Analyzing VM-detecting malware
About a year ago, I read something about VM-detecting malware.
After studying this subject, there were a few thoughts which came to mind.
The first thought was: "How to analyze the behaviour/payload of VM-detecting malware without the use of a virtual computer, without sacrificing your computer, and without the need to re-install your OS after the analysis (= infection)?"
According to a SANS article this can be addressed either by patching the malware so it doesn't look for signs of VM environments, or by making changes to the VM environment that will trick the malware.
But there has to be another way...
From there the idea started.
At the moment, I'm developing a computer system for the purpose of analyzing (malicious) software, without the use of a virtual environment and without a 'Go Back' app (like Roxio).
You may call it a 'sacrificial machine', but it isn't really 'sacrificial', because this computer is developed for the purpose of malware behaviour analysis (read: infecting), followed by simply recovering/disinfecting the machine and preparing it for the next analysis without leaving a trace of the previous infection.
In other words: the computer is able to 'simply' disinfect and recover itself.
I don't use a 'Go Back' application, so I can also analyze malware behaviour after a computer reboot and the so-called 'trigger' malware.
After the static analysis (identification, de-compiling/reverse engineering, decrypting, etc.), I start the dynamic analysis by really infecting the machine while "in the background" some real-time monitoring apps and other programs are running, for gathering information about the behaviour/payload of the sample. After that, it is quite simple to recover/disinfect the machine for the next analysis.
At this moment, after a few months of developing, testing and improving this system, I'm quite satisfied. Now it's time for 'hard-core' testing.
That brings me to my question:
Which malware do YOU think I have to analyze with this system? Of course I'm particularly interested in VM-detecting malware (like Red Pill, Scoopy, Jerry).
Which malware has to be analyzed in a non-VM-environment?
(I'm only interested in the names/aliases. I already have a large, well-organized collection, so (probably) I don't need samples. Most of them I already have.)
Maybe you're interested in the following: I already did some analysis with this computer (of course) and the results were often very different from the virii analysis/descriptions made by the AV companies. The only reason I can give for this is that the behaviour of such malware is different in a VM/sandbox. Only with 'real infection' does the real payload appear.
Ergo: which malware is VM-detecting and has to be analyzed on a 'real machine'? (Of course, the most interesting analysis results will be published at OC.)
Other suggestions and comments about the above are also welcome.
Thanks in advance,
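The SANS article mentioned above names two ways to cope with VM-aware samples in a VM: patch the sample, or change the VM so it no longer gives itself away. The second approach starts with knowing what the analysis VM exposes. The script below is an added example (not code from the original post or from any tool it mentions) that audits a snapshot of a guest's process list, MAC addresses and hardware strings against commonly documented hypervisor artifacts and reports what should be hidden or renamed before a run. The indicator lists and the sample snapshot are constructed for illustration and are assumed, not exhaustive.

```python
"""Audit an analysis VM for the artifacts that VM-aware malware checks for.

Added example, not code from the original post. The indicator lists are
assumptions drawn from commonly documented VMware / VirtualBox / QEMU / Xen /
Parallels artifacts; treat them as illustrative, not complete.
"""
import re

# Guest-tools processes that reveal a hypervisor (assumed, illustrative list).
VM_PROCESS_NAMES = {
    "vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe",
    "vboxservice.exe", "vboxtray.exe",
    "qemu-ga.exe", "prl_tools.exe",
}

# MAC address OUI prefixes registered to virtualisation vendors.
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "52:54:00": "QEMU/KVM",
    "00:16:3e": "Xen",
    "00:1c:42": "Parallels",
}

# Vendor names that typically appear in BIOS, disk model and device strings.
VM_VENDOR_PATTERN = re.compile(
    r"vmware|virtualbox|vbox|innotek|qemu|bochs|xen|parallels", re.I
)


def audit_processes(process_names):
    """Return the running processes that are known guest-tools binaries."""
    return sorted(p for p in process_names if p.lower() in VM_PROCESS_NAMES)


def audit_mac_addresses(mac_addresses):
    """Return (mac, vendor) pairs whose OUI belongs to a virtualisation vendor."""
    hits = []
    for mac in mac_addresses:
        oui = mac.lower().replace("-", ":")[:8]
        if oui in VM_MAC_OUIS:
            hits.append((mac, VM_MAC_OUIS[oui]))
    return hits


def audit_hardware_strings(strings):
    """Return hardware/BIOS strings that name a virtualisation vendor."""
    return [s for s in strings if VM_VENDOR_PATTERN.search(s)]


def audit_snapshot(snapshot):
    """Run every check over a snapshot dict and return the findings.

    Keys of the result are the snapshot categories that exposed something;
    an empty dict means the snapshot showed no known artifact.
    """
    findings = {}
    procs = audit_processes(snapshot.get("processes", []))
    if procs:
        findings["processes"] = procs
    macs = audit_mac_addresses(snapshot.get("mac_addresses", []))
    if macs:
        findings["mac_addresses"] = macs
    hw = audit_hardware_strings(snapshot.get("hardware_strings", []))
    if hw:
        findings["hardware_strings"] = hw
    return findings


# Constructed sample snapshot of a typical, unhardened VirtualBox guest.
SAMPLE_SNAPSHOT = {
    "processes": ["explorer.exe", "VBoxService.exe", "VBoxTray.exe", "svchost.exe"],
    "mac_addresses": ["08:00:27:3A:1B:2C"],
    "hardware_strings": ["innotek GmbH", "VBOX HARDDISK", "Intel(R) Core(TM)"],
}

if __name__ == "__main__":
    for category, items in audit_snapshot(SAMPLE_SNAPSHOT).items():
        print(f"{category}: {items}")
```

Feed it a snapshot collected from the guest (process list, adapter MACs, BIOS and disk identifiers) and fix every category it reports before running a sample. Note the limit of this approach: it only covers artifact checks. Instruction-level tricks such as Red Pill, which reads the IDT base with SIDT and compares it against the value a native kernel would leave there, depend on how the hypervisor virtualises the CPU rather than on anything you can rename, which is exactly the gap a bare-metal setup like the one described in the post is meant to close.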