
How does VM detection work?



I understand there are tricks/exploits certain malware uses to fool the user who is running an infected application sandboxed into thinking it is safe. But how does it do that? I recently came across a file I scanned in an online sandbox which, upon execution, launched 2 RATs that installed themselves along with adware applications that bombed the sandbox with downloads to millions of ads.

I know developers can 1. put out a fake warning to make it seem like the application errored and nothing malicious has launched, 2. use exploits to break out of the sandbox and infect the PC (I've rarely seen this myself).

Knowing that, is there any way for them to detect an online sandbox? It seems to me that the online sandbox is fool-proof because it just works so perfectly, and every time Sandboxie launched no malware, the online sandbox would show me that it actually did launch something else, along with saying that it tried to detect the sandbox using a certain method.

In conclusion, what methods does malware use to detect VMs/sandboxes (VMs are kind of easy to figure out), and is there a way for the developers to fool online sandboxes?

I'm talking about professional malware developers, not script kiddies with RATs.


With VMs it's pretty simple. Most of the time they just check for certain processes and/or services and/or drivers specific to whatever VM software they're trying to avoid (most VM-aware malware I've come across would detect/not run on VMware but would run on VirtualBox for this very reason; I'm guessing because VMware is a bit more popular and likely used more often by malware researchers).

As for sandbox detection, I'm really not sure and I'm no expert, but I suppose that perhaps it tries to detect certain components of the registry and/or file structure which aren't replicated inside the sandbox (like certain system folders maybe) or it could be something more complex like detection of how certain processes are mapped to memory, where they are in memory and their PIDs etc. as I believe, for example, that certain system processes that run on boot always have a specific PID, but inside a sandbox I assume that the sandboxed process would be denied access to any processes outside of the sandbox, so any PIDs/processes it could see wouldn't be the 'real' ones actually running on the system outside the sandbox.  All that is just my theory though, so I could be way off base as far as sandbox detection goes.

As for fooling sandboxes, sure, there are plenty of ways. Some malware uses a timebomb, meaning it doesn't do anything malicious/create/install any malware components until N minutes/hours/days etc. (with some being known to wait months before actual infection), while others won't install/activate anything malicious until a certain number of system reboots have occurred (this also applies to rootkits, which generally require at least 1 reboot in order to become active since they often load into the MBR etc.). For malware deliberately trying to fly under the radar (not the rootkits, which need a reboot to install/launch, not because they're trying to conceal themselves), they'll behave as completely innocuous programs until the required conditions are met, just like the conditions you set on a scheduled task you create in Task Scheduler.


Ok, so they can use a time bomb, which I've heard of before, and reboots, but how do they do all this without the user knowing? I'm assuming since it's a time bomb it would have to have a process running counting down, or simply add a task to activate it in the scheduler. I never really understood how the time bomb worked. Nor rootkits.

If you were to activate a rootkit, it can't get into the boot manager without rebooting anyway, I think. But how does it then do that on restart? Maybe link me some sources if you can't explain?



Sure, they keep some kind of watchdog process in memory or, as you mentioned, they use a scheduled task. I believe there are ways to hide scheduled tasks, and I know there are ways to make them appear legitimate (like replicating a known safe piece of software or system component, but pointing to a different executable, or even pointing to the legit executable, but including some sort of custom command/switch that causes that otherwise safe process to execute a script that launches the malware). As for the timebomb that doesn't use a scheduled task, this is typical of a Trojan, and what I mean in this context is the original meaning of the word in the PC world: an application or file that appears safe and to serve a useful function, but is in fact malicious or at least not what it appears and/or is advertised to be. In this case, it could be a simple screensaver, or better yet, a hardware monitor or a video game. It could be anything as long as it either A) is likely to be something the user wants to keep running in the background at all times (think tools like memory optimization apps that clear active RAM cache to supposedly boost performance, or a disk defragmentation tool that sets up a scheduled task or automatically runs in the background all the time to monitor your drives for fragmented files to automatically defrag whenever it gets too fragmented) or B) is something the user is likely to run on their own multiple times, such as a game, a screensaver, a registry cleaner or pretty much any other type of software. In all of those cases, and plenty more I'm sure, a user is likely to not suspect anything is wrong as long as the application behaves itself and is/does what it's supposed to. But after a specified (or even random maybe) number of executions, or when a specified date/time rolls around, or the file reaches a certain age (based on when it was downloaded, for example), all it has to do is trigger at that point and do its malicious work.
Sure, the more tech savvy users are more likely to notice some of this stuff, especially the things not related to time bombs (as you said, checking Task Scheduler etc.), but the techie crowd isn't usually the intended target for malware.  The bad guys want the novice/everyday PC users who don't even know about scheduled tasks or how to check the registry or startup programs etc.  They want the people that they believe they can easily steal from, scare into paying them money etc. or who they can trick into providing them with whatever info the bad guys might be after (passwords, financial info, credit card numbers etc.).  It's all about playing the odds.

As for rootkits, that's exactly my point; it requires a reboot in order to launch.  Usually (though not always), the way they install during boot is through a driver or service (usually a driver) since drivers and services automatically have privileged access to the system (SYSTEM account permissions, which are higher than even admin).  That's how they're able to so easily access system locations/files to patch them etc., including the boot files such as the MBR, and to re-write the MBR along with a lot of the other malicious tasks they might perform, a reboot is often required.  But they could already have a process/service/driver/DLL or whatever loaded on the system which appears to be safe, and just like with the Trojan examples above, it's just waiting for a specific (or again, possibly random) number of reboots to occur or time/date to roll around at which point it finally does its thing quietly/silently in the background to infect the system.  They don't need to be running all the time or use a countdown, all they have to do is call the API that reports the date and time, something that Windows, AVs and basically everything else on a system that a user might have to protect them will likely never stop an application/process from doing, because they themselves do it too (this is how your AV/AM product knows when it will expire and how free trials work along with any other subscription software/trialware).  So that great game of Super 3D Duck Racer (just a fake example, but it sounds cool, eh :P ?) is so much fun that the user plays it every day, or maybe just on the weekends.  
Either way, after 2 weeks have passed, or maybe even once the user scores a specified number of points or reaches a certain level in the game (assuming they make it difficult and/or time consuming enough to accomplish those tasks in the game so that it can't possibly happen on day 1), 3D Duck Racer lays an egg on the system in the form of a sneaky keylogger or rootkit, or even a rootkit to hide and protect a keylogger; all with the convenient functionality of uploading the captured passwords or whatever to the bad guys' servers each and every time the user logs back into the game to play and upload their high scores to compete with other Duck Racers online, or to "check for 3D Duck Racer game updates" (which are totally free of charge, of course ;) ).

And keep in mind, I'm not a hacker, a programmer, a script kiddie or anything close to that and I've never written a piece of malware in my life, yet I can come up with these ideas right here off the top of my head.  So if I, a non-programmer, can so easily think of creative ways to evade detection by automated tools like sandboxes and even many threat researchers, you know the bad guys can (and far more since they actually know the code/APIs etc.).

This is also a big reason to have something on your system that doesn't rely on signatures and sandboxes all the time to determine what's malicious, especially these days with how bad malware has gotten and how tricky it is.  Behavior based, signature-less detection is critical to thwart these kinds of complex attacks and that's the reason that Malwarebytes is moving in that direction more and more all the time, with nearly every new component we add to our protection in recent years being based on looking at what malware does rather than relying on signatures that can only find malware based on how its files look (meaning they can only detect something if its file looks like another piece of malware they've already seen before).

Anyway, I know this info was pretty basic/non-technical, but I hope you find it useful nonetheless.

Edited by exile360
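The two evasion patterns described in this thread (checking for VM processes/BIOS strings, and time-bomb stalling or reboot-gated persistence) are exactly what an online sandbox looks for in the API trace it records. The script below is an added example written for this page, not code from the forum or from Malwarebytes; it runs a defender-side triage over a constructed trace whose "<pid> <api>(<args>) -> <ret>" line format is an assumption, not any real sandbox's output.

```python
import re

# Constructed sample of an API-call trace in the style a sandbox report emits.
# The "<pid> <api>(<args>) -> <ret>" line format is an assumption made for this
# example; it is not the output of any particular sandbox product.
SAMPLE_TRACE = """\
1234 CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS) -> 0x1c
1234 Process32NextW() -> "svchost.exe"
1234 Process32NextW() -> "vmtoolsd.exe"
1234 RegQueryValueExW("SystemBiosVersion") -> "VBOX   - 1"
1234 GetSystemTime() -> 2018-09-10 14:02:11
1234 Sleep(600000) -> 0
1234 GetSystemTime() -> 2018-09-10 14:02:11
1234 RegSetValueExW("HKCU\\...\\Run\\upd", "C:\\Users\\x\\upd.exe") -> 0
1234 ExitProcess(0) -> -
"""

# Guest-tool process names that betray a VMware or VirtualBox guest.
VM_PROCESSES = {"vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe",
                "vboxservice.exe", "vboxtray.exe"}
VM_BIOS_MARKERS = ("VBOX", "VMWARE", "VIRTUALBOX")
CLOCK_APIS = {"GetSystemTime", "GetLocalTime", "GetTickCount",
              "GetSystemTimeAsFileTime"}
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*?)\)\s*->\s*(.*)$")


def analyze(trace):
    """Collect evasion indicators from a trace; returns a findings dict."""
    findings = {"vm_artifacts": [], "clock_queries": 0,
                "sleep_ms": 0, "run_key_write": False}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _pid, api, args, ret = m.groups()
        if api.startswith("Process32") and ret.strip('"').lower() in VM_PROCESSES:
            findings["vm_artifacts"].append(ret.strip('"'))
        elif api == "RegQueryValueExW" and "Bios" in args:
            findings["vm_artifacts"] += [mk for mk in VM_BIOS_MARKERS if mk in ret.upper()]
        elif api in CLOCK_APIS:
            findings["clock_queries"] += 1
        elif api == "Sleep":
            findings["sleep_ms"] += int(args)
        elif api == "RegSetValueExW" and re.search(r"\\Run(Once)?\\", args):
            findings["run_key_write"] = True
    return findings


def verdict(findings, min_sleep_ms=60_000):
    """Turn findings into the reasons a sandbox report would list."""
    reasons = []
    if findings["vm_artifacts"]:
        reasons.append("checks for VM artifacts: " + ", ".join(findings["vm_artifacts"]))
    if findings["sleep_ms"] >= min_sleep_ms or findings["clock_queries"] >= 2:
        reasons.append("stalls or date-gates execution (time bomb)")
    if findings["run_key_write"]:
        reasons.append("installs a startup entry instead of acting now (reboot gate)")
    return reasons


if __name__ == "__main__":
    for reason in verdict(analyze(SAMPLE_TRACE)):
        print("-", reason)
```

This is why a sample that "does nothing" in Sandboxie still gets flagged by an online sandbox: the clock queries, the long sleep and the Run-key write are visible in the trace even though no payload ever ran.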

Thanks for the explanation. I just really have a huge interest in software development, particularly in malware; I think the methods each malware uses are interesting. I mean malware is kind of like an art in my opinion, but limited to the point you cannot do everything you might want. I understand it's bad but I don't have an interest in it to profit or whatever, just in general, like the ways worms use to spread, and we've seen many examples over the years. One that stands out (unsure if it's a worm) is the virus called Chernobyl, which spread to EXE files on the PC, wiped hard drives and overwrote the system BIOS, basically making the computer useless, although this is not possible anymore because of technological advancements.


Another issue as well is process injection. Since I found out about this years back I've always been conspicuous when banking online, always thinking that something might be watching, waiting to steal my details without me knowing. Is there a way to detect them? I've done malware analysis and I am quite interested in it; however, I found that rather than having my own VM lab setup it's more efficient to use online sandbox scanners since they are safer, faster and give pretty much the same result, although the best setup would be a standalone PC isolated from the network where the malware would be run, then analysed using tools.

I haven't had much experience with process hijacking or injection, but it's pretty easy to do for script kiddies now. Although I haven't seen it in RATs, in Kali Linux Metasploit features process injection and also allows users to send a payload inside a Word document or PDF.


And that's what scares me: I always think my PC is infected even when it's probably not, but I have no way of detecting whether there has been a process injection or not. And since the code is inside something like explorer.exe, which launches at boot, there would be no new startup entry for it. I don't think I'm being unreasonable here; if you have a ton of money saved up and some stuff head buys random stuff on PayPal to waste all of it, or god forbid tries to steal it, it's a very bad situation and I never want to be a victim of it.


There are ways to locate the loading points for process injections that load on startup.  Most, if not all of them, use one registry key or another.  Most of them are listed in MS Sysinternals Autoruns and you can see the DLLs loaded into a process using Process Explorer.  Of course, if it's malware it could be a bit more hidden (that whole rootkit thing again) which means you'd probably need some other tool like a rootkit scanner to detect it (something like GMER and the like).

As far as staying protected from that stuff, believe it or not basically every method of infection that you named (aside from the file infector/BIOS infector Chernobyl that you mentioned, which is a tactic not often used these days since there's no profit in destruction, which is why these days it's all about theft and extortion) is easily detected by our anti-exploit technology.  Malicious code/process injections and documents encoded with malicious scripts are things it specializes in, and it's very good at it (we detect new 0-day exploits all the time, even without any updates since our anti-exploit engine doesn't use signatures/databases as it's all behavior based).

But of course, with all that said, the primary way that most threats get in these days is via exploits (like the infected documents you mentioned, as well as browser exploits and exploits for plugins like Flash and Java). The payloads change all the time (the malware that the exploit tries to download and execute to infect the system, assuming the exploit doesn't get stopped in its tracks), but the exploits themselves pretty much keep using the same basic methods, though they do occasionally put a new spin on things. To my knowledge though, it's been quite some time since we've had to do any major updates to our anti-exploit engine because of a new exploit technique we weren't already stopping. The point is, if you stop the attack that early in the attack chain, then dealing with the fallout/payload becomes irrelevant because it never reaches your system.

It's good to be a little paranoid because that keeps you cautious enough to put in some effort towards keeping yourself safe online.  It really can be a scary place out there with all these malicious threats, especially now that so many of these malware producing groups are funded by big criminal enterprises, businesses and sometimes even governments.  They've often got virtually unlimited financial resources and malware is big business these days, usually accounting for losses in the millions and even billions each year.

Of course, social engineering is another thing to be cautious of.  Scam websites, spam emails, phishing and all that good stuff where they try to trick you into giving them some personal info and/or financial details.  But what it boils down to is that they're pretty much all thieves.  It definitely is art in a way and it's crazy sometimes seeing the kinds of clever tactics they come up with.  If you're truly interested in malware, and assuming you don't want to become one of the bad guys who uses malware for the purpose of theft/scams and whatnot, you might want to look into reverse engineering.  It's a very useful skill to have and if you're good enough at it, someone will probably hire you as a threat researcher :) .  

So yeah, I must give the bad guys credit that they're often very intelligent and they do come up with some clever tactics that keep us on our toes, but morally I just can't stomach what malware does to people and their computers.  It really can ruin a person's life in any number of ways (financially, legally etc.).  I guess that's why I work for Malwarebytes, because I want to fight the good fight and try to help people stay safe out there.

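The answer above points at the right tools (Autoruns for registry load points, Process Explorer for loaded DLLs) but not at what to look for in their output. The script below is an added example written for this page, not the forum's or Malwarebytes' code; it triages a constructed sample modelled on the column layout of an Autoruns CSV export (an assumption about that format), flagging the three things that matter most for an injected or auto-started component: an unverified signer, an image in a user-writable folder, and a load point that injects DLLs into other processes.

```python
import csv
import io

# Constructed sample modelled on the column layout of an Autoruns CSV export
# (autorunsc -c). The rows are invented for this example ("DuckRacer" is the
# thread's own hypothetical game) and do not come from any real system.
SAMPLE_AUTORUNS_CSV = r'''"Entry Location","Entry","Enabled","Category","Profile","Description","Signer","Company","Image Path","Version","Launch String"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","Logon","System-wide","Windows Security notification icon","(Verified) Microsoft Windows","Microsoft Corporation","c:\windows\system32\securityhealthsystray.exe","4.18.1807.18075","%windir%\system32\SecurityHealthSystray.exe"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","DuckRacer","enabled","Logon","x","Duck Racer Updater","(Not verified) Duck Games","Duck Games","c:\users\x\appdata\roaming\duckracer\updater.exe","1.0.0.0","C:\Users\x\AppData\Roaming\DuckRacer\updater.exe"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs","AppInit_DLLs","enabled","AppInit","System-wide","","(Not verified)","","c:\programdata\nvhelper.dll","","c:\programdata\nvhelper.dll"
'''

# Folders an unprivileged user (or a dropper running as that user) can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
# Autoruns categories whose entries get loaded into other processes.
DLL_LOAD_POINTS = {"AppInit", "Winlogon", "Image Hijacks"}


def triage(csv_text):
    """Return [(entry name, [reasons])] for autostart entries worth a closer look."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        path = row["Image Path"].lower()
        if not row["Signer"].startswith("(Verified)"):
            reasons.append("signer not verified: " + (row["Signer"] or "none"))
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append("image lives in a user-writable location")
        if row["Category"] in DLL_LOAD_POINTS:
            reasons.append("load point injects into other processes (%s)" % row["Category"])
        if reasons:
            flagged.append((row["Entry"], reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_AUTORUNS_CSV):
        print(entry)
        for reason in reasons:
            print("   -", reason)
```

A real export carries more columns (hashes and so on); DictReader simply carries them along, so the same checks apply unchanged. An entry with a verified Microsoft signer in System32 passes, while the AppInit_DLLs entry trips all three checks, which is the kind of hidden load point a rootkit scanner would otherwise be needed to surface.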

6 hours ago, exile360 said:

By the way, you should check out our blog Malwarebytes Labs.  There's tons of great articles and info there, including some really in-depth malware/exploit analysis and reverse engineering.  I'm certain you'd find it fascinating :) .

Thanks, I've heard of reverse engineering; however, there were not many useful resources I could find online to help me learn it. From what I know, reverse engineering is taking, for example, a crypted stub that is encrypted and houses the payload, decrypting it and then having a look at its source code to see what it actually does and, for example, manipulating the payload so you somehow maybe pull information from the attacker. I believe cracked software is also made possible by reverse engineering.


It's a topic I am interested in, but I have no idea how to start or where to learn it. Sure, I have dotNetSharper or whatever it's called, but that only decompiles .NET code, it doesn't decrypt it.


Yeah, I'm not sure where you'd learn this sort of stuff.  I assume there must be communities out there where they discuss such things as advanced malware analysis and reverse engineering but I've honestly no idea where to find them as it's not something I'm involved in myself.

Anyway, I wish you well and I hope you stay safe out there.  And while there's certainly nothing wrong with tinkering with malware and the likes, I do hope you never decide to start creating threats of your own to sell and/or infect people with.  Malcoding, hacking, cracking/warez and other such endeavors can be slippery slopes where at first your intentions may be totally innocent, but one day in the future you might find yourself crossing lines that you never thought you would.  Just remember to keep your head, and especially your heart in the right place and you should be fine.
