Title: Looking for Malware that react with Virtual Machines
Post by: rsreese on June 19, 2008, 10:27:36 PM

I'm doing research on the way that malware and VMs interact with each other, especially VM-aware malware. I'm having a difficult time looking for examples of malware. I found this page http://securitylabs.websense.com/content/Blogs/2688.aspx but the example sum doesn't appear on offensivecomputing.net.

Any examples or pointers that anyone has would be great. Thanks.

Title: Re: Looking for Malware that react with Virtual Machines
Post by: shakuni on June 20, 2008, 12:37:05 AM

Looking at that link I assume that what you are asking about is malware that uses anti-VM tricks. Am I right? If yes, then redpill etc. are what you are looking for. Start at the following links and ask me if you have any problems.

http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
http://invisiblethings.org/papers/redpill.html
http://www.openrce.org/forums/posts/814
http://www.pelock.com/blog/2007/04/15/vmware-detection-anti-debugging-trick-against-trw/
http://eeyeresearch.typepad.com/blog/2006/09/another_vmware_.html

Maybe I will release my paper on these concepts soon.

Title: Re: Looking for Malware that react with Virtual Machines
Post by: rsreese on June 20, 2008, 07:53:40 PM

Here are the current URLs I've come across, including the ones you provided. These are providing me with the fundamental understanding that I need, but I would like to perform some real-world tests.

http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Zovi.pdf
http://www.offensivecomputing.net/?q=node/205
http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1247329,00.html
http://recon.cx/2008/speakers.html#polymorph
http://www.offensivecomputing.net/files/active/0/vm.pdf
http://www.openrce.org/forums/posts/814
http://taviso.decsystem.org/virtsec.pdf
http://www.cs.cmu.edu/~jfrankli/hotos07/vmm_detection_hotos07.pdf
http://isc.sans.org/diary.html?storyid=1871&isc=c188674c1b170b29bb1345a6ef5d1417
http://www.techworld.com/security/news/index.cfm?newsid=9653
http://vil.nai.com/vil/content/v_139328.htm
http://securitylabs.websense.com/content/Blogs/2688.aspx
http://www.stanford.edu/~talg/papers/HOTOS07/vmm-detection-hotos07.pdf
http://www.eecs.umich.edu/virtual/papers/king06.pdf
http://eeyeresearch.typepad.com/blog/2006/09/another_vmware_.html
http://www.linklogger.com/vm_capture.htm
http://labs.neohapsis.com/
http://www.pelock.com/blog/2007/04/15/vmware-detection-anti-debugging-trick-against-trw/
http://vil.nai.com/vil/content/v_134117.htm
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Butler.pdf
http://www.cs.nps.navy.mil/people/faculty/irvine/publications/2000/VMM-usenix00-0611.pdf
http://www.offensivecomputing.net/dc14/furthur_down_the_vm_spiral.pdf
http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

I'm still having trouble finding a repository of rootkits/malware/etc... to actually test on XP or Vista VMs or bare-metal machines. I know they are out there, but it seems there has got to be a better way than searching for VM-aware malware, finding a checksum and then hoping Offensive Computing has it?

Title: Re: Looking for Malware that react with Virtual Machines
Post by: shakuni on June 21, 2008, 12:57:36 AM

So basically you are asking for source code of malware that uses anti-VM tricks.

I don't know whether it is allowed to discuss these things on the forums. So wait until don allows us to share these things. Or read a bit about Google hacking. There are thousands of repositories of malware sources out there.

Until then I suggest you write simple "hello world" viruses and then use anti-VM tricks in them (from the links that I gave you) to test whether the tricks work on the desired platform or VM.

-shakuni

Title: Re: Looking for Malware that react with Virtual Machines
Post by: rsreese on June 23, 2008, 01:47:46 PM

Great idea, I'll give that a try. Thank you for your time.