Jump to content

Recommended Posts

I've lately been hearing of a lot of malware that is able to detect if it is running inside of a VM and lay dormant as a result. This makes me wonder... would it be possible to spoof certain processes to trick the host computer into thinking it's running inside of a VM, as another layer of pre-execution defense? And if so, can anyone think of problems that might occur with this?

Link to post
Share on other sites
  • Staff

Yes, in fact some security products already do this, both in passive ways by entering VM related data/devices in the registry as well as active ways by loading processes that make it appear that the system is running inside a VM.  Malwarebytes does not currently do this, however there are also threats that will behave the same if they see Malwarebytes on the system because they want to avoid being detected by its superior behavior based protection (especially components like the anti-exploit technology built into it).

I do not know if Malwarebytes will implement any VM simulation features to help prevent such threats from executing, however I will suggest it to them.

Link to post
Share on other sites

On the subject of compatibility and complications, though...

I think there might also be some legitimate software that might run incorrectly in VMs, and be designed in such a way to produce errors if you try to run or install it even on a host system spoofing as a VM, but I can't name any specific examples, nor have I personally encountered any such software in my memory. As such, there should probably be a way to whitelist those specific programs and somehow hide the spoofed processes and registry keys from them for the sake of compatibility. That is primarily a hypothetical problem until proven otherwise however.

Alternatively, in the field of Malware research... there should also be a way to trick Malware inside of an actual VM into thinking it's not actually in a VM, on a per-process basis, that way its behavior can be more easily observed... which really would involve the same mechanism of whitelisting programs for compatibility with spoofed VMs. (I'm surprised that Malwarebytes doesn't have an official toolkit for researching Malware in the field.)

Final note:
The trick of using Registry Keys to spoof the machine's status as a VM reminds me a lot of the Wine situation... Certain Microsoft applications will refuse to automatically update (and some others will refuse to function at all) if they detect any registry keys that may indicate that you are running them on a Linux-based system through Wine, instead of on a real Windows system. If I recall correctly, then this list includes, but is not limited to; Microsoft Office, Windows Update, Windows Defender, anything acquired through the Windows Store, and even the Windows Store itself. Ouch...

Link to post
Share on other sites

On that note, @exile360:
I think Malwarebytes should have a built-in Watchdog service that would automatically audit any unknown processes which specifically query for Malwarebytes' presence on the system, or any unknown processes which specifically query for any signs that they are running in a VM. This way, any potential threats which lie dormant can still be detected, and thus actively monitored if they are truly unknown, and immediately acted upon if they are actively blacklisted as known threats.

In addition, Malwarebytes should also log anomalous spikes in overall system resource activity or utilization. Not only could this be used to detect threats that are somehow hidden from the rest of the system (for example, cryptojackers), but it could also even be used as a diagnostic aid, as sudden spikes in activity can often be early warning signs of failing hardware.

Link to post
Share on other sites
  • Staff

I don't know of any legitimate software that refuses to run inside a VM.  I've been running my systems with passive VM protection for years now (via registry keys etc.) and have never encountered any problems with any software refusing to run or behaving differently as a result.  I don't think any legitimate developer would deliberately sabotage their application inside VMs as there would be nothing to gain from doing so.  On the other hand, Microsoft has a clear incentive to try and curb the operation of their software on Linux since that is a competing operating system.  As for Research, they use other methods besides VMs to research malware.  They use live machines and honeypots for hunting threats and exploits and they have test systems set up for automatically detonating and analyzing new/unknown threats as well.

I guess something like a watchdog service would be possible, but it would probably slow things down a lot and be quite resource intensive for negligible gains in detection.  The current behavioral and heuristics techniques that Malwarebytes uses are pretty effective at detecting new and unknown threats and the Research team is always looking at how malware behaves to develop new techniques for trapping and detecting it based on its behavior.  Besides, most modern threats try to remain inconspicuous so using a lot of system resources would be the last thing they'd try to do in most cases, as that would reveal their presence pretty quickly.  On the other hand, resource intensive tasks like games and graphical editing software tend to be the most resource intensive types of applications, and I don't think anyone would want a security application that starts raising alarms every time they run a game or try to edit an image or video as that would be quite disruptive.  Besides, there are already applications designed for monitoring resources and application resource usage in real-time so I don't think this functionality would add much to what Malwarebytes is already doing.

