Stopping Malware With a Fake Virtual Machine

As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats can also detect monitoring tools used for malware analysis. Often such malware will not execute or change their behavior to appear harmless. Because some malware uses these tactics, planting fake virtual machine artefacts or fake analysis tools on a system could stop their malicious behavior. We have created a quick proof of concept (POC) to demonstrate this defensive tactic.

Some malware use a mutex or registry key to avoid re-infecting a machine. For example, a previous version of Locky used a registry key with the string “locky” to check if the machine was already infected. This variant also used a basic check to verify if the local language was Russian; if it was, the ransomware did not infect the machine. With this kind of information, security analysts can proactively configure these artefacts to boost protection against some malicious software.

The following diagram illustrates this concept:

20170118 Roccia fake vm 1

 

Proof of concept functions

Sandboxes and virtual environments are full of artefacts that betray their analysis environment. Malware can protect itself against these by running some checks to detect such environments before performing any malicious actions. Our POC will reproduce a virtual environment on a normal user machine. It is available at https://github.com/fr0gger/RocProtect-V1.

Creating fake registry keys

A lot of registry keys are created by specific tools or by sandbox emulation. Using the Windows API RegCreateKeyEx we can create all the (fake) keys normally created by a virtual hypervisor.

The following list shows of few of the potential registry keys that malware can detect:

  • HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\“Identifier”;“VMWARE”
  • HKLM\SOFTWARE\VMware, Inc.\VMware Tools
  • HKLM\HARDWARE\Description\System\ “SystemBiosVersion”;”VMWARE”
  • HKLM\HARDWARE\Description\System\”SystemBiosVersion”;VBOX
  • HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
  • HKLM\HARDWARE\ACPI\DSDT\VBOX__

The following function explains in more detail the registry key creation process:

RegCreateKeyEx(
HKEY_LOCAL_MACHINE, // registry key
RegValuePath[i], // subkey
0, // reserved and must be 0
NULL, // class type of the key
REG_OPTION_NON_VOLATILE, // keep the key after reboot
KEY_WRITE, // registry key security and access right
NULL, // security attributes
&hKey, // handle to the opened key
NULL) // determine weither the key exists or not

 

Other API functions are used to set a value on a previously created key (RegOpenKeyEx, RegSetValueEx).

Creating fake processes

The hypervisor runs several processes in the virtual machine to perform actions and ensure compatibility with the host machine. For example, VirtualBox uses several processes on a machine that can be spotted by malware.

The following list shows processes created by VirtualBox:

  • exe
  • exe
  • exe

The function CreateProcess can be used to load a fake process into memory:

CreateProcess(
ProcessName[i], // name of the fake process
NULL, // additional command line
NULL, // security attributes
NULL, // security attributes
FALSE, // handle are not inherited
CREATE_SUSPENDED, // create the process in suspended mode to avoid resource consumption
NULL, // pointer to the environment block
NULL, // specific directory for the file
&si, // startup info
&pi) // process info

 

Creating fake files

Malware can also try to detect the presence of any files related to virtual environments. A lot of driver or DLL files are created by the hypervisor.

The following list shows a short extract of potential virtual files:

  • C:\\WINDOWS\system32\drivers\VBoxMouse.sys
  • C:\\WINDOWS\system32\vboxhook.dll
  • C:\\WINDOWS\system32\vboxdisp.dll
  • C:\\Windows\system32\drivers\vmmouse.sys
  • C:\\system32\drivers\vmhgfs.sys

The function CreateFile can be used to create fake files on the system:

CreateFile(
fname[i],// open file
GENERIC_WRITE, // open for writing
0, // do not share
NULL, // default security
OPEN_ALWAYS, // open or create
FILE_ATTRIBUTE_NORMAL, // normal file
NULL) == INVALID_HANDLE_VALUE) // no attribute template

 

Creating a fake MAC address

VirtualBox and VMware use default MAC addresses on virtual machines. The VirtualBox default address uses the first three bytes 08:00:27. The VMware default address uses the first three bytes 00:0C:29, 00:1C:14, 00:50:56, or 00:05:69. Malware can detect these MAC addresses by requesting the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0000\NetworkAddress

 

Proof of Concept

We have tested some samples with “VM aware” capabilities with our tool. In each case the malware did not run and the machine was not infected.

The tool Pafish, an open-source project, uses similar tricks as malware to identify virtual environments. We used Pafish to observe the difference between a normal machine and a machine set up with our tool emulating a virtual machine.

The following screenshot shows the output of Pafish with few detections of a virtual environment:

20170118 Roccia fake vm 2

After running our tool, we can clearly see the differences in detection.

20170118 Roccia fake vm 3

On the left we see the output of RocProtect, our proof of concept, which created fake artefacts on the machine. On the right we see the output of Pafish that shows us the number of detections.

Malware is constantly becoming more advanced. Analysis and detection are become harder and very time consuming. This proof of concept introduces a different way to protect against malware infections by emulating a virtual environment. Of course, this tool cannot replace a real security application, but it can complement your defenses. Sometimes we need to try different tactics to fight malware.

Leave a Comment

fourteen + 17 =