Emulate virtual machines To avoid malware infections



Similar documents
A COMPARISON BETWEEN "ORACLE VM VIRTUALBOX" AND "VMWARE PLAYER" FROM A "LINUX" PERSPECTIVE

Block Level Backups with EMC NetWorker

Hypervisor Software and Virtual Machines. Professor Howard Burpee SMCC Computer Technology Dept.

Creating a Linux Virtual Machine using Virtual Box

Intelligent Video Analytics. Server Installation Guide. - Windows - Linux

Creating a Windows XP Virtual Machine using Virtual Box

Enterprise Cloud VM Image Import User Guide. Version 1.0

In addition to their professional experience, students who attend this training should have technical knowledge in the following areas.

Virtual Machines. Virtual Machines

Using Keil software with Linux via VirtualBox

Installing Windows On A Macintosh Or Linux Using A Virtual Machine

Installing Sun's VirtualBox on Windows XP and setting up an Ubuntu VM

VIRTUAL NETWORKING WITH "WINDOWS VIRTUAL PC"

Module I-7410 Advanced Linux FS-11 Part1: Virtualization with KVM

IBM Tivoli Composite Application Manager for Microsoft Applications: Microsoft Hyper-V Server Agent Version Fix Pack 2.

Installing & Using KVM with Virtual Machine Manager COSC 495

Recommended Solutions for Installing Symantec Endpoint Protection 12.1.x in Shared and PvD Virtual Machines

Virtualization and Other Tricks.

VMWare Workstation 11 Installation MICROSOFT WINDOWS SERVER 2008 R2 STANDARD ENTERPRISE ED.

AFACT Cloud Computing Working Group. Chia Hung Kao Institute for Information Industry

NAS 249 Virtual Machine Configuration with VirtualBox

These instructions were tested on OS X Earlier or later versions may have slight or major differences in how things work and appear.

FROM A "WINDOWS" PERSPECTIVE

How to Install Multiple Monitoring Agents on a Microsoft Operating System. Version StoneGate Firewall/VPN 2.6 and SMC 3.2

IOS110. Virtualization 5/27/2014 1

Retrospect 7.7 User s Guide Addendum

Virtualised MikroTik

How to use the VMware Workstation / Player to create an ISaGRAF (Ver. 3.55) development environment?

Running Windows 8 on top of Android with KVM. 21 October Zhi Wang, Jun Nakajima, Jack Ren

Virtual Hosting & Virtual Machines

EXPLORING LINUX KERNEL: THE EASY WAY!

Monitor and Secure Linux System with Open Source Tripwire

Onboarding VMs to Cisco OpenStack Private Cloud

AKIPS Network Monitor Installation, Configuration & Upgrade Guide Version 16. AKIPS Pty Ltd

Uses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:

Developing Microsoft Azure Solutions

Developing Microsoft Azure Solutions 20532A; 5 days

Converting Linux and Windows Physical and Virtual Machines to Oracle VM Virtual Machines. An Oracle Technical White Paper December 2008

Guest Operating System. Installation Guide

Accessing RCS IBM Console in Windows Using Linux Virtual Machine

Installation of Winisis on Windows 8 (64 bits) using Oracle Virtual Box Ernesto Spinak 15/07/2013

Professional Xen Visualization

Machine Edition USB Hardware License Key did not get recognize inside Virtual Machine

Advanced Server Virtualization: Vmware and Microsoft Platforms in the Virtual Data Center

Using VMware Workstation

CopyKittens Attack Group

Virtualization. Types of Interfaces

Building a Penetration Testing Virtual Computer Laboratory

[VADP OVERVIEW FOR NETBACKUP]

ClearPass Policy Manager 6.3

Comparing Free Virtualization Products

How to Install Windows on Xen TM 3.0

Course 20532B: Developing Microsoft Azure Solutions

JobScheduler Installation by Copying

The Tor VM Project. Installing the Build Environment & Building Tor VM. Copyright The Tor Project, Inc. Authors: Martin Peck and Kyle Williams

