3 hours 41 minutes
Hello, everyone, and welcome to the session on anti-analysis techniques. In this session, we're going to learn about the different types of features that malware authors like to include in an attempt to thwart analysis. So let's get started by looking at some anti-virtual-machine techniques.
Malware is sometimes built with anti-VM techniques, which will prevent a piece of malware from running if a virtual machine is detected.
Anti-VM techniques are commonly found in different types of bots, spyware and scareware.
Recently, however, the popularity of anti-VM malware has gone down because the number of machines running virtually has gone up. Nowadays, it's pretty commonplace to be running in a virtual client of some sort, so it's becoming beneficial for malware authors to remove these features in order to increase the likelihood of a compromise.
In general, there are a few ways that malware can detect if it's running in a VM.
The first is by looking at VM-related artifacts.
Typically, when you're running in a VM, you have the VMware or VirtualBox tools installed.
VMware Tools can add different artifacts to the process listings, registry and file system. As you can see here, I've got two VMware services running in my VM, and either one of these can be found if malware were to search for the string "VMware". In addition to the file system and services, malware can also detect virtual hardware, such as virtual hard drives, virtual network cards and motherboards.
Because the first three bytes of a MAC address (the OUI) are assigned to a specific vendor, malware can search for the address prefixes that are associated with VMware.
Malware can also detect virtualization through registry keys. Here I've listed a few keys that can be used to detect virtual environments, some related to virtual hardware, the installed virtualization tools, or other settings for virtualization.
Not only does anti-VM malware look at the registry, but because Windows is so dependent on PowerShell these days, it can be used to query the system for the presence of VMware.
Here I've included a command that uses WMI to check for the presence of VMware strings.
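As an added example (not the command shown in the session, and not part of the original transcript), the following PowerShell script pulls the four artifact sources covered so far (services and processes, driver files, registry keys and values, and virtual NIC MAC prefixes) together with a WMI/CIM query, so you can run it inside your own analysis VM and see exactly what would give the VM away. The service names, driver file names, registry paths and OUIs are well-known VMware and VirtualBox indicators; the exact list a given sample checks will differ, so treat these as a starting set rather than something the session prescribes.

```powershell
# Added example: enumerate the VM artifacts that anti-VM malware commonly looks for.
# Run inside the guest (VMware or VirtualBox). Indicator values below are well-known
# defaults for the two products, not an exhaustive list.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Services and processes installed by VMware Tools / VirtualBox Guest Additions
$serviceNames = 'VMTools', 'VGAuthService', 'vmvss', 'VBoxService'
foreach ($s in Get-Service -Name $serviceNames -ErrorAction SilentlyContinue) {
    $findings.Add("service: $($s.Name) ($($s.Status))")
}
$processNames = 'vmtoolsd', 'vmwaretray', 'vmacthlp', 'VBoxService', 'VBoxTray'
foreach ($p in Get-Process -Name $processNames -ErrorAction SilentlyContinue) {
    $findings.Add("process: $($p.ProcessName) (PID $($p.Id))")
}

# 2. Driver files dropped by the guest tools
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
foreach ($f in 'vmmouse.sys', 'vmhgfs.sys', 'vmci.sys', 'VBoxMouse.sys', 'VBoxGuest.sys', 'VBoxSF.sys') {
    if (Test-Path (Join-Path $driverDir $f)) { $findings.Add("file: $f") }
}

# 3. Registry: keys created by the tools, and hardware identifiers carrying the vendor string
$keys = @(
    'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools',
    'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxGuest'
)
foreach ($k in $keys) { if (Test-Path $k) { $findings.Add("registry key: $k") } }

$valueChecks = @(
    @{ Path = 'HKLM:\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0'; Name = 'Identifier' },
    @{ Path = 'HKLM:\HARDWARE\Description\System'; Name = 'SystemBiosVersion' },
    @{ Path = 'HKLM:\HARDWARE\Description\System'; Name = 'VideoBiosVersion' }
)
foreach ($c in $valueChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    # "$v" flattens REG_MULTI_SZ arrays to one string so a single -match covers them
    if ("$v" -match 'VMware|VBOX|VirtualBox') { $findings.Add("registry value: $($c.Path)\$($c.Name) = $v") }
}

# 4. Virtual hardware: NIC MAC prefixes (OUIs) registered to VMware and VirtualBox.
#    Get-NetAdapter reports MACs as XX-XX-XX-XX-XX-XX, so the OUI is the first 8 characters.
$vmOuis = '00-05-69', '00-0C-29', '00-1C-14', '00-50-56', '08-00-27'
foreach ($nic in Get-NetAdapter -ErrorAction SilentlyContinue) {
    if ($nic.MacAddress.Length -lt 8) { continue }   # some virtual adapters report no MAC
    $oui = $nic.MacAddress.Substring(0, 8).ToUpper()
    if ($vmOuis -contains $oui) { $findings.Add("mac: $($nic.Name) $($nic.MacAddress) (OUI $oui)") }
}

# 5. WMI/CIM: manufacturer, model and BIOS serial name the hypervisor outright
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
foreach ($pair in @("Manufacturer=$($cs.Manufacturer)", "Model=$($cs.Model)", "BIOS SerialNumber=$($bios.SerialNumber)")) {
    if ($pair -match 'VMware|VirtualBox|innotek') { $findings.Add("wmi: $pair") }
}

if ($findings.Count -eq 0) {
    Write-Output 'No VMware/VirtualBox artifacts found.'
} else {
    Write-Output "Found $($findings.Count) artifact(s) that anti-VM malware could key on:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Anything this script reports is something a sample could find with the same calls (or the equivalent Win32 APIs), so it doubles as a checklist for the workarounds discussed later: removing the tools clears items 1 to 3, while the hardware identifiers, MAC prefix and WMI values come from the virtual hardware itself and need VM-side configuration changes to hide.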
The last technique that is often used to detect VMs is the use of specific assembly instructions.
To operate optimally on virtualized x86 hardware, VMware allows certain x86 assembly instructions to execute without being properly virtualized.
The instructions in the following list won't be present in malware unless it is performing VMware detection.
So the best way to avoid this detection technique is to patch the binary so that it avoids calling these instructions.
Now we've talked a lot about how malware detects whether it's running in a VM. But how do we work around these techniques?
Well, to stop malware from detecting that you're running in a VM, there are a couple of things you can try, which are fairly simple.
The first is to remove the VMware or VirtualBox tools and stop the services.
Also, you could attempt to patch the program in IDA Pro so that it stops looking for virtual machine artifacts.
One technique you can use is to search for string references, and once you find the function that is performing this check, patch it to avoid further detection.
To prevent your VM from being detected, there's also a tool called Pafish.
This tool will scan your VM for the multiple detection methods that we discussed previously and makes recommendations as to how to fix them.
Last but not least, you could use a real hardware solution and implement a snapshotting tool like Deep Freeze.
Okay, so now that we've looked at how to prevent malware from detecting our virtual machine, in part two let's examine some anti-reverse-engineering strategies.
Advanced Malware Analysis: Redux
In this course, we introduce new techniques to help speed up analysis and transition students from malware analyst to reverse engineer. We skip the malware analysis lab setup and put participants hands-on with malware analysis.