Topic: Looking for Malware that react with Virtual Machines
atlas01 « on: June 19, 2008, 10:27:36 PM »

I'm doing research on the way that malware and VMs interact with each other, especially VM-aware malware. I'm having a difficult time looking for examples of malware. I found this page http://securitylabs.websense.com/content/Blogs/2688.aspx but the example sum doesn't appear on offensivecomputing.net.

Any example or pointers that anyone has would be great. Thanks.
shakuni « Reply #1 on: June 20, 2008, 12:37:05 AM »

Looking at that link I assume that what you are asking about is malware that uses anti-VM tricks. Am I right? If yes, then redpill etc. are what you are looking for; start at the following links and ask me if you have any problems.

handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
http://invisiblethings.org/papers/redpill.html
http://www.openrce.org/forums/posts/814
http://www.pelock.com/blog/2007/04/15/vmware-detection-anti-debugging-trick-against-trw/
http://eeyeresearch.typepad.com/blog/2006/09/another_vmware_.html

Maybe I will release my paper on these concepts soon.

There is no rule, law or tradition that apply universally... including this one.
atlas01 « Reply #2 on: June 20, 2008, 07:53:40 PM »

Here are the current URLs I've come across, including the ones you provided. These are providing me with the fundamental understanding that I need, but I would like to perform some real-world tests.

http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Zovi.pdf
http://www.offensivecomputing.net/?q=node/205
http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1247329,00.html
http://recon.cx/2008/speakers.html#polymorph
http://www.offensivecomputing.net/files/active/0/vm.pdf
http://www.openrce.org/forums/posts/814
http://taviso.decsystem.org/virtsec.pdf
http://www.cs.cmu.edu/~jfrankli/hotos07/vmm_detection_hotos07.pdf
http://isc.sans.org/diary.html?storyid=1871&isc=c188674c1b170b29bb1345a6ef5d1417
http://www.techworld.com/security/news/index.cfm?newsid=9653
http://vil.nai.com/vil/content/v_139328.htm
http://securitylabs.websense.com/content/Blogs/2688.aspx
http://www.stanford.edu/~talg/papers/HOTOS07/vmm-detection-hotos07.pdf
http://www.eecs.umich.edu/virtual/papers/king06.pdf
http://eeyeresearch.typepad.com/blog/2006/09/another_vmware_.html
http://www.linklogger.com/vm_capture.htm
http://labs.neohapsis.com/
http://www.pelock.com/blog/2007/04/15/vmware-detection-anti-debugging-trick-against-trw/
http://vil.nai.com/vil/content/v_134117.htm
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Butler.pdf
http://www.cs.nps.navy.mil/people/faculty/irvine/publications/2000/VMM-usenix00-0611.pdf
http://www.offensivecomputing.net/dc14/furthur_down_the_vm_spiral.pdf
http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

I'm still having trouble finding a repository of rootkits/malware/etc. to actually test on XP/Vista VMs or bare-metal machines. I know they are out there, but it seems there has got to be a better way than searching for VM-aware malware, finding a checksum and then hoping Offensive Computing has it?
shakuni « Reply #3 on: June 21, 2008, 12:57:36 AM »

So basically you are asking for source code of malware that uses anti-VM tricks. I don't know whether it is allowed to discuss these things on the forums. So wait until Don allows us to share these things. Or read a bit about Google hacking. There are thousands of repositories of malware sources out there.

Until then I suggest you write simple "hello world" viruses and then use anti-VM tricks in them (from the links that I gave you) to test whether the tricks work on the desired platform or VM.

-shakuni

There is no rule, law or tradition that apply universally... including this one.
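As an added example (not code from the thread or its authors) of the kind of harmless "hello world" test the reply above describes: it applies the redpill SIDT check from the invisiblethings link to the machine it runs on, so an analyst can see whether their own analysis VM is flagged by this classic heuristic. The thresholds come from the redpill write-up; the struct and function names are assumptions, and the inline assembly assumes GCC/clang on x86.

```c
/* Added example, not from the thread: a harmless test program that performs
 * the redpill check (read IDTR with SIDT, then look at the top byte of the
 * 32-bit base; redpill flagged > 0xd0 as a guest). For an analyst checking
 * whether their own analysis VM is caught by this classic heuristic.
 * Struct and function names are assumptions of this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Memory image written by SIDT: 16-bit limit, then the base address
 * (4 bytes in 32-bit mode, 8 in 64-bit). Packed so no padding sneaks in. */
struct __attribute__((packed)) idtr_t {
    uint16_t limit;
    uintptr_t base;
};

/* The heuristic, kept separate from the hardware read so it can be tested on
 * constructed values. Vendor guesses follow the 2004 write-up: 0xff.. was
 * VMware, 0xe8.. was Virtual PC; anything above 0xd0 was treated as a guest. */
const char *redpill_verdict(uint32_t idt_base32)
{
    uint8_t top = (uint8_t)(idt_base32 >> 24);
    if (top == 0xff) return "VMware";
    if (top == 0xe8) return "VirtualPC";
    return top > 0xd0 ? "guest (unknown vendor)" : "not flagged";
}

/* Reads IDTR on x86 (returns 1); elsewhere zeroes *out and returns 0. */
int read_idtr(struct idtr_t *out)
{
    memset(out, 0, sizeof *out);
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile ("sidt %0" : "=m" (*out));
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    struct idtr_t r;
    if (!read_idtr(&r)) { puts("not x86: SIDT unavailable"); return 0; }
    printf("IDTR base=%#lx limit=%#x -> %s\n", (unsigned long)r.base,
           (unsigned)r.limit, redpill_verdict((uint32_t)r.base));
    /* Caveat: on 64-bit kernels the low 32 bits carry no vendor signal, and
     * UMIP-enabled systems hand back a dummy IDTR, so treat this as history. */
    return 0;
}
```

On a modern 64-bit host the verdict will usually be "not flagged" whether or not you are in a VM, which is itself the lesson: sandboxes are no longer caught by this check, and detection engineering should not rely on it either.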
atlas01 « Reply #4 on: June 23, 2008, 01:47:46 PM »

Great idea, I'll give that a try, thank you for your time.