10

A lot of malware these days is able to detect when it is running virtualized under VMWare, VirtualPC, WINE, or even in a sandbox such as Anubis or CWSandBox.

This essentially means that malware will often "hold back" or not function maliciously when running in a virtual environment in order to thwart analysis of its true intentions.

My thought is then, why not make your PC appear as if it is virtualized? Does anyone know how I might be able to go about this?

2
  • 3
    Is simply "run your OS in a VM or hypervisor" too obvious an answer? Commented Jul 25, 2009 at 21:13
  • Because I want to make the PCs in my environment appear to malware as if they are a VM. By doing this, my hope is that malware that chooses not to run inside of a VM (to prevent analysis) will assume this system is virtualized, and therefore simply an analyst's testbed...and not run itself. It's part of a defense-in-depth strategy...just an additional layer.
    – Mick
    Commented Jul 26, 2009 at 17:39

5 Answers

9

This is not a good technique. Relying on malware to behave nicely because it might be under the microscope is a bit like relying on cats to stay put because you told them to. It's an interesting idea, but one which is not worth implementing as an anti-malware solution.

That said, as Marc suggested - just actually run your OS in a VM or hypervisor, if you want malware to behave itself as if it is in a virtualized environment. The performance hit is the tiny price you pay for such enhanced peace of mind.

One other item of note is that there are a fair number of legitimate desktop apps which don't work under VMs because their DRM thinks they might be in the process of being reverse engineered. The usability hassle from that would be terrible.

4
  • 1
    "One other item of note is that there are a fair number of legitimate desktop apps which don't work under VMs because their DRM thinks they might be in the process of being reverse engineered." Can you add an example? I'd love to see one of those apps. Commented Jul 25, 2009 at 21:43
  • Securom on most any newer game, for starters. Commented Jul 26, 2009 at 9:09
  • Thanks for the comments. This idea popped into my head as a possible way to make it harder for my systems (tens of thousands) to become infected with malware. Even with up to date anti-virus products, firewall (software and hardware), and NIDS/HIDS, there are still trojan downloaders that can cause headaches. Thanks for your opinions...this sounds like it may not be a real bright idea!
    – Mick
    Commented Jul 26, 2009 at 17:43
  • Oddly I now feel compelled to post a video I made of my cat staying put because I told it to. Granted, its behavior shocked me.
    – dlamblin
    Commented Jul 27, 2009 at 19:38
0

That is an interesting subject. CodeProject had an article about how to detect whether your program was running inside a VM, here. It looks as if the VMWare approach might be the easiest to fake, since it involves accessing a port to communicate with the host.

0

The nature of malware dictates that sooner or later, probably sooner, the malware writers will be able to detect if you are faking a virtualized OS. It's only a matter of time. I would concentrate my efforts elsewhere.

1
  • That would only happen if everyone would start to fake a virtualized OS. A few hackers wouldn't be worth the trouble.
    – Christian
    Commented Aug 4, 2009 at 17:27
0

For Linux there are Perl scripts like virt-what and imvirt. Have a look at the last one at http://micky.ibh.net/~liske/imvirt.html
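The CPUID signals that detectors like virt-what and imvirt (and the detection techniques the CodeProject answer above refers to) key on are short to decode. The block below is an added example, not code from this answer or from either tool: the register values and the /proc/cpuinfo excerpt are constructed for illustration, while the twelve-byte vendor signatures are the publicly documented values each hypervisor returns in CPUID leaf 0x40000000.

```python
"""Decode the CPUID virtualization signals that virt-what-style detectors use.
Added example: register values and the /proc/cpuinfo text are constructed."""
import struct

# CPUID leaf 1, ECX bit 31: the "hypervisor present" flag. Intel and AMD reserve
# it as zero on bare metal; a hypervisor sets it when it intercepts CPUID.
HYPERVISOR_PRESENT = 1 << 31

# 12-byte vendor signatures returned in EBX:ECX:EDX of CPUID leaf 0x40000000.
# Public values documented by each vendor (and matched by the Linux kernel).
KNOWN_SIGNATURES = {
    "VMwareVMware": "VMware",
    "KVMKVMKVM\x00\x00\x00": "KVM",
    "Microsoft Hv": "Hyper-V",
    "XenVMMXenVMM": "Xen",
    "VBoxVBoxVBox": "VirtualBox",
}


def decode_signature(ebx: int, ecx: int, edx: int) -> str:
    """Pack the three 32-bit registers little-endian, exactly as the CPU lays
    out the ASCII signature, into a 12-character string."""
    return struct.pack("<III", ebx, ecx, edx).decode("ascii", errors="replace")


def classify_cpuid(leaf1_ecx: int, leaf40_ebx: int, leaf40_ecx: int, leaf40_edx: int) -> str:
    """Return 'bare-metal', a known hypervisor name, or 'unknown hypervisor (...)'.
    The leaf-0x40000000 signature is only meaningful once bit 31 of leaf 1 is set."""
    if not leaf1_ecx & HYPERVISOR_PRESENT:
        return "bare-metal"
    sig = decode_signature(leaf40_ebx, leaf40_ecx, leaf40_edx)
    if sig in KNOWN_SIGNATURES:
        return KNOWN_SIGNATURES[sig]
    clean = sig.rstrip("\x00")
    return f"unknown hypervisor ({clean!r})"


def cpuinfo_reports_hypervisor(cpuinfo_text: str) -> bool:
    """Linux mirrors leaf-1 bit 31 as the word 'hypervisor' in the flags line of
    /proc/cpuinfo; parse that line the way a shell-script detector would."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            return "hypervisor" in value.split()
    return False


# Constructed register triple: "VMwareVMware" packed little-endian.
VMWARE_REGS = (0x61774D56, 0x4D566572, 0x65726177)
# Constructed register triple: the KVM signature "KVMKVMKVM\0\0\0".
KVM_REGS = (0x4B4D564B, 0x564B4D56, 0x0000004D)

# Constructed /proc/cpuinfo excerpt as a guest would report it (flag list shortened).
GUEST_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep pge cmov pat clflush mmx sse sse2 ss syscall nx lm constant_tsc rep_good nopl xtopology cpuid pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes xsave avx hypervisor lahf_lm
"""
# Same excerpt without the hypervisor flag, as a physical host reports it.
HOST_CPUINFO = GUEST_CPUINFO.replace(" hypervisor", "")

if __name__ == "__main__":
    print(classify_cpuid(0x80000000, *VMWARE_REGS))   # VMware
    print(classify_cpuid(0x80000000, *KVM_REGS))      # KVM
    print(classify_cpuid(0x00000000, *VMWARE_REGS))   # bare-metal (bit 31 clear, signature ignored)
    print(cpuinfo_reports_hypervisor(GUEST_CPUINFO))   # True
    print(cpuinfo_reports_hypervisor(HOST_CPUINFO))    # False
```

Bit 31 of leaf 1 is set by the hypervisor when it intercepts the CPUID instruction, so on a physical host it reads zero regardless of what software is installed; making this particular check report "virtualized" means actually running under a hypervisor, which is the practical route the first answer gives. virt-what additionally consults DMI/SMBIOS strings and a few vendor-specific probes, but the CPUID path is the one a user-space program cannot influence.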

-1

Why are you installing questionable software on your system? I think the best security practice is to use or purchase software from reliable sources (the vendor itself or a reliable open source community). In addition, buy a good security solution; I have NOD32 and have never, not even once, had an issue.

1
  • Because I am doing malware analysis for my employer. I want to know what the malware is attempting to access, and if it is downloading additional payloads. I can't know this if I can't easily analyze it. If it detects a VM (which is easy), then using a VM is of little use.
    – Mick
    Commented Jul 26, 2009 at 17:37
