Ethical Hacker Community Forums
August 21, 2008, 10:41:14 PM *
Author Topic: Looking for Malware that react with Virtual Machines  (Read 2787 times)
rsreese
« on: June 19, 2008, 10:27:36 PM »

I'm doing research on the way that malware and VMs interact with each other, especially VM-aware malware. I'm having a difficult time looking for examples of malware. I found this page http://securitylabs.websense.com/content/Blogs/2688.aspx but the example sum doesn't appear on offensivecomputing.net.

Any example or pointers that anyone has would be great. Thanks.
shakuni
« Reply #1 on: June 20, 2008, 12:37:05 AM »

Looking at that link I assume that what you are asking for is malware that uses anti-VM tricks. Am I right? If yes, then redpill etc. are what you are looking for; start at the following links and ask me if you have any problems.

http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
http://invisiblethings.org/papers/redpill.html
http://www.openrce.org/forums/posts/814
http://www.pelock.com/blog/2007/04/15/vmware-detection-anti-debugging-trick-against-trw/
http://eeyeresearch.typepad.com/blog/2006/09/another_vmware_.html

Maybe I will release my paper on these concepts soon.
« Last Edit: June 20, 2008, 12:39:28 AM by shakuni »

There is no rule, law or tradition that applies universally... including this one.
rsreese
« Reply #2 on: June 20, 2008, 07:53:40 PM »

Here are the current URLs I've come across, including the ones you provided. These are providing me with the fundamental understanding that I need, but I would like to perform some real-world tests.

http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Zovi.pdf
http://www.offensivecomputing.net/?q=node/205
http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1247329,00.html
http://recon.cx/2008/speakers.html#polymorph
http://www.offensivecomputing.net/files/active/0/vm.pdf
http://www.openrce.org/forums/posts/814
http://taviso.decsystem.org/virtsec.pdf
http://www.cs.cmu.edu/~jfrankli/hotos07/vmm_detection_hotos07.pdf
http://isc.sans.org/diary.html?storyid=1871&isc=c188674c1b170b29bb1345a6ef5d1417
http://www.techworld.com/security/news/index.cfm?newsid=9653
http://vil.nai.com/vil/content/v_139328.htm
http://securitylabs.websense.com/content/Blogs/2688.aspx
http://www.stanford.edu/~talg/papers/HOTOS07/vmm-detection-hotos07.pdf
http://www.eecs.umich.edu/virtual/papers/king06.pdf
http://eeyeresearch.typepad.com/blog/2006/09/another_vmware_.html
http://www.linklogger.com/vm_capture.htm
http://labs.neohapsis.com/
http://www.pelock.com/blog/2007/04/15/vmware-detection-anti-debugging-trick-against-trw/
http://vil.nai.com/vil/content/v_134117.htm
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Butler.pdf
http://www.cs.nps.navy.mil/people/faculty/irvine/publications/2000/VMM-usenix00-0611.pdf
http://www.offensivecomputing.net/dc14/furthur_down_the_vm_spiral.pdf
http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

I'm still having trouble finding a repository of rootkits/malware/etc... to actually test on XP or Vista VMs or bare-metal machines. I know they are out there, but it seems there has got to be a better way than searching for VM-aware malware, finding a checksum and then hoping Offensive Computing has it?
shakuni
« Reply #3 on: June 21, 2008, 12:57:36 AM »

So basically you are asking for source code of malware that uses anti-VM tricks. I don't know whether it is allowed to discuss these things on the forums. So wait until Don allows us to share these things. Or read a bit about Google hacking. There are thousands of repositories of malware sources out there.

Until then I suggest you write simple "hello world" viruses and then use anti-VM tricks in them (from the links that I gave you) to test whether the tricks work on the desired platform or VM.

-shakuni

There is no rule, law or tradition that applies universally... including this one.
rsreese
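An added example, not from this thread or from any of the linked papers, of the kind of "hello world" test shakuni describes, written from the analyst's side: before trusting what a sample does inside an analysis VM, an analyst wants to know whether the VM is trivially identifiable. This program asks the CPU, through the vendor-documented CPUID interface (leaf 1, ECX bit 31, and the vendor signature in leaf 0x40000000), whether a hypervisor advertises itself. It assumes an x86 machine and a GCC or Clang toolchain (for `cpuid.h`); on other CPUs it reports that it cannot tell. The struct and function names are my own, and the signature table is the set of publicly documented vendor strings.

```c
#include <stdio.h>
#include <string.h>

/* CPUID exists only on x86; elsewhere the check reports "cannot query". */
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

struct hv_info {
    int present;      /* 1 = hypervisor-present bit set, 0 = clear, -1 = cannot query */
    char vendor[13];  /* 12-byte signature from leaf 0x40000000, NUL-terminated; "" if none */
};

/* Map the publicly documented vendor signatures to readable names. */
const char *vendor_name(const char *sig) {
    if (strcmp(sig, "VMwareVMware") == 0) return "VMware";
    if (strcmp(sig, "KVMKVMKVM") == 0)    return "KVM";       /* padded with NULs to 12 bytes */
    if (strcmp(sig, "Microsoft Hv") == 0) return "Hyper-V";
    if (strcmp(sig, "XenVMMXenVMM") == 0) return "Xen";
    if (strcmp(sig, "VBoxVBoxVBox") == 0) return "VirtualBox";
    return "unknown";
}

/* Query the hypervisor-present bit and, if set, the hypervisor vendor signature. */
struct hv_info query_hypervisor(void) {
    struct hv_info info;
    memset(&info, 0, sizeof info);
#if HAVE_CPUID
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    /* Leaf 1, ECX bit 31 is reserved for hypervisors to advertise themselves. */
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) {
        info.present = -1;
        return info;
    }
    info.present = (int)((ecx >> 31) & 1u);
    if (info.present) {
        /* Leaf 0x40000000 returns the 12-byte vendor signature in EBX, ECX, EDX. */
        __cpuid(0x40000000, eax, ebx, ecx, edx);
        memcpy(info.vendor, &ebx, 4);
        memcpy(info.vendor + 4, &ecx, 4);
        memcpy(info.vendor + 8, &edx, 4);
        info.vendor[12] = '\0';
    }
#else
    info.present = -1;
#endif
    return info;
}

int main(void) {
    struct hv_info info = query_hypervisor();
    if (info.present < 0)
        printf("CPUID not available on this CPU; cannot tell.\n");
    else if (info.present == 0)
        printf("No hypervisor advertised via CPUID (bare metal, or a VM that hides the bit).\n");
    else
        printf("Hypervisor advertised: signature \"%s\" (%s)\n",
               info.vendor, vendor_name(info.vendor));
    return 0;
}
```

Run it once on bare metal and once inside the analysis VM: a VM that reports a signature here is identifiable to any sample that performs the same check, which is the first thing to verify when building a sandbox that is supposed to look like a physical host. Note that this bit is a cooperative interface: a hypervisor configured to hide it will report 0, so a clean result here rules out only the simplest class of checks, not the timing- and hardware-based ones described in the linked papers.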
« Reply #4 on: June 23, 2008, 01:47:46 PM »

Great idea, I'll give that a try, thank you for your time.
© 2008 The Ethical Hacker Network