A Comparison of VMware and {Virtual Server}

INSTALLATION GUIDE El Jefe 2.1 Document version: June 2014

WINDOWS LOGGING CHEAT SHEET - Win 7/Win 2008 or later

Introduction to Virtualization

Course Outline: Course 6331: Deploying and Managing Microsoft System Center Virtual Machine Manager Learning Method: Instructor-led Classroom Learning

Before we can talk about virtualization security, we need to delineate the differences between the

APPLICATION NOTE. How to build pylon applications for ARM

Operating Systems Virtualization mechanisms

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader

Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Q&A. DEMO Version

Download Virtualization Software Download a Linux-based OS Creating a Virtual Machine using VirtualBox: VM name

How To Protect Your Data From Being Damaged On Vsphere Vdp Vdpa Vdpo Vdprod (Vmware) Vsphera Vdpower Vdpl (Vmos) Vdper (Vmom

HP Operations Orchestration Software

How to troubleshoot MS DTC firewall issues

Intelligent Laptop Virtualization No compromises for IT or end users. VMware Mirage

CIT 668: System Architecture

SOFTWARE INSTALLATION INSTRUCTIONS

ArCycle vmbackup. for VMware/Hyper-V. User Guide

Deploying Red Hat Enterprise Virtualization On Tintri VMstore Systems Best Practices Guide

Virtual Machines.

The safer, easier way to help you pass any IT exams. Exam : TS: Windows Server 2008 R2, Server Virtualization. Title : Version : Demo 1 / 7

Skip the But it Works on My Machine Excuse with Vagrant

Course 6331A: Deploying and Managing Microsoft System Center Virtual Machine Manager

How to Backup and Restore a VM using Veeam

Table of Contents Introduction and System Requirements 9 Installing VMware Server 35

Date: December 2009 Version: 1.0. How Does Xen Work?

The Art of Virtualization with Free Software

RUNNING vtvax FOR WINDOWS

Introduction to KVM. By Sheng-wei Lee #

Application Note. Example of user log on Magelis HMI with XB5S5B2L2 biometric switch. Advanced Technical Support - Brazil. Version: 1.

Quick Deployment Step-by-step instructions to deploy Oracle Big Data Lite Virtual Machine

Running vtserver in a Virtual Machine Environment. Technical Note by AVTware

Linux Development Environment Description Based on VirtualBox Structure

SECTION 3 - INSTALLATION

Installing Ubuntu. Obtaining files required

Capability VMware Hyper-V

Eaton NetWatch NetWatch installation and configuration guide VMware ESX 3 Virtual architecture

COMBOGARDPRO. 39E Electronic Combination Lock SOFTWARE INSTALLATION INSTRUCTIONS

Software SIParator / Firewall

Windows Azure and private cloud

Backup and Recovery for Microsoft Hyper-V Using Best Practices Planning. Brien M. Posey

Analysis of Virtualization Tools and Techniques

MODULE 3 VIRTUALIZED DATA CENTER COMPUTE

vsphere Replication for Disaster Recovery to Cloud

Transcription:

Emulate virtual machines To avoid malware infections Jordi Vázquez Aira Institut Obert of Catalonia (Barcelona, Spain) PAGE 1

Introduction The premise & Purposes The premise: If malware tries to avoid Virtual machines Why not try to emulate these environments? Purposes! Study the characteristics of VirtualBox! Specific drivers! Registry keys! VirtualBox Guest Additions Files! Know how the malware detects a virtual machine environment! Try to replicate these configurations on a physical computer PAGE 2

How does malware detect Virtual Machine? - Differences between Virtual machines and physical computers - Examples PAGE 3

