Anti-Virtual Machine and Anti-Sandbox in Malware

With the development of APT confrontation technology, people often use virtualization technology to detect the unknown malware when analyzing. Some security vendors in RSA Conference also use this technology to analyze anti-APT; what’s more, the traditional antivirus vendors and Botnet Tracking Team make use of virtual machines to realize massive analysis and get massive sample running information. The virtual software that vendors use include VMware, VirtualBox, KVM and so on, these virtual machines can simulate multiple virtual computers on a single physical computer, working as the real computers completely. To avoid these virtual machines and virus analysis sandbox, attackers will add codes of detecting virtual machines and sandbox in malicious programs in order to determine the running environment. When finding that programs are in the virtual machine sandbox, it will change the operation behaviors to hide the malicious actions and avoid from detection.

Virtual machine identifications include the ones of system registry, file system and process. The registry of virtual machine will record the relevant key values of virtual machine information, if there are relevant files or archives that relate with virtual machines in the file system, some special processes will run. Such process names can be used as basis for identifying virtual machine detection, for example, determining whether the drive files hgfs.sys, prleth.sys and vmhgfs.sys exist in the directory %System32\drivers\, of which the drive file hgfs.sys belongs to VMware Tools.

Figure 1 Relevant Process Names of Virtual Machine

Making use of I/O virtualization to identify virtual machine

VMM realizes the multiplexing of limited peripheral resources by I/O virtualization; it will block the access request on I/O equipment from Guest OS and then imitate the real hardware by software. There is information on virtual machines’ interfaces, such as interface type, serial number, product ID and so on; we can also detect the existence of virtual machine by getting this kind of information. The most common method to identify VMware is to use special orders IN to get version information.

Figure 2 VMware Identification

x86 ISA Identification

More than ten orders are not privilege ones in x86 ISA, so x86 cannot use traditional virtualization technique to realize the complete virtualization. For example, orders like sgdt/sidt/sldt can read the value of privilege register GDTR/IDTR/LDTR; the execution results of orders like popf/pushf are different between Ring0 and Ring3; there are other orders, such as smsw, lar, lsl, verr, verw, pop, push, call, jmp, int n, ret, str, move and so on. These orders cannot run on VM directly, which must be realized by VMM. The orders realized on virtual machines and physical hosts are different, we can detect virtual machines according to these differences.

We can get a further movement on sandbox detection if we focus on malware analysis. The objects that malware uses to detect sandbox include operation system username, self-sample path, operation system ID in registry, process name, windows name and so on, such as HKLM\Microsoft\Windows\CurrentVersion. The following is the product ID key value:

55274-640-2673064-23950 (JoeBox)
76487-644-3177037-23510 (CWSandbox)
76487-337-8429955-22614 (Anubis)

We selected one day’s 31403 samples for statistic:

Table 1 Malware statistic data with virtual machine or sandbox identification behaviors

The malware samples with virtual machine identification behavior occupy 7.08%, of which the identification on Vmware accounts for a great part.

Table 2 Virtual machine type detected by malware

Samples with sandbox identification behavior account for 0.3% of the statistical samples, which means that current malware has increasing detections on sandbox gradually.

Figure 3 Type of Sandbox Detection

Malware on identification sandbox can seldom identify virtual machines, so this kind of malware can also run on the virtual machines.