Malware analysis is a critical practice in cybersecurity, but it can be risky if not done correctly. Running malware in a live environment can have unintended consequences, so it's essential to use a secure and isolated environment. VMware virtual machines (VMs) are a popular choice for malware analysis due to their flexibility and isolation capabilities. However, to truly ensure the safety of your host system and prevent the malware from escaping the VM, it's crucial to harden the VM's isolation.
Isolation Methods
There are multiple methods to create isolated laboratory environments for safe analysis practice. These methods can be categorized into three main groups:
Focusing on VMware VMs
This article will focus on hardening VMware VMs, specifically those created in the readily available VMware Workstation. While recognizing the value of tools like KVM/QEMU and Unicorn for expert analysts, this article will prioritize the fundamental techniques applicable within VMware Workstation.
Creating a Stealthy VM
A Stealthy VM refers to a virtual machine (VM) specifically hardened and configured to be as invisible and resistant to detection as possible. The goal of a Stealthy VM is to prevent malware from recognizing it as a virtual environment, limit its ability to interact with the outside world, and facilitate safe and effective analysis.
This repository serves as a platform for exploring and developing hypervisor-based security solutions. It contains code, documentation, and resources related to the project. - https://github.com/Scrut1ny/Hypervisor-Phantom
Hardening Techniques
To create a Stealthy VM, various hardening techniques can be employed:
Additional Considerations
In addition to the hardening techniques, consider the following:
Outsmarting Anti-VM Techniques
Malware authors are constantly looking for new ways to evade detection and analysis. One common technique is to try to detect whether the malware is running in a virtual machine (VM) environment. If the malware can detect that it is running in a VM, it can take steps to avoid detection or analysis.
There are a number of ways that malware can detect VMs. Some common methods include:
To counter these anti-VM techniques, various measures can be taken, such as disabling or enabling specific policies in the VM configuration, masking hardware identifiers, using tools to modify hardware signatures, and employing kernel-mode debugging.
Advanced Techniques and Tools
For more advanced techniques and tools, GitHub hosts several repositories that provide scripts, tools, and guides on implementing low-level tricks to further harden the VM's stealthiness.
Staying Ahead of the Game
The battle between malware authors and security researchers is an ongoing arms race. New anti-VM techniques emerge constantly, necessitating continuous adaptation and vigilance. Staying informed about the latest trends in malware detection and evasion, employing a layered approach to VM hardening, and actively testing your analysis environment's security are crucial to maintaining a secure and effective malware analysis sandbox.
Some tips for creating a Stealth VM that might be useful.
Static analysis always comes first: before launching into dynamic analysis of a malware sample, static analysis is the first step to know what we are facing. If in the process you find something like this:
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
mov eax, 12345678h
nop
mov ebx, eax
nop
mov eax, 564D5868h ; The magic number "VMXh" to check for VMware
mov ecx, 0Ah ; Command 0Ah in ecx to get VMware version
mov edx, 5658h ; The magic I/O port "VX"
xor ebx, ebx
nop
in eax, dx ; If VMware is present, this will modify the eax register
cmp eax, 564D5868h
je not_vmware
not_vmware:
; Code to execute if not running under VMware
end:
; End of the routine or further processing
The probability that you are seeing a possible VM detection technique is high.
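As an added example (not from the original article), here is a small Python triage helper that looks for the byte pattern behind the snippet above: the load of the "VMXh" magic into EAX followed, within a short window, by an IN EAX,DX, with the load of port 5658h counted as supporting evidence. The opcode encodings are standard x86; the sample bytes are constructed for the demonstration, not taken from a real sample.

```python
import re

# x86 encodings of the instructions in the snippet above.
MOV_EAX_VMXH = bytes.fromhex("B868584D56")  # mov eax, 564D5868h  ("VMXh" magic)
MOV_EDX_VX = bytes.fromhex("BA58560000")    # mov edx, 5658h      ("VX" I/O port)
IN_EAX_DX = b"\xED"                          # in eax, dx


def find_vmware_backdoor(code, window=32):
    """Return one record per place where the VMXh magic is loaded into EAX and an
    IN EAX,DX follows within `window` bytes; port_load says whether the 5658h
    port load is also present in that window (stronger evidence)."""
    hits = []
    for m in re.finditer(re.escape(MOV_EAX_VMXH), code):
        region = code[m.start():m.start() + window]
        if IN_EAX_DX in region:
            hits.append({"offset": m.start(), "port_load": MOV_EDX_VX in region})
    return hits


# Constructed byte sequence assembled from the snippet above (not a real sample):
# xor eax,eax / xor ebx,ebx / xor ecx,ecx / xor edx,edx / mov eax,VMXh / mov ecx,0Ah /
# mov edx,5658h / xor ebx,ebx / nop / in eax,dx / cmp eax,VMXh / je +0
SAMPLE_CODE = bytes.fromhex(
    "31C0 31DB 31C9 31D2 B868584D56 B90A000000 BA58560000 31DB 90 ED 3D68584D56 7400"
)
```

Run it over a dumped code section; a hit is a reason to look at the surrounding routine in the disassembler, not proof by itself.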
Hardware Fingerprinting
Remember, these tricks make your VM harder to see, but they might also make it harder to use. Choose wisely!
During analysis, remove VMware Tools. Hackers might look for processes like "VMwareService.exe", "VMwareTray.exe", or "VMwareUser.exe" to sniff you out.
In your VM settings, disable "shared folders". This cuts the file connection between your main computer and the VM, keeping things separate.
In the corresponding VMX file, consider disabling the hypervisor CPUID leaf to prevent malware from querying CPU features that reveal virtualization.
1. Right click on VM -> Open VM directory
2. Select the corresponding VMX file and open it with notepad
3. Add or change the line:
hypervisor.cpuid.v0 = "FALSE"
Prevent programs from detecting the virtual environment through complex checks such as monitoring memory address space and counters.
hypervisor.cpuid.v0 = "FALSE"
board-id.reflectHost = "TRUE"
hw.model.reflectHost = "TRUE"
serialNumber.reflectHost = "TRUE"
smbios.reflectHost = "TRUE"
SMBIOS.noOEMStrings = "TRUE"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
UPDATE: For newer versions of VM detection systems like Themida, it is necessary to add the following configurations:
cpuid.disable_apicExtRegs = "TRUE"
monitor_control.enable_fullcpuid = "TRUE"
SMBIOS.assettag = "IBM Corporation"
SMBIOS.useShortSerialNumber = "TRUE"
checkpoint.vmState.readOnly = "FALSE"
cpuid.1.eax = "0f400000"
cpuid.1.ecx = "065e6674"
cpuid.1.edx = "76657269"
monitor_control.restrict_backdoor = "TRUE"
monitor_control.enable_extended_core = "true"
monitor_control.enable_paravirt = "true"
monitor_control.virtual_rdtsc = "false"
ethernet0.networkName = "lan1"
smc.present = "FALSE"
tools.syncTime = "TRUE"
mks.enable3d = "FALSE"
These configurations help in evading detection from advanced VM detection mechanisms implemented by software like Themida, enhancing the stealth aspect of the virtual machine in environments where detection avoidance is critical.
Consider masking hardware identifiers: use tools like the VMwareHardenedLoader driver by hzqst (on GitHub) or custom scripts to modify hardware signatures, chipset information, BIOS version, SMBIOS tables, the real computer's BIOS firmware and other potentially identifiable data.
bios440.filename = "C:\WS_DELL_BIOS.ROM"
Naturally some of the characteristics will be taken from the host, but some malware samples extract signatures and data from the BIOS.
Debugging outside of the VM
One of the great advantages of VMs is the debugging outside of a VM using a virtual COM port.
serial0.fileType = "pipe"
serial0.yieldOnMsrRead = "TRUE"
serial0.fileName = "\\.\pipe\KernelDbg"
serial0.present = "TRUE"
serial0.tryNoRxLoss = "TRUE"
Network Adapter and MAC Address
Malware can detect a VM by examining the MAC address, whose vendor prefix is often specific to virtual network adapters. Before starting the VM, manually set a MAC address that does not belong to a known virtual network adapter vendor.
ethernet0.address = "Some random mac address"
Create separate virtual networks (Isolate virtual networks) for analysis VMs to minimize network interaction with the host system.
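As an added example (not the article's or VMware's own code), the following Python helper works on a .vmx file as text: it reports which of the hardening keys discussed above are missing or set differently, rewrites the file so each key appears exactly once (the second configuration block above repeats several keys), and flags an ethernet0.address whose OUI belongs to VMware. The HARDENING subset, the sample VMX fragment, and treating VMX keys as case-insensitive are assumptions.

```python
import re

# Public VMware OUIs; a MAC with one of these prefixes still fingerprints the adapter.
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}

# Subset of the VMX hardening keys listed in the article; extend as needed.
HARDENING = {
    "hypervisor.cpuid.v0": "FALSE",
    "smbios.reflectHost": "TRUE",
    "isolation.tools.getVersion.disable": "TRUE",
    "monitor_control.restrict_backdoor": "TRUE",
}

_LINE = re.compile(r'^\s*([^=\s]+)\s*=\s*"(.*)"\s*$')  # VMX line: key = "value"


def _key_of(line):
    """Lower-cased key of a VMX line, or None (case-insensitive compare is an assumption)."""
    m = _LINE.match(line)
    return m.group(1).lower() if m else None


def parse_vmx(text):
    """Map key -> value; when a key is repeated, the later line wins."""
    matches = (_LINE.match(ln) for ln in text.splitlines())
    return {m.group(1).lower(): m.group(2) for m in matches if m}


def missing_hardening(text, settings=HARDENING):
    """Checklist keys absent from the VMX or set to a different value."""
    current = parse_vmx(text)
    return sorted(k for k, v in settings.items()
                  if current.get(k.lower(), "").upper() != v.upper())


def harden_vmx(text, settings=HARDENING):
    """VMX text with each checklist key set exactly once: existing lines for those
    keys (duplicates included) are dropped and the desired values are appended."""
    wanted = {k.lower() for k in settings}
    kept = [ln for ln in text.splitlines() if _key_of(ln) not in wanted]
    kept += [f'{k} = "{v}"' for k, v in settings.items()]
    return "\n".join(kept) + "\n"


def mac_looks_virtual(mac):
    """True when the first three octets of the MAC form a VMware OUI."""
    return mac.strip().lower().replace("-", ":")[:8] in VMWARE_OUIS


# Constructed sample VMX fragment (not from a real VM) for exercising the functions.
SAMPLE_VMX = '''.encoding = "windows-1252"
displayName = "analysis-lab"
hypervisor.cpuid.v0 = "TRUE"
ethernet0.present = "TRUE"
ethernet0.address = "00:0C:29:AB:CD:EF"
'''
```

Run missing_hardening on the real .vmx before and after editing it with the VM powered off; a MAC flagged by mac_looks_virtual should be replaced as described above.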
Resource Availability and Performance Profiling
Assign CPU cores, memory, and disk space that closely resemble a physical machine's configuration.
vmware.disableGa = "TRUE"
smbiosprovider.disable = "TRUE"
SMBIOS.excludeHardwareStrings = "TRUE"
isolation.tools.setHWVersionExt.disable = "TRUE"
isolation.tools.setHWVendor.disable = "TRUE"
isolation.tools.disableTimekeeping = "TRUE"
isolation.tools.disableRand = "TRUE"
isolation.tools.disableHvCounters = "TRUE"
isolation.tools.setOSVersion.disable = "TRUE"
Some of these options depend on your goals.
Hide virtual disk
One common way malware detects a VM is through the virtual hardware's identifiers. Modify the registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
Remove references to 'VMware', 'Virtual', or 'Ven'. Additionally, replace instances of 'VMware' or 'Virtual' throughout the registry with terms like 'Intel' or 'IBM'.
Modify scsi0:0.productID and scsi0:0.vendorID in the VM's .vmx configuration file, replacing default or recognizable virtual identifiers with ones that mimic real hardware.
scsi0:0.productID = "Kinston SSD AADEBBCC1"
scsi0:0.vendorID = "Kinston"
Time-Related Anomalies
Enable time synchronization and configure the VM to synchronize accurately with reliable external time servers. Disable time drift correction to prevent VMware from automatically adjusting the VM's time, which can create inconsistencies.
Advanced techniques and tools
VM-Hiding: A repository for hiding the VM hypervisor from guest operating systems, useful for VM-based analysis.
VMDE: Virtual Machine Detection Evasion tool, which provides various scripts and techniques for evading VM detection.
SandboxEvasion: A collection of techniques for evading detection by sandboxes and VMs.
Additionally, to assess how well your VM is protected against detection, and to learn about other tools used for detecting sandboxes, KVM, and VMs, you can use Pafish (Paranoid fish).
By understanding how malware identifies virtual environments and employing effective countermeasures, we can create a robust defense against their evasive tactics. This allows security researchers to continue their vital work of analyzing and neutralizing new threats, ultimately contributing to a safer digital landscape for everyone. Remember, security is a continuous process, not a one-time fix. Regularly update your knowledge, tools, and VM configurations to stay ahead of the evolving landscape of malware threats.
Another more modern option for assessing the hardening of our work environment is Al-Khaser. Al-Khaser is a comprehensive tool designed to test the resilience and detection capabilities of security environments against various forms of malware and advanced persistent threats (APTs).
This project offers a wide array of checks, including those for VM detection, sandbox evasion, and presence of debugging tools, making it an invaluable resource for security professionals looking to evaluate and improve the defensive posture of their systems. By simulating a range of attack vectors and detection evasion techniques, Al-Khaser helps in identifying potential weaknesses in a system's security setup, thereby facilitating a more robust hardening process.
Tell us about your work laboratory.