Skip navigation.
Home

Static Check for VM-aware malware

|

Does anyone know of a tool that can perform a static check against an executable to determine the possibility of it being VM-aware? Linux tool is preferred, but I'll take anything at this point.

Thanks,
Rob

below link may give some

below link may give some information

http://radlab.cs.berkeley.edu/w/uploads/3/3d/Detecting_VM_Aware_Malware.pdf

anupam

Nope

There doesn't seem to be a hard-coded VM-aware detection program out there. I'm considering making one but that comes with two threats. The first being that if you create a tool to detect something that bad guys don't want you to detect, they will figure out what exactly you are trying to detect and you will change how they are doing it, of course your tool will work against legacy malware but all the new stuff will be lost to you until you update everything. The second being that most malware which sports that kind of functionality, won't just keep it out in the open, meaning that the particular vm-detect code is probably packed or wound up in some kind of obfuscation algorithm. So being able to statically determine if malware is using VM-detection is incredibly difficult. I guess the best way to do it would be to have the tool execute the malware till it finds some vm-detection code then kill it instantly.

Exists no failsafe method, i

Exists no failsafe method, i think. If it did and get known, then it will soon be a counter method.