This post was last edited by samlin01 on 2014-12-12 21:22
(Reposted from http://blog.avira.com/vmcloak-create-virtual-machine-easy-way/)
We have been wrong.
In 2012, when we started the iTES project (a project which deals with running vulnerable parts of a computer system in virtual machines; find out more in this blog post), our basic assumption was that by 2014 malware would no longer detect virtual machines because they would be too common …
… and – in this we were correct – they are. You can basically find virtual machines:
•In companies running their internal servers as a VM for easier maintenance
•On thin clients, where the end-users have simple terminals instead of “real” systems (again for easier maintenance)
•In clouds like the Amazon cloud where you can just “click your own system” within minutes
•As virtual appliances, simple systems which only have one job (like a network proxy). Easy to install.
However, due to our assumption we decided not to bother with the virtual machine detection.
That’s where we went wrong.
Now, at the end of 2014, about 20% of the malware out there still detects VMs. Especially the complicated-and-interesting malware does. Back when we started, we estimated that not more than a single-digit percentage would still be able to do it by now!
Symantec released an article which covers that topic. Furthermore our own numbers show similar results (ours are a bit biased though: For the iTES project we filter out all the “boring” malware before we send the remaining samples to Cuckoo).
Malware detects virtual machines just to annoy the antivirus vendors
One way to classify samples in a virus lab is to run the suspicious sample in a VM and monitor its behavior. If it does attack the system, it’s malware – and that’s why malware detects whether or not it is running in a virtual machine and changes its own behavior accordingly. In the Avira Virus Lab we do not rely on a single classification method but combine several. So this is not really an issue.
But for our research project I wanted to observe the malicious behavior of even the trickiest malware in a virtual machine … a problem that obviously needs to be solved.
VM Detection and a Paranoid Fish
There are many ways to detect if your program is running in a VM. The most common ones are:
- Detect hardware configuration
- Network MAC address
- Hard disk vendor name
- BIOS vendor
- Video BIOS vendor
- Detect installed guest additions
- Detect specific registry keys
- Some malware detects a specific machine ID (for example based on a fingerprint on the user ID and the hardware being used)
These tricks are surprisingly simple and yet seem to be very effective.
Instead of writing documentation on how to detect a VM I decided to add the identified tricks to a cool Open Source project: The Paranoid Fish (PaFish; if you are interested you can find my changes in the dev-chaos branch). For me as a programmer, writing code (especially code as simple and structured as PaFish requires) is like writing documentation that executes and helps with the next step:
VM Cloaking
This step starts with the hardware configuration to create a cloaked VM. You will have to do this before being able to install any operating system. After the OS is installed there will be other buttons to press: registry settings and basic program configuration. Back in the “good old days” we had whole manuals on how to do it and configured the virtual machines manually; a quite boring and error-prone task. Instead of writing another how-to we (Jurriaan Bremer and I) decided to fix it once and forever: We created a tool called VMCloak that can mass-produce ready-to-use cloaked VMs.
Just add your requirements to a configuration file, start the script, wait 2 coffees and you will have a dozen VMs.
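As an added example (not PaFish's or VMCloak's own code), here are the detection list above and this cloaking step played against each other in Python. A PaFish-style `detect_vm()` runs the MAC, BIOS/system vendor, disk model, disk size, registry key and driver file checks over a constructed fingerprint dict, and `cloak_plan()` produces the VBoxManage commands that change those values before the OS is installed and returns the fingerprint the same checks should then see. The fingerprints, the replacement MAC (an OUI not registered to a hypervisor) and the Dell/WDC vendor strings are assumed example values; the extradata keys are VirtualBox's documented DMI and IDE knobs. The video BIOS check from the list is not covered.

```python
# Added example, not PaFish or VMCloak code: PaFish-style checks over a
# constructed fingerprint, and the VBoxManage plan that makes a stock
# VirtualBox guest pass them. Vendor strings and MACs are assumed values.

# Hypervisor OUIs (first three octets of the MAC address), a classic tell.
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox", "00:16:3e": "Xen",
    "00:15:5d": "Hyper-V", "00:1c:42": "Parallels",
}
# Hypervisor vendor substrings looked for in BIOS / system / disk strings.
VM_VENDOR_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "innotek",
                     "xen", "bochs", "parallels")
# Registry keys and driver files that guest additions leave behind.
VM_REGISTRY_KEYS = (
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
)
VM_DRIVER_FILES = (
    r"C:\Windows\System32\drivers\VBoxMouse.sys",
    r"C:\Windows\System32\drivers\VBoxGuest.sys",
    r"C:\Windows\System32\drivers\vmhgfs.sys",
)
MIN_REAL_DISK_GB = 50  # the post: less than ~50 GB of disk is a VM sign


def detect_vm(fp):
    """Return the checks that fire for fingerprint dict `fp` (keys: mac,
    bios_vendor, system_vendor, disk_model, disk_gb, registry_keys, files).
    An empty list means the guest looks physical to these checks."""
    hits = []
    oui = fp["mac"].lower()[:8]
    if oui in VM_MAC_OUIS:
        hits.append("mac:" + VM_MAC_OUIS[oui])
    for field in ("bios_vendor", "system_vendor", "disk_model"):
        value = fp[field].lower()
        if any(marker in value for marker in VM_VENDOR_MARKERS):
            hits.append(field + ":" + fp[field])
    if fp["disk_gb"] < MIN_REAL_DISK_GB:
        hits.append("disk_gb:%d" % fp["disk_gb"])
    hits += ["registry:" + k for k in VM_REGISTRY_KEYS if k in fp["registry_keys"]]
    hits += ["file:" + f for f in VM_DRIVER_FILES if f in fp["files"]]
    return hits


# A fresh VirtualBox guest with guest additions, as its defaults present it
# (constructed; the MAC suffix is made up).
STOCK_VBOX = {
    "mac": "08:00:27:ab:cd:ef",
    "bios_vendor": "innotek GmbH",
    "system_vendor": "innotek GmbH",
    "disk_model": "VBOX HARDDISK",
    "disk_gb": 20,
    "registry_keys": [r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
                      r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"],
    "files": [r"C:\Windows\System32\drivers\VBoxMouse.sys",
              r"C:\Windows\System32\drivers\VBoxGuest.sys"],
}

# Assumed replacement values: an OUI not registered to a hypervisor and the
# vendor strings of a plausible desktop. Adjust to the hardware you imitate.
CLOAK = {
    "mac": "3c:97:0e:12:34:56",
    "bios_vendor": "Dell Inc.",
    "system_vendor": "Dell Inc.",
    "disk_model": "WDC WD10EZEX-08M2NA0",
    "disk_gb": 80,
}


def cloak_plan(vm_name, fp, cloak=CLOAK):
    """Return (VBoxManage commands, fingerprint expected after cloaking).
    Run the commands before installing the OS. Guest additions are simply
    never installed, so their registry keys and driver files are absent."""
    dmi = "VBoxInternal/Devices/pcbios/0/Config/"
    ide = "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/"
    mac = cloak["mac"].replace(":", "")  # modifyvm takes the MAC without colons
    cmds = [
        ["VBoxManage", "modifyvm", vm_name, "--macaddress1", mac],
        ["VBoxManage", "setextradata", vm_name, dmi + "DmiBIOSVendor", cloak["bios_vendor"]],
        ["VBoxManage", "setextradata", vm_name, dmi + "DmiSystemVendor", cloak["system_vendor"]],
        ["VBoxManage", "setextradata", vm_name, ide + "ModelNumber", cloak["disk_model"]],
        # size is in MB; a dynamic VDI still reports its full size to the guest
        # (attaching it with storageattach is left out here)
        ["VBoxManage", "createhd", "--filename", vm_name + ".vdi",
         "--size", str(cloak["disk_gb"] * 1024)],
    ]
    cloaked = dict(fp, registry_keys=[], files=[], **cloak)
    return cmds, cloaked


if __name__ == "__main__":
    print("stock guest trips:", detect_vm(STOCK_VBOX))
    cmds, cloaked = cloak_plan("win7-analysis-01", STOCK_VBOX)
    for cmd in cmds:
        print(" ".join(cmd))
    print("cloaked guest trips:", detect_vm(cloaked))
```

Run directly, it prints the nine checks the stock guest trips, the commands, and an empty list for the cloaked guest. Leaving guest additions out is deliberate: their drivers and registry keys are among the easiest tells, and the Cuckoo agent talks to the host over the network rather than through them.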
Please welcome VMCloak
VMCloak will:
- Set up the virtual machine, including the appropriate hardware setup, like proper hardware IDs, >50 GB of disk space (less is a sign of a VM), …
- Install the OS
- Set up networking
- Install applications
- Do some system config to cloak the machine
- …and it can install everything required for Cuckoo Sandbox
To give you a small glimpse of the very useful features VMCloak offers, I’ll go into more detail concerning its dependencies (aka “automatically install programs”). Complete documentation can be found here.
When analyzing the behavior of a malicious sample you normally want some programs installed which will then be attacked by the malware. That can include old browsers, PDF readers, Flash players, you name it. Also, when doing a manual analysis, you want your default tools to view the running processes, system changes, etc.
Dependencies are small configuration snippets that allow VMCloak to automatically install programs after the OS has been set up. They define the filename of the setup file, which buttons have to be clicked to get through the installation, and some additional information like flags, a description, and even dependencies of their own.
Without any kind of automation one would waste minutes to hours clicking the Next button.
Test your skillz
PaFish and VMCloak are Open Source and available for everyone. Especially VMCloak is still very young and there are lots of opportunities to test it and show your superior skillz:
- Add application packages (dependencies) for automatic program installation
- Add more cloaking (add PaFish VM detection followed by VMCloak cloaking, chess against yourself)
- Windows 7 installation or other – for programming admins
- Create virtual machines using VMWare, KVM, …
The opportunities are endless, so just go ahead.
TL;DR:
No need to ever create a virtual machine for malware analysis again. Use VMCloak.
For Science !
Thorsten Sick
Here are the addresses of PaFish, Cuckoo and VMCloak mentioned in the article; anyone interested can download them themselves
PaFish: https://github.com/a0rtega/pafish
VMCloak: http://vmcloak.org/
Cuckoo: http://cuckoosandbox.org/
(All of the above addresses are the original article's links!)