Deleted member 21043 (thread author)
Hello,
I decided to make a thread for the discussion and explanation of "Anti-Virtualization" and "Anti-Sandboxing" and the techniques malware writers use to accomplish such a thing.
I will start off with Anti-Virtualization:
Anti-Virtualization is basically when a sample is aware that it is being virtualized (e.g. executing in a Virtual Machine) and prevents itself from executing any malicious actions, to attempt to trick the user who is testing the sample.
I will list a few ways as to how it may go about doing this:
- Enumerating all the processes on the system and checking for known processes which are related to, and indicate, being run in a virtualized environment, such as: the processes used by VMware Tools, the processes used by VirtualBox Guest Additions, ...
- Checking the BIOS information.
Anti-Sandboxing:
Anti-Sandboxing is a technique used by malware writers to try to avoid being sandboxed. For example, it may enumerate all the processes and try to pick out the ones used by sandboxes. If it is targeting Sandboxie (doesn't want to be sandboxed under Sandboxie), it may look for SbieCtrl.exe and, when it finds it, show a fake error message saying the sample won't work on this system, or an error about it loading, and then terminate, or just terminate instantly. As an alternative, it may load but chan
I must make a thread with a sample which is Anti-Virtualization/Anti-Sandboxing to show a real, live example.
There are many ways it can be accomplished. Feel free to leave any questions/ideas you have or any techniques you know of which they use.
Spot any mistakes? Let me know so I can fix them.
Cheers.
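The two checks the post describes (looking for guest-tools and Sandboxie processes, and looking at BIOS strings) as an added illustrative example. This is not code from the original post; the process names beyond SbieCtrl.exe, the BIOS marker substrings and the registry/sysfs locations are my assumptions about where a sample would typically look, and the two snapshots at the bottom are constructed, not captured from a real machine. The same functions are just as useful in the other direction, to see what an analysis VM leaks before a sample is run on it.

```python
"""Added illustrative example (not code from the original post): the two
anti-VM / anti-sandbox checks the post describes, process enumeration and a
BIOS-string check, with constructed sample data so it runs anywhere."""
import os
import platform
import subprocess

# Guest-tools and sandbox processes a sample might look for (assumed list).
# SbieCtrl.exe is the one the post names; the rest are the usual
# VMware Tools / VirtualBox Guest Additions / Sandboxie processes.
VM_PROCESSES = {
    "vmtoolsd.exe": "VMware Tools",
    "vmwaretray.exe": "VMware Tools",
    "vmwareuser.exe": "VMware Tools",
    "vboxservice.exe": "VirtualBox Guest Additions",
    "vboxtray.exe": "VirtualBox Guest Additions",
}
SANDBOX_PROCESSES = {
    "sbiectrl.exe": "Sandboxie",
    "sbiesvc.exe": "Sandboxie",
}
# Substrings typically found in hypervisor BIOS/DMI vendor and product strings (assumed).
BIOS_MARKERS = ("vmware", "virtualbox", "vbox", "innotek", "qemu", "bochs")


def check_processes(names):
    """Map each known VM/sandbox process found in `names` to the product it belongs to."""
    hits = {}
    for name in names:
        key = os.path.basename(name).lower()   # case-insensitive, path stripped
        product = VM_PROCESSES.get(key) or SANDBOX_PROCESSES.get(key)
        if product:
            hits[key] = product
    return hits


def check_bios(strings):
    """Return the hypervisor markers present in the BIOS/DMI strings, in BIOS_MARKERS order."""
    blob = " ".join(s.lower() for s in strings if s)
    return [m for m in BIOS_MARKERS if m in blob]


def is_analysis_environment(process_names, bios_strings):
    """The decision a sample would make before running (or withholding) its payload."""
    return bool(check_processes(process_names)) or bool(check_bios(bios_strings))


def live_process_names():
    """Real enumeration: `tasklist` on Windows, /proc on Linux (empty list elsewhere)."""
    if platform.system() == "Windows":
        out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                             capture_output=True, text=True).stdout
        # Each line is "Image Name","PID",...; keep the first quoted field.
        return [line.split('","')[0].strip('"')
                for line in out.splitlines() if line.startswith('"')]
    names = []
    if os.path.isdir("/proc"):
        for pid in os.listdir("/proc"):
            if pid.isdigit():
                try:
                    with open(f"/proc/{pid}/comm") as fh:
                        names.append(fh.read().strip())
                except OSError:
                    pass
    return names


def live_bios_strings():
    """Real BIOS/DMI strings: registry on Windows, sysfs on Linux (empty list elsewhere)."""
    values = []
    if platform.system() == "Windows":
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"HARDWARE\DESCRIPTION\System\BIOS") as key:
            for value_name in ("BIOSVendor", "SystemManufacturer", "SystemProductName"):
                try:
                    values.append(str(winreg.QueryValueEx(key, value_name)[0]))
                except OSError:
                    pass
    else:
        for entry in ("bios_vendor", "sys_vendor", "product_name"):
            try:
                with open(f"/sys/class/dmi/id/{entry}") as fh:
                    values.append(fh.read().strip())
            except OSError:
                pass
    return values


# Constructed sample data (not captured from a real machine).
SAMPLE_PROCESSES = ["System", "explorer.exe", "vmtoolsd.exe", "SbieCtrl.exe", "notepad.exe"]
SAMPLE_BIOS = ["innotek GmbH", "innotek GmbH", "VirtualBox"]
CLEAN_PROCESSES = ["System", "explorer.exe", "notepad.exe"]
CLEAN_BIOS = ["Dell Inc.", "Dell Inc.", "OptiPlex 7090"]

if __name__ == "__main__":
    print("constructed VM snapshot:", check_processes(SAMPLE_PROCESSES), check_bios(SAMPLE_BIOS))
    print("constructed clean snapshot:", is_analysis_environment(CLEAN_PROCESSES, CLEAN_BIOS))
    print("this host:", is_analysis_environment(live_process_names(), live_bios_strings()))
```

Running it on an analysis VM with VMware Tools or Guest Additions installed, or with Sandboxie's control process open, prints `True` for "this host"; the remedy on the analyst side is to rename or not run those helper processes and to patch the DMI/SMBIOS strings the hypervisor exposes, which is exactly what the more careful samples then go looking for elsewhere.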