[Q] Detecting virtualisation

I think that it is not practically possible to detect reliably, using a piece of code, that the code is running inside a virtual machine.

But apparently there are ways to make a good guess - for example, by looking for devices that are typical of a certain VM environment (like the S3 Trio64 video card in MS VPC, Microsoft Virtual PC), or for virtual machine extensions installed in the guest OS.

This time I have two questions:

  1. Any other ways to detect that the code is running in a VM?
  2. Why does malware try to do that? It does, according to Sandi Hardmeier, a great spyware fighter and an MVP.

There's a reason I'm asking. I believe that VM technology will help a lot in bypassing an endpoint security system in a targeted attack. Virtualisation is an interesting and welcome change in the world of information security - and hacking.
Published Fri, Mar 30 2007 4:20 by Slav

Comments

# re: [Q] Detecting virtualisation

Hi Slav,

My current Web site is www.ie-vista.com :)

Much malware simply won't install on a VM; the rbot and sdbot families can tell if they are being installed in a VM.

It was suggested on a spyware list that you could detect a VM by calling WIN32_ComputerSystem and WIN32_BIOS.

Saturday, March 31, 2007 5:30 AM by sandi
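As an added example (not code from the original post or from any of the commenters), here is a small Python check that puts the two heuristics from this thread together: the post's device-based guess (the S3 Trio64 video card that Microsoft Virtual PC emulates) and Sandi's suggestion of reading Win32_ComputerSystem and Win32_BIOS. The vendor strings in SIGNATURES are the values those products are known to report through WMI; the sample records are constructed for this example, and the live collection path, which shells out to PowerShell's Get-CimInstance, is only attempted on Windows.

```python
"""VM fingerprinting from WMI-style hardware strings (added example).

Combines the thread's two heuristics: product-specific virtual devices
(e.g. the S3 Trio video card emulated by Microsoft Virtual PC) and the
Manufacturer / Model / BIOS strings exposed by Win32_ComputerSystem,
Win32_BIOS and Win32_VideoController.
"""
import json
import re
import subprocess
import sys

# Vendor strings reported by each hypervisor's virtual firmware and devices.
# Every regex is searched (case-insensitively) in every field of a record;
# the first hit decides the reported product, all hits are kept as evidence.
SIGNATURES = [
    (r"vmware", "VMware"),
    (r"virtualbox|innotek|\bvbox\b", "VirtualBox"),
    (r"^virtual machine$", "Microsoft Virtual PC / Hyper-V"),  # exact Model string only
    (r"s3 trio", "Microsoft Virtual PC"),  # emulated video card named in the post
    (r"\bqemu\b|\bbochs\b", "QEMU/KVM"),
    (r"\bxen\b|hvm domu", "Xen"),
    (r"parallels", "Parallels"),
]

# WMI properties the check looks at (class.property they come from).
FIELDS = (
    "Manufacturer",     # Win32_ComputerSystem.Manufacturer
    "Model",            # Win32_ComputerSystem.Model
    "BIOSVersion",      # Win32_BIOS.SMBIOSBIOSVersion
    "SerialNumber",     # Win32_BIOS.SerialNumber
    "VideoController",  # Win32_VideoController.Name
)

# Constructed sample records (not captured from real hosts) covering three
# guests, one physical laptop, and a physical Microsoft-built device whose
# "Microsoft Corporation" manufacturer string must NOT trigger a detection.
SAMPLE_RECORDS = {
    "vmware_guest": {
        "Manufacturer": "VMware, Inc.", "Model": "VMware Virtual Platform",
        "BIOSVersion": "PhoenixBIOS 4.0 Release 6.0",
        "SerialNumber": "VMware-56 4d 3c 1a 2f 00 11 22-33 44 55 66 77 88 99 aa",
        "VideoController": "VMware SVGA II",
    },
    "virtualpc_guest": {
        "Manufacturer": "Microsoft Corporation", "Model": "Virtual Machine",
        "BIOSVersion": "American Megatrends Inc. 080002",
        "SerialNumber": "0000-0001-0002-0003", "VideoController": "S3 Trio32/64",
    },
    "virtualbox_guest": {
        "Manufacturer": "innotek GmbH", "Model": "VirtualBox",
        "BIOSVersion": "VBOX   - 1", "SerialNumber": "0",
        "VideoController": "VirtualBox Graphics Adapter",
    },
    "dell_laptop": {
        "Manufacturer": "Dell Inc.", "Model": "Latitude E6400", "BIOSVersion": "A34",
        "SerialNumber": "ABC1234", "VideoController": "Intel(R) GMA 4500MHD",
    },
    "surface_tablet": {
        "Manufacturer": "Microsoft Corporation", "Model": "Surface Pro 7",
        "BIOSVersion": "9.101.140", "SerialNumber": "012345678901",
        "VideoController": "Intel(R) Iris(R) Plus Graphics",
    },
}


def fingerprint(record):
    """Classify one record of WMI fields.

    Returns {"virtual": bool, "product": str | None,
             "evidence": [(field, value, product), ...]}.
    Missing fields are ignored, so a partial record is still usable.
    """
    evidence = []
    for pattern, product in SIGNATURES:
        rx = re.compile(pattern, re.IGNORECASE)
        for field in FIELDS:
            value = str(record.get(field, ""))
            if rx.search(value):
                evidence.append((field, value, product))
    return {
        "virtual": bool(evidence),
        "product": evidence[0][2] if evidence else None,
        "evidence": evidence,
    }


def collect_wmi():
    """Read the same fields from the running host via PowerShell/CIM.

    Returns None on non-Windows hosts or when PowerShell cannot be run,
    so callers can fall back to the constructed samples.
    """
    if sys.platform != "win32":
        return None
    script = (
        "$cs = Get-CimInstance Win32_ComputerSystem; "
        "$b = Get-CimInstance Win32_BIOS; "
        "$v = Get-CimInstance Win32_VideoController | Select-Object -First 1; "
        "[pscustomobject]@{Manufacturer=$cs.Manufacturer; Model=$cs.Model; "
        "BIOSVersion=$b.SMBIOSBIOSVersion; SerialNumber=$b.SerialNumber; "
        "VideoController=$v.Name} | ConvertTo-Json"
    )
    try:
        out = subprocess.run(["powershell", "-NoProfile", "-Command", script],
                             capture_output=True, text=True, timeout=30,
                             check=True).stdout
        return {k: str(v or "") for k, v in json.loads(out).items()}
    except (OSError, subprocess.SubprocessError, ValueError):
        return None


if __name__ == "__main__":
    live = collect_wmi()
    records = {"this host": live} if live else SAMPLE_RECORDS
    for name, rec in records.items():
        print(name, json.dumps(fingerprint(rec)))
```

As the post says, this is a guess, not a proof: every string here comes from virtual firmware or virtual devices that the VM owner controls and can change in the VM configuration, so a sandbox that wants to stay invisible to malware can remove the evidence, and a detector that wants to be robust should not rely on any single field.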

# re: [Q] Detecting virtualisation

Thanks Sandi. It is clear that malware tries to detect VMs. It's not completely clear why. Is it a honeypot avoidance technique? If so, we may need smarter honeypots.

Some organisations consider VM environments a security threat. The client software of Webmoney, an alternative payment system used by many criminals, blocks the electronic wallet if it detects VMware.

So the big question is - is a VM a security threat, or is it good for security? Ironically, it's both.

Sunday, April 01, 2007 6:34 PM by Slav

# re: [Q] Detecting virtualisation

Hi Slav,

I wonder how malware would perform under application virtualisation? Check out <http://www.thinstall.com/products/virtualization_suite.php>

Wednesday, April 04, 2007 9:05 PM by Nhon Yeung

# re: [Q] Detecting virtualisation

Interesting. I guess malware will be virtualised and can impact code within the same Thinstall package. At least that is how it should work...

Friday, April 27, 2007 4:42 AM by Slav

# Virtually hopeless

I don't know if that's CIOs, or the press, or both. Recently Byte & Switch, CMP Technology's

Monday, July 30, 2007 4:50 AM by Risque Management
