Malware vs Virtualization: The endless cat and mouse play

aurelien.wail.ly/publications/hip-2013-slides.html

Plan

Virtualization

Virtualization usages

Bright side

Dark Side

Mainly for testing purposes!

Malware

On the bright side

Malware may detect virtualized environments

blockdiag-modify-behavior.png

On the dark side

Games may detect virtualized environments

blockdiag-cheat.png blockdiag-cheat-vmm.png

Who is leading?

How to detect virtualized environments?

Is it easier to hide or to detect?

Targeted escape

Sandbox environments have to

Demo Cuckoo

cuckoo-first-dll.png
Cuckoo

cuckoo-first-dll-zoom.png
Cuckoo zoom

Dark wizard

are-you-wizard.jpg
Meh :)

Going deeper

CPU overview

Each processor has its own IDT

Redpill

Table 1. Location differences (IDT base)

Physical     Virtual
0x80000000   0xc0000000

[2004, J.Rutkowska]

Processor features

CPU Information

Virtualization overhead

VM Entry example

blockdiag-overhead.png

Translation Lookaside Buffer

tlb-intro.png

TLB detection

tlb-full.png

tlb-full-time.png

tlb-full-vmm.png

tlb-full-time-miss.png

How to benchmark

Processor facilities

Integrated instructions

Not very accurate


[http://download.intel.com/embedded/software/IA/324264.pdf]

High precision Timers

Poor compatibility

External Timers

Rely on external protocol

No reference

Ratio

ratio-nop-cpuid.png

Discrepancies

Processors do not produce the expected behavior

Integrated facilities

Demo

WIN

Baremetal

dad@gambas ~/Projets/DetectHypervisor % ./detect2
000000: 50 65 6e 74                                      Pent
000000: 69 75 6d 28                                      ium(
000000: 52 29 20 44                                      R) D
000000: 75 61 6c 2d                                      ual-
[+] IDT base: 819da000
[+] SIDT[5] : 0x81
[+] SIDT[5] : 0x81
cpuid 1 ecx: 0c00e3bd bit:0
MSW: 8005003b
Ratio: 207.865799

VMware Player

dad@debian:~$ ./detect2
000000: 50 65 6e 74                                      Pent
000000: 69 75 6d 28                                      ium(
000000: 52 29 20 44                                      R) D
000000: 75 61 6c 2d                                      ual-
[+] IDT base: 8172d000
[+] SIDT[5] : 0x81
[+] SIDT[5] : 0x81
cpuid 1 ecx: 8c202201 bit:1
MSW: 8005003b
Ratio: 1588.099243

ESXi

ubuntu@ubuntu:~$ ./detect2
000000: 49 6e 74 65                                      Inte
000000: 6c 28 52 29                                      l(R)
000000: 20 58 65 6f                                       Xeo
000000: 6e 28 52 29                                      n(R)
[+] IDT base: 81dd9000
[+] SIDT[5] : 0x81
[+] SIDT[5] : 0x81
cpuid 1 ecx: 82982203 bit:1
MSW: 8005003b
Ratio: 615.849609

Thanks Pascal!

Qemu

root@debian:~# ./detect2
000000: 51 45 4d 55                                      QEMU
000000: 20 56 69 72                                       Vir
000000: 74 75 61 6c                                      tual
000000: 20 43 50 55                                       CPU
[+] IDT base: 8172d000
[+] SIDT[5] : 0x81
[+] SIDT[5] : 0x81
cpuid 1 ecx: 80802001 bit:1
MSW: cccc003b
Ratio: 3.352355

KVM

root@debby:~# ./detect2
000000: 51 45 4d 55                                      QEMU
000000: 20 56 69 72                                       Vir
000000: 74 75 61 6c                                      tual
000000: 20 43 50 55                                       CPU
[+] IDT base: 81738000
[+] SIDT[5] : 0x81
[+] SIDT[5] : 0x81
cpuid 1 ecx: 80802001 bit:1
MSW: 8005003b
Ratio: 901.177551

Xen

root@Xenny:~# ./detect2
000000: 49 6e 74 65                                      Inte
000000: 6c 28 52 29                                      l(R)
000000: 20 58 65 6f                                       Xeo
000000: 6e 28 52 29                                      n(R)
[+] IDT base: 8172d000
[+] SIDT[5] : 0x81
[+] SIDT[5] : 0x81
cpuid 1 ecx: 81b82221 bit:1
MSW: 8005003b
Ratio: 681.817383

Thanks Alex!
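As an added example (not the detect2 tool from the slides), the three checks the demo output above prints, written for GCC/clang on x86: the CPUID leaf 1 hypervisor-present bit ("bit:N"), the Redpill SIDT byte ("SIDT[5]"), and the CPUID-versus-NOP cycle ratio ("Ratio"). How detect2 computes its ratio is not on the slides, so the formula here (minimum TSC delta over several trials of an instruction loop) is an assumption and only the magnitude is comparable. A sandbox operator can run it inside their own guest to see how visible the VMM is; a ratio in the hundreds or thousands is the cost of the VM exit CPUID forces, while a tiny ratio like the Qemu run above is consistent with emulation rather than hardware-assisted virtualization.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __cpuid macro (GCC/clang) */
#include <x86intrin.h>  /* __rdtsc */
#define HAVE_X86 1
#else
#define HAVE_X86 0      /* lets the file build on other CPUs */
#endif
static volatile unsigned sink;  /* keeps the CPUID outputs "used" */

/* CPUID leaf 1, ECX bit 31 is the "hypervisor present" flag: the "bit:N"
 * field of the demo output. Pure, so it can be checked against those values. */
int hypervisor_bit_from_ecx(uint32_t ecx) { return (int)((ecx >> 31) & 1u); }

/* SIDT stores 2 limit bytes then the base; byte 5 is the top byte of a
 * 32-bit IDT base, i.e. the "SIDT[5]" value the demo prints (Redpill). */
uint8_t sidt_byte5_from_base(uint32_t base) { return (uint8_t)(base >> 24); }

#if HAVE_X86
/* Smallest TSC delta for a loop of n instructions; the minimum over several
 * trials filters out interrupts and scheduler noise. (Assumed formula.) */
static uint64_t min_cycles(int n, int trials, int use_cpuid) {
    uint64_t best = UINT64_MAX;
    for (int t = 0; t < trials; t++) {
        uint64_t t0 = __rdtsc();
        for (int i = 0; i < n; i++) {
            if (use_cpuid) {
                unsigned a, b, c, d;
                __cpuid(1, a, b, c, d);  /* always a VM exit under VT-x */
                sink = c;
            } else {
                __asm__ __volatile__("nop");
            }
        }
        uint64_t dt = __rdtsc() - t0;
        if (dt < best) best = dt;
    }
    return best ? best : 1;  /* never hand back a zero divisor */
}
#endif

/* CPUID cost over NOP cost, the demo's "Ratio" line; -1.0 when not on x86. */
double ratio_cpuid_vs_nop(int n, int trials) {
#if HAVE_X86
    return (double)min_cycles(n, trials, 1) / (double)min_cycles(n, trials, 0);
#else
    return -1.0;
#endif
}

int main(void) { printf("Ratio: %f\n", ratio_cpuid_vs_nop(100, 50)); return 0; }
```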

P. Ferrie: status

in progress

Formalization

VM detection categories


[T.Garfinkel]

How to find discrepancies

intel-wont-fix.png


[T.Raffetseder]

What about using network


[X.Chen, and M.Lindorfer]

Automation

20 000 in a few hours

gen-red-pills.png

Is malware using detection?

detect-comp-env.png

Shark plane

velociraptor-riding-a-shark.jpg
Good catch, send it to me :)

Hiding

Anti-detection

Least virtualization


[A.Nguyen and E.Keller]

Going deeper

Physical virtualization

Example: Barebox

Patching defects

Awesome part: Free code available! (!Ether)

New architectures

Virtualize without Hypervisors

Protection

Slow CPUs

Behaviors

Calling thousands of VMEXITs is dubious


…Set up a threshold, and hide the VMM when it is hit

Intel Haswell

Fewer VMEXITs

Roadmap

Toward a hypervisor inside the CPU

Counter-countermeasure

Nether

Detect ether!

PDF

Conclusion

Thanks!