findings It’s possible to simulate a virtual machine with a python script. We can avoid infections by unknown malware.

!!Future lines of research

Investigate more VM Solutions and Sandboxes. (VmWare, Sandboxie…) Try the script with more malware samples. Investigate possible side-effects in a real environment.

Main findings and future lines of research


Thank you!

!

[email protected] @jordisk

https://github.com/jordisk

mailto:[email protected]


!





Thank you!

!





emulate virtual machines to avoid malware infections - grrcon 2014

Technology

grrcon hacker conference

virtual machine technology

virtual machine detectionwhy

virtual machine detection4

virtual machine emulation6

virtual machines14

vme specific virtual

previous conceptswhat