Differences between VMs and physical computers Specific files with VirtualBox Guest Additions System32 VBoxDisp.dll VBoxHook.dll VBoxMRXNP.dll VBoxOGLarrayspu.dll VBoxOGLcrutil.dll VBoxOGLerrorspu.dll VBoxOGLfeedbackspu.dll VBoxOGLpackspu.dll VBoxoglpassthroughspu.dll VBoxTray.exe VBoxService.exe VBoxControl.exe Guest Additions folder VBoxDisp.dll VBoxDrvInst.exe VBoxVideo.inf VBoxVideo.sys VBoxControl.exe VBoxGuest.sys VBoxGuest.inf VBoxMouse.sys VBoxMouse.inf VBoxTray.exe VBoxWHQLFake.exe DIFxAPI.dll System32\Drivers VBoxMouse.sys VBoxGuest.sys VBoxSF.sys VBoxVideo.sys PAGE 4

Differences between VMs and physical computers Specific files with VirtualBox Guest Additions DRVSTORE\VBoxGuest_ED40339D 75DAC80DECCD6CCCDB8E202724F5321D VBoxControl.exe VBoxGuest.cat VBoxGuest.inf VBoxGuest.sys VBoxTray.exe DRVSTORE\VBOXVideo_5C9060E4 72F2B1E3E9D5353B27AF6B8DABF99D47 VBoxDisp.dll VBoxVideo.inf VBoxVideo.sys VBoxVideo.cat PAGE 5

Differences between VMs and physical computers Specific registry keys Folder Key Type Value HKLM\Software\Oracle\VirtualBox Guest Additions HKLM\Hardware\DEVICEMAP\Scsi\Scsi Port 0\ScSi Bus 0\Target Id 0\Logical Unit Id 0 HKLM\Hardware\DEVICEMAP\Scsi\Scsi Port 0\ScSi Bus 0\Target Id 1\Logical Unit Id 0 InstallDir REG_SZ Guest Additions folder Revision REG_SZ Revision number Version REG_SZ Version number VersionExt REG_SZ Version number Identifier REG_SZ VBOX HARDDISK Identifier REG_SZ VBOX CD-ROM HKLM\Hardware\DESCRIPTION\System SystemBiosVersion REG_MULTI_SZ VBOX -1 HKLM\Hardware\Acpi\DSDT\VBOX \VBOXBIOS\00000002 VideoBiosVersion REG_MULTI_SZ Oracle VM VirtualBox Version (version number) 00000000 REG_BINARY DSDT...VBOX VBOXBIOS...INTL PAGE 6

Differences between VMs and physical computers Specific registry keys Folder Key Type Value HKLM\System\CurrentControlSet\Services \Disk\Enum HKLM\System\CurrentControlSet\Services \VBoxGuest HKLM\System\CurrentControlSet\Services \VBoxGuest\Enum HKLM\System\CurrentControlSet\Services \VBoxMouse 0 REG_SZ IDE \DiskVBOX_HARDDISK 1.0 \42566264366366323661362d3 265623939632031 DisplayName REG_SZ VirtualBox Guest Driver ImagePath REG_EXPAND_SZ system32\drivers \VBoxGuest.sys 0 REG_SZ PCI \VEN_80EE&DEV_CAFE&SUBS YS_00000000&REV_00\3&267a 616a&0&20 DisplayName REG_SZ VirtualBox Guest Mouse Service ImagePath REG_EXPAND_SZ system32\drivers \VBoxMouse.sys *These HKLM\System\CurrentControlSet\Services keys are in ControlSet001, ControlSet002 and CurrentControlSet 0 folders REG_SZ ACPI \VBoxMouse\Enum \PNP0F03\4&1d401fb5&0 PAGE 7

