Create templates to use with VirtualBox to make vm detection harder

Malware writers always try to detect if their creation is running on a VM.

Malware has one huge advantage when executed on an automated VM analysis system: if the sample does not behave in a malicious manner within the first five minutes, such as skipping waiting loops, the system will most likely deem it harmless.



For example, a malicious softwarer can wait for the system to reboot twice before it starts acting malicious or it can activate the payload after a certain number of mouse clicks have occurred.

Some of the tricks used to detect if a program is running in a virtual environment are quite simple:

  • Check the MAC address of the virtual network adapter to reveal the vendor
  • Check certain registry keys that are unique to virtual systems
  • Check if helper tools like VMware tools are installed
  • Check for certain process and service names
  • Check for communication ports and behavior
  • Execute special assembler code and compare the results
  • Check the location of system structures, like the descriptor tables

Antivmdetection [1] is a script that helps to create templates which you can use with VirtualBox to make VM detection harder.

The purpose of this script is to use, available settings without modifying the VirtualBox base. There are people who do really neat things by patching Virtualbox. But that is out of the scoop for this script. I think this approach has some merits as it does not (hopefully) break with every new release of VirtualBox. Overtime I have also included “things” that are not directly VM related, but rather things that malware is using to fingerprint installations, I hope you don’t mind..

The main script will create the following files:

  • One shell script, that can be used as a template, to be used from the host OS and applied to the VM that you like to modify.
  • A dump of the DSDT, that is used in the template script above.
  • A Windows Powershell file to be used inside the guest, to handle the settings that is not possible to change from the host. This script will have to be run twice, one for the changes that requires reboot and the second time for the pesky things that resurface at reboot.


References

  1. https://github.com/nsmfoo/antivmdetection