ARCHIVE :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FYI: Malware Writers Add VM Detection Technology

http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf, which Skoudis refers to - everything is described well there.

> --Malware Writers Add VM Detection Technology
> (20 November 2006)
> Malware creators have begun incorporating the ability to detect virtual
> machines (VM) into their products.  A SANS Internet Storm Center (ISC)
> analyst reported that "three of 12 malware specimens recently captured
> in [their] honeypot refused to run in VMware."  The malware writers are
> trying to prevent researchers from testing the malware in a safe
> setting.  The problem can be addressed either by patching the malware
> so it doesn't look for signs of VM environments, or by making changes
> to the VM environment that will trick the malware.
> http://isc.sans.org/diary.php?storyid=1871
> http://www.techweb.com/article/printableArticle.jhtml;?articleID=194700014&site_section=700027
> [Editor's Note (Skoudis): In addition to mentioning the fine work of
> Lenny Zeltser, this article cites a presentation that Tom Liston and I
> gave at SANS FIRE in July 2006 on how to thwart VM detection.  In that
> presentation, Tom and I provide a list of about a dozen undocumented VMX
> configuration file settings that we uncovered in our research to defeat
> almost all current methods of VMware detection in the wild (The Red
> Pill, Jerry, etc).  Malware researchers can use the options covered in
> that presentation to dodge the current generation of VM-detecting
> malware.  Please note, though, that these options break all of those
> nifty VM tools functions, like drag-n-drop, shared files, and
> copy-and-paste.  On the positive side, most malware researchers don't
> need those functions when analyzing malware in VM guests.]


Copyright © Lexa Software, 1996-2009.