Differences between VMs and physical computers Specific registry keys Folder Key Type Value HKLM\System\CurrentControlSet\Enum\Ide \DiskVBOX_HARDDISK\4256636463663 HKLM\System\CurrentControlSet\Enum\Ide \DiskVBOX_HARDDISK\9257936463871 HKLM\System\CurrentControlSet\Services \VBoxService FriendlyName REG_SZ VBOX HARDDISK FriendlyName REG_SZ VBOX CD-ROM DisplayName REG_SZ VirtualBox Guest Aditions Service ImagePath REG_EXPAND_SZ system32\vboxservice.exe Description REG_SZ Manages VM runtime information and utilities for guest operating systems. ObjectName REG_SZ LocalSystem HKLM\System\CurrentControlSet\Services \VBoxService\Enum HKLM\System\CurrentControlSet\Services \VBoxSF 0 REG_SZ Root \LEGACY_VBOXSERVICE \0000 DisplayName REG_SZ VirtualBox Shared Folders *These keys are in ControlSet001, ControlSet002 and CurrentControlSet folders PAGE 8 ImagePath REG_EXPAND_SZ system32\drivers \VBoxSF.sys

Differences between VMs and physical computers Specific registry keys Folder Key Type Value HKLM\System\CurrentControlSet \Services\VBoxSF\Enum HKLM\System\CurrentControlSet \Services\VBoxSF \NetworkProvider HKLM\System\CurrentControlSet \Services\VBoxVideo HKLM\System\CurrentControlSet \Services\VBoxVideo\Device0 HKLM\System\CurrentControlSet \Services\VBoxVideo\Enum 0 REG_SZ Root\LEGACY_VBOXSF \0000 DeviceName REG_SZ \Device\VboxMinRdr Name REG_SZ VirtualBox Shared Folder ProviderPath REG_SZ %Systemroot% \System32\VBoxMRXNP.dll ImagePath REG_EXPAND_SZ system32\drivers \VBoxVideo.sys InstalledDisplayDrivers REG_MULTI_SZ VBoxDisp 0 REG_SZ PCI \VEN_80EE&DEV_BEEF&SUBS YS_00000000&REV_00\3&267a 616a&0&10 HKLM\System\CurrentControlSet Service REG_SZ Vbox Video *These \Services\VBoxVideo\Video keys are in ControlSet001, ControlSet002 and CurrentControlSet folders PAGE 9

Examples Trojan-spy.win32.Carberp Source: github.com/hzeroo/carberp/blob/master/source - absource/pro/all%20source/blackjoewhitejoe/source/vmdetect.cpp PAGE 10

Examples Usual methods to detect VMs Source: http://pastebin.com/ru6a2uub PAGE 11

Virtual Machine emulation Code structure Sample code PAGE 12

Virtual Machine emulation Code structure Import python libraries Create and modify registry keys Set up environment variables Create files Download libraries Register libraries PAGE 13

Virtual Machine emulation Sample code Full code available in: https://vbox-emulator.googlecode.com PAGE 14

Experimental results Themida Pafish Malware PAGE 15

Experimental results Themida PAGE 16

Experimental results Pafish Before After PAGE 17

Experimental results Net-Worm.Win32.Kolab.vw à Before Script Anti-debugging: The System registry key value:[hklm\system\controlset001\services\disk\enum] "0" Contains the strings: Vmware, Vbox, Virtual or QEMU It copied to the system folder Tries to detect if it s in a VM VM not detected VM detected The Original file is not deleted The original file self-destructs PAGE 18

Experimental results Net-Worm.Win32.Kolab.vw à After Script Anti-debugging: The System registry key value:[hklm\system\controlset001\services\disk\enum] "0" Contains the strings: Vmware, Vbox, Virtual or QEMU It copied to the system folder Tries to detect if it s in a VM VM not detected VM detected The Original file is not deleted The original file self-destructs PAGE 19

Conclusions Main findings Future lines of research PAGE 20

Conclusions Main findings and future lines of research Main findings! We can successfully simulate a virtual machine with a simple python script.! Most malware checks are in the Windows registry or files.! This technique should never be used individually. Future lines of research! Continue investigating virtual machines.! Try the script with more malware samples.! Investigate possible side-effects in a real environment. PAGE 21

Thank You Jordi Vázquez Aira Institut Obert of Catalonia (Barcelona, Spain) PAGE 22

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information