As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats can also detect monitoring tools used for malware analysis. Often such malware will not execute or change their behavior to appear harmless. Because some malware uses these tactics, planting fake virtual machine artefacts or fake analysis tools on a system could stop their malicious behavior. We have created a quick proof of concept (POC) to demonstrate this defensive tactic.
Some malware use a mutex or registry key to avoid re-infecting a machine. For example, a previous version of Locky used a registry key with the string “locky” to check if the machine was already infected. This variant also used a basic check to verify if the local language was Russian; if it was, the ransomware did not infect the machine. With this kind of information, security analysts can proactively configure these artefacts to boost protection against some malicious software.
The following diagram illustrates this concept:
Proof of concept functions
Sandboxes and virtual environments are full of artefacts that betray their analysis environment. Malware can protect itself against these by running some checks to detect such environments before performing any malicious actions. Our POC will reproduce a virtual environment on a normal user machine. It is available at https://github.com/fr0gger/RocProtect-V1.
Creating fake registry keys
A lot of registry keys are created by specific tools or by sandbox emulation. Using the Windows API RegCreateKeyEx we can create all the (fake) keys normally created by a virtual hypervisor.
The following list shows of few of the potential registry keys that malware can detect:
- HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\“Identifier”;“VMWARE”
- HKLM\SOFTWARE\VMware, Inc.\VMware Tools
- HKLM\HARDWARE\Description\System\ “SystemBiosVersion”;”VMWARE”
- HKLM\HARDWARE\Description\System\”SystemBiosVersion”;VBOX
- HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
- HKLM\HARDWARE\ACPI\DSDT\VBOX__
The following function explains in more detail the registry key creation process:
| RegCreateKeyEx( | |
| HKEY_LOCAL_MACHINE, // registry key | |
| RegValuePath[i], // subkey | |
| 0, // reserved and must be 0 | |
| NULL, // class type of the key | |
| REG_OPTION_NON_VOLATILE, // keep the key after reboot | |
| KEY_WRITE, // registry key security and access right | |
| NULL, // security attributes | |
| &hKey, // handle to the opened key | |
| NULL) // determine weither the key exists or not
|
Other API functions are used to set a value on a previously created key (RegOpenKeyEx, RegSetValueEx).
Creating fake processes
The hypervisor runs several processes in the virtual machine to perform actions and ensure compatibility with the host machine. For example, VirtualBox uses several processes on a machine that can be spotted by malware.
The following list shows processes created by VirtualBox:
- exe
- exe
- exe
The function CreateProcess can be used to load a fake process into memory:
|
Creating fake files
Malware can also try to detect the presence of any files related to virtual environments. A lot of driver or DLL files are created by the hypervisor.
The following list shows a short extract of potential virtual files:
- C:\\WINDOWS\system32\drivers\VBoxMouse.sys
- C:\\WINDOWS\system32\vboxhook.dll
- C:\\WINDOWS\system32\vboxdisp.dll
- C:\\Windows\system32\drivers\vmmouse.sys
- C:\\system32\drivers\vmhgfs.sys
The function CreateFile can be used to create fake files on the system:
|
Creating a fake MAC address
VirtualBox and VMware use default MAC addresses on virtual machines. The VirtualBox default address uses the first three bytes 08:00:27. The VMware default address uses the first three bytes 00:0C:29, 00:1C:14, 00:50:56, or 00:05:69. Malware can detect these MAC addresses by requesting the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0000\NetworkAddress
Proof of Concept
We have tested some samples with “VM aware” capabilities with our tool. In each case the malware did not run and the machine was not infected.
The tool Pafish, an open-source project, uses similar tricks as malware to identify virtual environments. We used Pafish to observe the difference between a normal machine and a machine set up with our tool emulating a virtual machine.
The following screenshot shows the output of Pafish with few detections of a virtual environment:
After running our tool, we can clearly see the differences in detection.
On the left we see the output of RocProtect, our proof of concept, which created fake artefacts on the machine. On the right we see the output of Pafish that shows us the number of detections.
Malware is constantly becoming more advanced. Analysis and detection are become harder and very time consuming. This proof of concept introduces a different way to protect against malware infections by emulating a virtual environment. Of course, this tool cannot replace a real security application, but it can complement your defenses. Sometimes we need to try different tactics to fight malware.
The post Stopping Malware With a Fake Virtual Machine appeared first on McAfee Blogs.