What to Know Before Choosing a Malware Analysis Environment

vemn

Feb 11, 2017

Wave

Some people don't believe me when I say this, but some of the simplest threats can detect a virtual environment too. It's incredibly easy for any malware author to implement basic identification methods for virtualization, at the least through something called copy-paste off online code examples; there's plenty out there for detecting VirtualBox/VMware/sandbox systems like Sandboxie...

1. Processes running in memory -> identifier
2. Registry -> identifier
3. Running services -> identifier
... There are plenty more identifiers besides the ones above, too.

 

Wingman

Feb 6, 2017
Some people don't believe me when I say this but some of the simplest threats can detect a virtual environment

Couldn't agree more. Interestingly enough, very few samples - definitely not commodity malware - use these techniques. Since every organisation is virtualizing (one way or another, for cost savings, faster BCP scenarios, etc.), it probably doesn't make sense for the malware authors to limit their samples' capabilities.
 

WinXPert

Jan 9, 2013
Some people don't believe me when I say this, but some of the simplest threats can detect a virtual environment too. It's incredibly easy for any malware author to implement basic identification methods for virtualization, at the least through something called copy-paste off online code examples; there's plenty out there for detecting VirtualBox/VMware/sandbox systems like Sandboxie...

What about Deep Freeze, Shadow Defender or Time Freeze?
 

Wave

@Wave,

do you know if it is possible to make VMs less detectable, and how?
Is one VM (VMware, VirtualBox, SD, Sandboxie...) less detectable than another? Thank you ;)
Well, VirtualBox and VMware are on a similar level IMO, but since some virtual machine software may have different features, it brings new identifiers, sadly...

One way to conceal VM usage would be not to use Guest Additions; however, it's very useful to use them... And there are tons of other identifiers.

I'll do some research later and either post another reply here or send you a PM since I'm typing from a phone and it's almost 4am :)

What about Deep Freeze, Shadow Defender or Time Freeze?
Yes, all such software will have identifiers which can be used from within code, too. However, it depends on the functionality of the software sometimes (e.g. Sandboxie injects a DLL called SbieDll, so you can check if it's a loaded module in your process to detect its presence, or just check for hooked functions and as a result identify BB/HIPS or dynamic heuristics, which isn't exclusive to a specific security product, too!) :)
 

XhenEd

Mar 1, 2014
I agree that if you want real testing, you use a real environment, simulating the regular user's computer system. But I don't see any problem using a VM to test, as long as the tester is aware that if a malware sample fails to execute, the malware might have detected the artificial environment, or the required components (e.g. .NET, Java, etc.) might not be present, and thus the tester must not immediately draw conclusions about the effectiveness of the AV that is tested.

HitmanPro.Alert's Vaccination (especially the active vaccination) takes advantage of this supposed weakness of malware testing. So, in a host environment, the malware may think that it's in a VM/sandbox rather than in a real environment. So, instead of running, the malware would self-destruct or self-stop. :)
 

vemn

Feb 11, 2017
Well, VirtualBox and VMware are on a similar level IMO, but since some virtual machine software may have different features, it brings new identifiers, sadly...

One way to conceal VM usage would be not to use Guest Additions; however, it's very useful to use them... And there are tons of other identifiers.

I'll do some research later and either post another reply here or send you a PM since I'm typing from a phone and it's almost 4am :)


Yes, all such software will have identifiers which can be used from within code, too. However, it depends on the functionality of the software sometimes (e.g. Sandboxie injects a DLL called SbieDll, so you can check if it's a loaded module in your process to detect its presence, or just check for hooked functions and as a result identify BB/HIPS or dynamic heuristics, which isn't exclusive to a specific security product, too!) :)

Ah @Solarquest, you asked the question I wanted to!
Heard a lot about sandbox evasion (VM), so I wonder what's the way out for this, though all sandbox vendors claimed to have anti-sandbox-evasion techniques.
Thanks @Wave for explaining!
 

vemn

Feb 11, 2017
Oh, another thing I'm curious about is the possibility for malware in a sandbox to escape out to the hypervisor to infect the vendor appliance, or even worse, enter the customer network.

For example:
Deep Discovery Analyzer of TM uses VirtualBox.
Typically a malware submission goes through the mgmt port, spins up an instance, throws in the malware and detonates it. Any C&C callback or outbound network traffic will go via another port on the appliance, supposedly segregated from the mgmt network (a.k.a. the customer segment).

Is there such an instance where the malware did a C&C callback to the hacker server and, when it returns, tries to escape out or "hop" over to the other port?

Always curious about this.
 

Solarquest

Jul 22, 2014
If you are serious about malware testing, just buy/use another machine; no less, no more. If you are just curious, just use a VM or similar.


Agreed... the "only" problem is when you get a BIOS or firmware rootkit... or even an MBR, VBR or VMM one... then a format or a Windows reinstall won't help... All very difficult to detect and to get rid of... Many people/testers don't know about this risk.
The good news is that they are not common, and probably improbable to land on a "normal" tester's PC.
 

Wingman

Feb 6, 2017
Just to add my 2 cents as well on this: for every VM solution (whether that is VirtualBox or VS) there are identifiers. Identification methods can vary (anything from "is VS installed" up to "what is the MAC address of the NIC, and check that they are not virtualized").

I have seen malware that detects VM instances by checking the session activity (mouse movement). This is the reason why more advanced sandbox solutions try to perform actions that a user would do on their normal desktop/asset.

(Time for coffee )
 

Wave

Heard a lot about sandbox evasion (VM), so I wonder what's the way out for this, though all sandbox vendors claimed to have anti-sandbox-evasion techniques.
Haha, well, these anti-sandbox-evasion techniques may patch up known methods, but there will be a workaround to bypass the patch and use the same method (the same way that API hooks can be bypassed), or a new identifier will be found and abused for anti-sandbox uses.

Agreed... the "only" problem is when you get a BIOS or firmware rootkit... or even an MBR, VBR or VMM one... then a format or a Windows reinstall won't help... All very difficult to detect and to get rid of... Many people/testers don't know about this risk.
The good news is that they are not common, and probably improbable to land on a "normal" tester's PC.
I agree, and I also agree that they are not common at all - in fact they are even less than not common; the chance of you running into something like a firmware rootkit is probably less than 1% out of millions of samples IMO.

MBR attacks are not common but still used by some malware like Petya these days; however, they used to be quite common due to bootkits. Even on a dedicated testing machine you can fix this relatively easily if you have experience with a boot disc/roll-back that supports the MBR.

However, as for threats like firmware rootkits, you will do both static and dynamic analysis, so you'll most likely identify this through studying the code... The problem is you might not understand what is going on if you're not experienced enough, like in the Zero Days film where they struggled a lot to reverse Stuxnet due to how clean and well-done it was.

Formatting and then reinstalling Windows is always the best idea in terms of normal infections; however, if you feel you might have a firmware rootkit then you'll need to flash the BIOS. Like I said though, the chances are so small... I've never met anyone who has had a firmware infection, actually.

Oh, another thing I'm curious about is the possibility for malware in a sandbox to escape out to the hypervisor to infect the vendor appliance, or even worse, enter the customer network.
Once again, I highly doubt you'll find a sample which can do this either... But for what it's worth, I can tell you that it is definitely possible to bypass the hypervisor, leading to escape, the same way it is possible to bypass PatchGuard on Windows one way or another or exploit AV software...

An exploit is abusing a vulnerability and everything has vulnerabilities somewhere down the line, and whether they have been discovered yet or not is another story.

So it is possible, just extremely unlikely it'll ever happen, especially to you whilst doing malware analysis.

Is there such an instance where the malware did a C&C callback to the hacker server and, when it returns, tries to escape out or "hop" over to the other port?
Unrelated to the question, but it is however possible for malware to leak the user's real IP address regardless of a software-based VPN; it turns out that some Windows processes do not follow the route table for the VPN software. But once again, extremely unlikely... I don't think I've ever seen a sample do this before, either.
 

Wave

Unrelated to the question, but it is however possible for malware to leak the user's real IP address regardless of a software-based VPN; it turns out that some Windows processes do not follow the route table for the VPN software. But once again, extremely unlikely... I don't think I've ever seen a sample do this before, either.
I will do my research again and let you know, since I am not experienced with networking. I learnt about it when I was studying how WebRTC managed to leak the real IP address; I believe it's to do with a Windows process which doesn't follow the rules of the VPN software. Maybe svchost.exe (or if anyone here does know the info, please quote me and let me know!)
 

jamescv7

Mar 15, 2011
I should agree regarding the usage of a virtual machine by open source, although malware/viruses will just disrupt the execution when detected on a VM or sandbox rather than overflow through different ways.

Since a threat already knows that nothing will happen in an isolated environment.

Yes, it's possible that a VM/sandbox may pose a risk of leakage during malware activity; however, the chances will be minimal as it's reported immediately as a possible vulnerability.
 

Dirk41

Mar 17, 2016
Thank you for sharing and thank you for all the useful comments (@Wave in particular).

I knew some malware can detect a virtual environment (I did not know how many of them).

But shouldn't AV detect them even if they are not launched?

(Anyway, I think products like SBIE and SD are still very useful against auto-download, for example. And as long as you don't put the sw/malware out of the virtual environment and you download from official websites, the threat is not so high.)
 

Wave

But shouldn't AV detect them even if they are not launched?
What do you mean?

(Anyway, I think products like SBIE and SD are still very useful against auto-download, for example. And as long as you don't put the sw/malware out of the virtual environment and you download from official websites, the threat is not so high.)
Even if malware can identify the virtual environment, they are still useful. Anyway, unless you've done proper research, you shouldn't be taking it out from whichever isolated container you are using.

Running an app in a sandbox is not a good idea just to determine whether it is clean to be run on the host or not. In fact, a lot of the time with software like Sandboxie even some normal apps can't work right... best to stick to using a web browser with them.

Software like Shadow Defender is more well-done for normal usage on a host system for all apps.
 

Dirk41

Mar 17, 2016
What do you mean?

Thank you.
Sorry, I meant: malware maybe does not show its malicious abilities in a virtual environment, but AV is not able to detect it if you don't double-click on the malware?
 

Wave

Sorry, I meant: malware maybe does not show its malicious abilities in a virtual environment, but AV is not able to detect it if you don't double-click on the malware?
I still don't understand what you mean, but I will try to guess...

1. AV software usually incorporates both static and dynamic identification methods; static analysis can include checksum hash detection and static heuristics (generic detection through bytes in the PE compared to a database for byte detection, scanning of the Import Address Table, checking the PE file header for suspicious characteristics, etc.), whereas dynamic analysis can include logging the behavior of the running sample to catch suspicious/malicious behavior, to help it determine whether it should block the sample or not.

Static = without execution (so on disk "as-is")
Dynamic = during execution

2. AV software can detect if a program is going to check for signs of a virtual environment through byte detection, as long as the sample is naked (e.g. no packing/obfuscation, otherwise that would be bypassed); however, this would cause FPs since some genuine software does this too. It can also do it dynamically, although it seems the vendors don't bother checking this dynamically...

Maybe that helped?
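The static "byte detection" heuristic from the post above, with its two caveats (it only works on a naked sample, and genuine software trips it too), as an added Python example that is not code from this thread or from any AV vendor. The indicator list (SbieDll from the thread plus commonly documented guest-tool process names), the 7.2 entropy cut-off and the sample bytes are all assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Strings a VM/sandbox-aware sample might compare against. SbieDll comes from
# the thread; the rest are widely documented guest-tool process names. This
# is an assumed, illustrative list; a real engine carries far more signatures.
INDICATORS = ["SbieDll.dll", "VBoxService.exe", "VBoxTray.exe", "vmtoolsd.exe"]

# Compile each indicator as ASCII and as UTF-16LE (how Windows binaries store
# wide strings), case-insensitively, so "sbiedll.dll" and L"SbieDll.dll" hit.
PATTERNS = [(ind, re.compile(re.escape(ind.encode("ascii")), re.IGNORECASE),
             re.compile(re.escape(ind.encode("utf-16-le")), re.IGNORECASE))
            for ind in INDICATORS]

def entropy(blob: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data nears 8.0."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())

def scan(blob: bytes) -> dict:
    """Count occurrences of each indicator string in either encoding."""
    hits = {}
    for name, narrow, wide in PATTERNS:
        count = len(narrow.findall(blob)) + len(wide.findall(blob))
        if count:
            hits[name] = count
    return hits

def verdict(blob: bytes, min_distinct: int = 2) -> str:
    """Triage label. Counts distinct indicators rather than raw matches and
    refuses to judge packed input, since byte scanning only works on a naked
    sample. It never says 'malicious': VM guest tools and installers also
    contain these names, so a hit is a reason to look closer, not a verdict."""
    if entropy(blob) > 7.2:  # assumed cut-off; tune against a known corpus
        return "packed-unreliable"
    distinct = len(scan(blob))
    if distinct == 0:
        return "no-vm-check-strings"
    return "vm-aware-suspicious" if distinct >= min_distinct else "weak-signal"

# Constructed stand-ins for an unpacked PE body (not real malware bytes).
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + "VBoxService.exe".encode("utf-16-le") + b"\x00\x00"
          + b"SbieDll.dll\x00kernel32.dll\x00GetModuleHandleA\x00")
CLEAN = b"MZ\x90\x00" + b"hello world\x00" * 4
```

Feeding `bytes(range(256)) * 4` to `verdict` returns "packed-unreliable", which is the point of the entropy gate: once a sample is packed, this kind of string match is blind and only dynamic analysis is left.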
 
