Malware & Virtual Machines

I've done some reading through the forums here, and like one of the other posters (albeit from 2009) I've actually been looking to do some simple virus removal practice with some of the other technicians I work with. Most of them are pretty good, but in trying to make sure everyone meets a minimum level of knowledge, I'd like to have a mess about and get them some practice.

Unfortunately many, if not all, of the samples I can get my hands on seem to be VM-aware. It seems remarkably impractical for me to actually use a dummy machine and various Ghost images just to get a little practice, so what can I do about this? The more recent the better.

Is there any malware these days that isn't VM-aware? Or is there anything I can do to obfuscate the fact that it's in a VM? I've read about how malware checks, and how much work is involved in hiding the fact that you're running in VMware, but I'm just as happy to use VirtualBox or anything else really.

What's the best way to go about setting up a practice station?

I wouldn't stray away from

I wouldn't stray away from using VMware to do malware research. Of course it is a pain having to do a little extra work getting around VM-awareness, but it's a lot more time consuming to repeatedly restore to a Ghost image.

And more recent malware development techniques are moving away from VM-aware code, due to the fact that a lot of practical work environments are virtualized now; especially servers.

http://blog.fireeye.com/research/2011/01/the-dead-giveaways-of-vm-aware-malware.html

Patch it

It might not be the ideal solution, but you could manually patch the code with OllyDbg so it doesn't detect your system. Pretty easy once you get the hang of it.

Here is the link to a great PDF presentation on VM-detection methods, it's a little dated but it will give you a good idea of what you might see out there:

http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

Good luck!

+Edisun
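To make the "patch it" advice concrete, here is an added example of the kind of checks the linked Liston/Skoudis slides catalogue, written for this page and not taken from either poster or the presentation. It is C for GCC or Clang on x86 Linux and runs three classic checks: the CPUID hypervisor-present bit and vendor signature leaf, the MAC address OUI prefix (VMware and VirtualBox allocations), and the presence of guest-tools binaries. The OUI table, the tool paths and the MAC string fed to `main` are my assumptions and constructed sample data, not anything the thread states.

```c
/* Added example: three VM checks of the kind malware uses, and the single
 * decision branch a patcher would NOP out. GCC/Clang on x86 Linux assumed. */
#include <cpuid.h>   /* __get_cpuid, __cpuid (GCC/Clang x86 only) */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Check 1: CPUID. Leaf 1, ECX bit 31 is the "hypervisor present" bit;
 * leaf 0x40000000 returns a 12-byte vendor signature in EBX:ECX:EDX.
 * Returns 1 and fills sig when a hypervisor announces itself. */
int hypervisor_signature(char sig[13]) {
    sig[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return 0;
    if (!(ecx & (1u << 31))) return 0;      /* bare metal, or a hypervisor hiding the bit */
    __cpuid(0x40000000, eax, ebx, ecx, edx); /* macro: no max-leaf check, which would reject this leaf */
    memcpy(sig,     &ebx, 4);                /* little-endian: register bytes are the ASCII order */
    memcpy(sig + 4, &ecx, 4);
    memcpy(sig + 8, &edx, 4);
    sig[12] = '\0';
    return 1;
#else
    return 0;                                /* non-x86: this check does not apply */
#endif
}

/* Maps a CPUID vendor signature to a product name, or NULL if unknown. */
const char *classify_hypervisor(const char *sig) {
    static const struct { const char *sig; const char *name; } table[] = {
        { "VMwareVMware", "VMware" },
        { "VBoxVBoxVBox", "VirtualBox" },
        { "KVMKVMKVM",    "KVM" },
        { "Microsoft Hv", "Hyper-V" },
        { "XenVMMXenVMM", "Xen" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(sig, table[i].sig) == 0) return table[i].name;
    return NULL;
}

/* Check 2: MAC OUI. mac is "xx:xx:xx:xx:xx:xx"; returns the virtual NIC
 * vendor whose OUI matches, or NULL. OUI table is the author's assumption. */
const char *vm_vendor_from_mac(const char *mac) {
    static const struct { unsigned char oui[3]; const char *name; } table[] = {
        { {0x00, 0x05, 0x69}, "VMware" },
        { {0x00, 0x0C, 0x29}, "VMware" },
        { {0x00, 0x1C, 0x14}, "VMware" },
        { {0x00, 0x50, 0x56}, "VMware" },
        { {0x08, 0x00, 0x27}, "VirtualBox" },
    };
    unsigned int b0, b1, b2;
    if (sscanf(mac, "%2x:%2x:%2x", &b0, &b1, &b2) != 3) return NULL;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].oui[0] == b0 && table[i].oui[1] == b1 && table[i].oui[2] == b2)
            return table[i].name;
    return NULL;
}

/* Check 3: guest-tools artifacts. Returns 1 if any listed path exists. */
int artifact_present(const char *const *paths, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (access(paths[i], F_OK) == 0) return 1;
    return 0;
}

/* The combined verdict: this is the conditional jump you would locate in
 * OllyDbg and patch (invert or NOP) so the sample proceeds as on bare metal. */
int is_vm_detected(const char *mac) {
    char sig[13];
    if (hypervisor_signature(sig) && classify_hypervisor(sig)) return 1;
    if (vm_vendor_from_mac(mac)) return 1;
    /* Assumed Linux install locations of VMware Tools and VirtualBox Guest Additions. */
    static const char *const tools[] = { "/usr/bin/vmtoolsd", "/usr/sbin/VBoxService" };
    return artifact_present(tools, sizeof tools / sizeof tools[0]);
}

int main(void) {
    const char *sample_mac = "00:0C:29:12:34:56";   /* constructed sample, a VMware OUI */
    char sig[13];
    if (hypervisor_signature(sig))
        printf("CPUID signature: %s (%s)\n", sig,
               classify_hypervisor(sig) ? classify_hypervisor(sig) : "unknown");
    else
        printf("CPUID: no hypervisor bit\n");
    printf("MAC %s -> %s\n", sample_mac,
           vm_vendor_from_mac(sample_mac) ? vm_vendor_from_mac(sample_mac) : "not a VM OUI");
    printf("verdict: %s\n", is_vm_detected(sample_mac) ? "VM detected" : "bare metal");
    return 0;
}
```

Each check is a separate function on purpose: when you are tracing a real sample, these show up as separate routines too, and the cheapest patch is usually the one conditional jump after the combined verdict rather than every individual check. Note that the CPUID and MAC checks are the easy ones to defeat from the hypervisor side (most hypervisors can be configured to hide the bit, and a virtual NIC's MAC can be set by hand); file and registry artifact checks are what you end up patching or renaming around.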