Malware Analysis New Evasion Encyclopedia Shows How Malware Detects Virtual Machines

silversurfer

A new Malware Evasion Encyclopedia has been launched that offers insight into the various methods malware uses to detect if it is running under a virtual environment.

To evade detection and analysis by security researchers, malware may check if it is running under a virtualized environment, such as a virtual machine in VirtualBox or VMware.

If these checks indicate that it is being run in a VM, the malware will simply not run, and in some cases, delete itself to prevent analysis.

The Malware Evasion Encyclopedia

Created by Check Point Research, the Malware Evasion Encyclopedia is broken into different categories of information that a malware will use to detect if it is running under a virtual machine.

While sharing this information may allow malware authors to learn some new techniques, Check Point feels that the value to the information security community far outweighs any benefit to malware developers.

"It is our belief the value of sharing with the community is far greater than the risk of malware authors using this," Check Point Research told BleepingComputer.

The current sections in the encyclopedia with listed techniques are:
  • Filesystem
  • Registry
  • Generic OS queries
  • Global OS objects
  • UI artifacts
  • OS features
  • Processes
  • Network
  • CPU
  • Hardware
  • Firmware tables
  • Hooks
  • macOS
Inside each section are code snippets that illustrate how malware determines if it is running under a virtual environment and suggested countermeasures to defeat these checks.

For example, the 'Processes' section shows how malware checks for certain processes used by VMs, the 'Firmware Tables' section explains how malware looks for certain strings in the BIOS, and the 'Generic OS queries' section lists user names that are commonly looked for. [....]
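As an added example (not code from the article or from the encyclopedia itself), the audit below takes a constructed snapshot of an analysis VM and flags the three artifact classes the paragraph names (VM processes, firmware strings, user names) so an operator can clean them before detonating a sample. The indicator sets are assumptions drawn from commonly known VM artifacts, not the encyclopedia's own lists.

```python
# Added example: audit a constructed analysis-VM snapshot for artifacts that
# VM-aware malware keys on. Indicator sets below are assumptions (well-known
# VM artifacts), not the encyclopedia's lists.

# Hypothetical indicator sets, all lower case for case-insensitive matching.
VM_PROCESSES = {"vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe"}
FIRMWARE_MARKERS = ("virtualbox", "vmware", "qemu", "innotek", "bochs")
SUSPECT_USERNAMES = {"sandbox", "malware", "virus", "sample", "test"}

# Constructed snapshot of a default VirtualBox guest, as a sandbox operator
# might collect it before detonation (not real telemetry).
SAMPLE_SNAPSHOT = {
    "processes": ["explorer.exe", "VBoxService.exe", "VBoxTray.exe", "svchost.exe"],
    "bios_vendor": "innotek GmbH",
    "system_manufacturer": "innotek GmbH",
    "username": "sandbox",
}


def audit_snapshot(snapshot):
    """Map each encyclopedia category checked here to the artifacts that expose it."""
    findings = {"Processes": [], "Firmware tables": [], "Generic OS queries": []}
    for proc in snapshot.get("processes", []):
        if proc.lower() in VM_PROCESSES:
            findings["Processes"].append(proc)
    for field in ("bios_vendor", "system_manufacturer"):
        value = snapshot.get(field, "")
        if any(marker in value.lower() for marker in FIRMWARE_MARKERS):
            findings["Firmware tables"].append(f"{field}={value!r}")
    user = snapshot.get("username", "")
    if user.lower() in SUSPECT_USERNAMES:
        findings["Generic OS queries"].append(f"username={user!r}")
    return findings


def exposed_categories(snapshot):
    """Sorted list of categories a VM-aware sample could use to spot this guest."""
    return sorted(cat for cat, hits in audit_snapshot(snapshot).items() if hits)


if __name__ == "__main__":
    for category, hits in audit_snapshot(SAMPLE_SNAPSHOT).items():
        status = "EXPOSED" if hits else "clean"
        print(f"{category:<20} {status:<8} {', '.join(hits)}")
```

An empty result from `exposed_categories` means none of the three checks implemented here would reveal the guest; the remaining encyclopedia categories (registry, hardware, hooks, and so on) still need their own checks.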