Link to post
Share on other sites

So no system resource activity logging, then; the two things that came most to mind when I suggested that were ransomware (which often searches the filesystem for restore points, shadow copies, specific folders, etc) and cryptojackers. But yeah, you actually bring up a good point. No system resource logging.

<-=-=-=-=-=-=-=-=-=-=-=-=-=->

As for the Watchdog thing... intercepting any queries regarding Malwarebytes' presence on a system (or the presence of VM indicators) doesn't seem like it would be that resource-intensive. I guess the constant monitoring of suspicious processes, sure... but merely auditing any accesses to registry keys and folders that belong to Malwarebytes?
I guess it could be made an optional feature, with a warning saying that it could prove resource intensive, and that its usefulness might prove limited.

WARNING: HUGE POST FOLLOWS.

Spoiler

 

And speaking of virtualization spoofing, I wonder what else could also be spoofed to discourage malware executing on a system. There's plenty of other Anti-Malware solutions that are pretty intelligent and might also prompt Malware to go into hiding mode, so spoofing those registry keys as well could be fun~

And not only that, but if those spoofed keys for other Anti-Malware/Anti-Virus products are modified or deleted by an unauthorized program, that in itself could be a detection mechanism. Plus, you could use that to automatically warn other Anti-Malware vendors that their software is specifically being targeted by a new zero-day threat! Again though, this would probably fall under the purview of the Watchdog thing, due to it requiring 24/7 monitoring and being potentially resource intensive... and hence optional.

If the MBAM team does consider the concept, and wants to come up with a creative name for it... I'd nominate that it be called WatchFox, instead of Watchdog, for a few reasons:

Spoiler
  1. Foxes are tricksters, being very clever and sneaky.
  2. Foxes are not dogs, and should not be treated the same way. In fact, they are actually a bit closer to cats in the way they evolved. 
  3. Foxes are very good at drawing attention, especially with the sounds they make (don't take my word for it, look it up!), and the WatchFox will definitely yelp in the direction of an AV provider if it smells trouble.
  4. Foxes are not for everyone. Very high-maintenance animals, after all. Oddly fitting for a very optional feature which may not actually provide many new detections.
  5. Watchdog is actually very generic, and Fox rhymes with Box.

As a funny sidenote, watchfox.mod would also happen to be an 8.3 filename. Other possible names for the WatchFox module could include, but should certainly not be limited to:

Spoiler

 

  1. RegSpoof.mod
  2. HiveMaze.mod
  3. RegDecoy.mod
  4. HiveBait.mod
  5. mbamaroq.mod (I'll record myself laughing hysterically if this one actually gets used)
  6. ammyMBAM.mod
  7. FoxAlert.mod

 

All of these filenames could even be used on a live system, randomly swapped in and out so that they themselves can avoid detection by malware. And yes, there's even room for another Easter Egg in there, if anyone on here is familiar with the file formats used in old-school Amiga tunes. If you can somehow squeeze an MBAM module inside of a (still playable) modtracker file, I'll be mighty impressed.

 

Whew... I think I'm gonna have to take a break after writing all that...

Link to post
Share on other sites
  • Staff

Malwarebytes already does real-time monitoring for ransomware activity.  That's the entire purpose and function of the Ransomware Protection component so that's already covered, at least for ransomware.

With regards to malware looking for other security software, that's a tough one because legit AVs do the same exact thing to check for existing installations of incompatible software from other vendors (to prevent installing 2 AVs on the same system).  Malwarebytes does already check for threats that attempt to block security products (not just Malwarebytes) from running and detects and removes the registry entries that are used for this purpose (IFEO keys, DisallowRun etc.).

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.