Anti-virtualization techniques

1. Malware analysis

1.1. Static Analysis

Static Analysis is the process in which a blue-teamer examines the malware's code using disassemblers or decompilers such as IDA, Binary Ninja or Ghidra.

1.2. Dynamic Analysis

Dynamic Analysis is performed by observing what happens when the suspicious file is executed on the system. It can be done using various tools such as Sysmon, ProcMon, Process Hacker or debuggers (WinDbg, OllyDbg, etc.). Most often, dynamic analysis is performed in a virtualized environment (sandbox).

Automated sandboxes are able to run an executable and check what it does on the system. Different sandboxes are placed in different parts of the network. For example, there might be a sandbox on a mail server used to analyse email attachments.

For a malware developer the goal is to detect a virtualized environment and not run the malicious code on it. Various anti-virtualization techniques are used to detect the presence of a VM.

2. Anti-virtualization techniques

2.1. Sleeping

Sandboxes are often limited by a time constraint to prevent the over-allocation of resources. A sandbox might be able to run a PE file for only five minutes. So wait more than 5 minutes, or calculate the Fibonacci sequence up to a very large number.

NOTE: Developing your own sleep function (rather than using the built-in one) is highly recommended, because the built-in function might be altered by the AV or sandbox.

2.2. IP Geolocation

Sandboxes are often located off-premise, on a third-party AV provider's servers. If you know that the company is EU-only and you see that the IP belongs to San Francisco, the machine is likely a VM.

NOTE: Make sure that the geo-IP service's domain is not blacklisted in the victim's network.

2.3. Limited resources

Observe system information. Common attributes to check:

  • Number of CPU cores and amount of RAM installed (suspiciously small values)
  • MAC address and network adapter info (suspicious strings)
  • BIOS/UEFI version and information (suspicious strings)
  • PC hostname (suspicious name)
  • Screen resolution (suspicious, uncommon resolutions)

2.4. Domain information

Querying the AD domain information is a very reliable technique because almost no sandboxes are joined to a domain. If the machine is not joined to a domain, it's safe to assume that it's a VM. This technique of course cannot be used on private, non-corporate networks without an AD domain. Some information to query:

  • Machines
  • Accounts
  • Groups
  • Domain Controllers
  • DNS Servers
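As an added example (not part of the original notes) of how a sandbox operator can turn the attributes from 2.3 and 2.4 into a self-check: the audit below takes a constructed host profile and reports every attribute that would make the environment look virtualized, so the sandbox can be reconfigured before a sample tests it. The thresholds, the marker list and the `HostProfile` fields are assumptions chosen for illustration.

```python
# Added example: sandbox-realism audit over a host profile (defensive self-check).
# Thresholds and marker strings below are assumptions, not values from the notes.
from dataclasses import dataclass

# Constructed marker list (assumption): substrings that typically name a
# hypervisor or analysis environment in BIOS, hostname or adapter strings.
DEFAULT_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen",
                   "hyper-v", "sandbox", "virtual")


@dataclass
class HostProfile:
    cpu_cores: int
    ram_gb: float
    hostname: str
    bios_vendor: str
    adapter_name: str
    screen: tuple[int, int]
    domain_joined: bool
    markers: tuple[str, ...] = DEFAULT_MARKERS


def audit_sandbox_profile(p: HostProfile, min_cores: int = 2,
                          min_ram_gb: float = 4.0) -> list[str]:
    """Return findings that make the host look like a sandbox; [] means clean."""
    findings: list[str] = []
    # 2.3: suspiciously small resource allocation
    if p.cpu_cores < min_cores:
        findings.append(f"cpu_cores={p.cpu_cores} below {min_cores}")
    if p.ram_gb < min_ram_gb:
        findings.append(f"ram_gb={p.ram_gb} below {min_ram_gb}")
    # 2.3: hypervisor/analysis markers in firmware, hostname and adapter strings
    for label, value in (("bios", p.bios_vendor), ("hostname", p.hostname),
                         ("adapter", p.adapter_name)):
        hit = next((m for m in p.markers if m in value.lower()), None)
        if hit:
            findings.append(f"{label} contains marker '{hit}': {value}")
    # 2.3: uncommon resolution (assumption: below 1024x768 is unusual on a workstation)
    w, h = p.screen
    if w < 1024 or h < 768:
        findings.append(f"screen {w}x{h} is unusually small")
    # 2.4: not joined to an AD domain
    if not p.domain_joined:
        findings.append("host is not domain-joined")
    return findings


if __name__ == "__main__":
    # Constructed profile of a minimally configured analysis VM.
    bare = HostProfile(1, 2.0, "SANDBOX-01", "Virtual BIOS", "Ethernet", (800, 600), False)
    for f in audit_sandbox_profile(bare):
        print("fix:", f)
```

Each finding maps back to one bullet above, so the output doubles as a to-do list for making the sandbox look like an ordinary domain-joined workstation.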