
[资讯] VMCloak – Create a Virtual Machine the Easy Way

samlin01
Posted on 2014-12-12 21:21:11
Last edited by samlin01 on 2014-12-12 21:22

(Reposted from http://blog.avira.com/vmcloak-create-virtual-machine-easy-way/)

We have been wrong.

In 2012, when we started the iTES project (a project which deals with running the vulnerable parts of a computer system in virtual machines; find out more in this blog post), our basic assumption was that by 2014 malware would no longer detect virtual machines because they would be too common …


… and – in this we were correct – they are. You can basically find virtual machines:
• In companies running their internal servers as a VM for easier maintenance
• On thin clients, where the end-users have simple terminals instead of “real” systems (again for reasons of easier maintenance)
• In clouds like the Amazon cloud, where you can just “click your own system” within minutes
• As virtual appliances, simple systems which only have one job (like a network proxy). Easy to install.

However, due to our assumption we decided not to bother with the virtual machine detection.

That’s where we went wrong.

Now, at the end of 2014, about 20% of the malware out there still detects VMs. Especially the complicated-and-interesting malware does. Back when we started, we estimated that no more than a single-digit figure would be able to do it by now!

Symantec released an article which covers that topic. Furthermore, our own numbers show similar results (ours are a bit biased though: for the iTES project we filter out all the “boring” malware before we send the remaining samples to Cuckoo).

Malware detects virtual machines just to annoy the antivirus vendors

One way to classify samples in a virus lab is to run the suspicious sample in a VM and monitor its behavior. If it does attack the system, it’s malware – and that’s why malware is detecting whether or not it is running in a virtual machine and changes its own behavior accordingly. In the Avira Virus Lab we do not rely on a single classification method but combine several ones. So this is not really an issue.

But for our research project I wanted to observe the malicious behavior of even the trickiest malware in a virtual machine … a problem that obviously needs to be solved.

VM Detection and a Paranoid Fish

There are many ways to detect if your program is running in a VM. The most common ones are:
  • Detect hardware configuration
  • Network MAC address
  • HD vendor name
  • BIOS vendor
  • Video BIOS vendor
  • Detect installed guest additions
  • Detect specific registry keys
  • Some malware detects a specific machine ID (for example based on a fingerprint of the user ID and the hardware being used)

These tricks are surprisingly simple and yet seem to be very effective.

Instead of writing documentation on how to detect a VM, I decided to add the identified tricks to a cool Open Source project: the Paranoid Fish (PaFish; if you are interested you can find my changes in the dev-chaos branch). For me as a programmer, writing code (especially code as simple and structured as required for PaFish) is like writing documentation that executes and helps in the next step:


VM Cloaking

This step starts with the hardware configuration to create a cloaked VM. You will have to do this before being able to install any operating system. After the OS is installed there will be other buttons to press: registry settings and basic program configuration. Back in the “good old days” we had whole manuals on how to do it and configured the virtual machines manually; a quite boring and error-prone task. Instead of writing another how-to, we (Jurriaan Bremer and I) decided to fix it once and for all: we created a tool called VMCloak that can mass-produce ready-to-use cloaked VMs.

Just add your requirements to a configuration file, start the script, wait two coffees and you will have a dozen VMs.


Please welcome VMCloak

VMCloak will:
  • Set up the virtual machine, including the appropriate hardware setup – like proper hardware IDs, >50 GB of HD space (less is a sign of a VM), …
  • Install the OS
  • Set up networking
  • Install applications
  • Do some system config to cloak the machine
  • …and it can install everything required for Cuckoo Sandbox

To give you a small glimpse of the very useful features VMCloak offers, I’ll go into more detail concerning its dependencies (aka “automatically install programs”). A complete documentation can be found here.

When analyzing the behavior of a malicious sample you normally want some programs installed which will then be attacked by the malware. That can include old browsers, PDF readers, Flash players, you name it. Also, when doing a manual analysis, you want your default tools to view the running processes, system changes, etc.

Dependencies are small configuration snippets that allow VMCloak to automatically install programs after the OS has been set up. They define the filename of the setup file, which buttons have to be clicked to get through the installation, and some additional information like flags, description, and even dependencies.

Without any kind of automation one would waste minutes to hours in order to click the next button.
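An added example (not from the article, PaFish or VMCloak) that ties the detection list in the “VM Detection” section to the cloaking goals above: a small audit that takes a guest's hardware inventory and reports which of the listed tricks (MAC OUI, disk/BIOS/video BIOS vendor strings, guest additions, disk size under 50 GB) would give the VM away, so an analyst can check a freshly built VM before putting it to work. Both inventory dicts and every value in them are constructed; the OUI prefixes and vendor tokens are the well-known VMware/VirtualBox ones, and the 50 GB threshold is the article's own.

```python
# OUI prefixes assigned to VMware and VirtualBox network adapters.
VM_MAC_PREFIXES = ("08:00:27", "00:05:69", "00:0c:29", "00:1c:14", "00:50:56")
# Vendor substrings hypervisors expose in disk, BIOS and video BIOS identifiers.
VM_VENDOR_TOKENS = ("vbox", "virtualbox", "innotek", "vmware", "qemu", "bochs")
MIN_CREDIBLE_DISK_GB = 50  # the article treats a smaller disk as a VM tell

# Constructed inventory of an uncloaked VirtualBox guest (sample values only).
UNCLOAKED_INVENTORY = {
    "mac": "08:00:27:3a:9f:c1",
    "disk_vendor": "VBOX HARDDISK",
    "bios_vendor": "innotek GmbH",
    "video_bios": "Oracle VM VirtualBox",
    "disk_size_gb": 20,
    "guest_additions_installed": True,
}

# Constructed inventory of the same guest after cloaking; the strings are
# made-up placeholders, not a recommendation of specific hardware IDs.
CLOAKED_INVENTORY = {
    "mac": "00:1a:2b:3c:4d:5e",          # constructed, not a hypervisor OUI
    "disk_vendor": "Example SATA Disk",  # constructed vendor string
    "bios_vendor": "Example BIOS Vendor",
    "video_bios": "Example Video BIOS",
    "disk_size_gb": 80,
    "guest_additions_installed": False,
}


def audit_inventory(inv):
    """Return the names of the article's detection tricks this inventory trips.

    An empty list means none of these simple checks would flag the machine.
    Order is fixed (MAC, then vendor strings, then disk size, then additions)
    so the result can be compared directly between builds.
    """
    findings = []
    if inv.get("mac", "").lower().startswith(VM_MAC_PREFIXES):
        findings.append("mac_oui")
    for key in ("disk_vendor", "bios_vendor", "video_bios"):
        if any(tok in inv.get(key, "").lower() for tok in VM_VENDOR_TOKENS):
            findings.append(key)
    if inv.get("disk_size_gb", 0) < MIN_CREDIBLE_DISK_GB:
        findings.append("small_disk")
    if inv.get("guest_additions_installed"):
        findings.append("guest_additions")
    return findings


if __name__ == "__main__":
    print("uncloaked:", audit_inventory(UNCLOAKED_INVENTORY))
    print("cloaked:  ", audit_inventory(CLOAKED_INVENTORY))
```

Feeding the audit a real inventory (MAC from the guest NIC, vendor strings from WMI or dmidecode) is left to the reader; the checks themselves are the same ones PaFish implements in C.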


Test your skillz

PaFish and VMCloak are Open Source and available for everyone. Especially VMCloak is still very young and there are lots of opportunities to test it and show your superior skillz:
  • Add application packages (dependencies) for automatic program installation
  • Add more cloaking (add PaFish VM detection followed by VMCloak cloaking, chess against yourself)
  • Windows 7 installation or other – for programming admins
  • Create virtual machines using VMware, KVM, …

The opportunities are endless, so just go ahead.

TL;DR:
No need to ever create a virtual machine for malware analysis again. Use VMCloak.

For Science!
Thorsten Sick


Here are the addresses of PaFish, Cuckoo and VMCloak mentioned in the article; anyone interested can download them themselves.
PaFish: https://github.com/a0rtega/pafish
VMCloak: http://vmcloak.org/
Cuckoo: http://cuckoosandbox.org/
(All of the above addresses are links from the original article!)



诸葛亮
Posted on 2014-12-12 21:29:56
The analysis sandboxes above are powerful, sure, but unfortunately I'm a newbie and don't know how to use them.
samlin01
(OP) Posted on 2014-12-12 21:33:10
Quoting 诸葛亮, 2014-12-12 21:29:
The analysis sandboxes above are powerful, sure, but unfortunately I'm a newbie and don't know how to use them.

Didn't you use a sandbox when you tested APC a while ago?
诸葛亮
Posted on 2014-12-12 21:38:08
Quoting samlin01, 2014-12-12 21:33:
Didn't you use a sandbox when you tested APC a while ago?

The sandboxes above are not like Sandboxie. Sandboxie works as soon as you install it and is easy to pick up. Of the ones above, I downloaded that Cuckoo Sandbox; it's an archive with a pile of files inside. I'm a newbie and have no idea how to use it; I guess anyone who can use those is a guru.
samlin01
(OP) Posted on 2014-12-12 21:53:10
Quoting 诸葛亮, 2014-12-12 21:38:
The sandboxes above are not like Sandboxie. Sandboxie works as soon as you install it and is easy to pick up. Of the ones above, I downloaded that Cuckoo Sandbox; it's a ...

Does that Cuckoo Sandbox have a Chinese version, or is it all in English?
诸葛亮
Posted on 2014-12-12 22:04:45
Quoting samlin01, 2014-12-12 21:53:
Does that Cuckoo Sandbox have a Chinese version, or is it all in English?

Probably not. I don't know how to use it, so I don't know whether it supports Chinese either.
天蓝色的忧伤
Posted on 2014-12-13 10:10:19 from mobile
Quoting 诸葛亮, 2014-12-12 22:04:
Probably not. I don't know how to use it, so I don't know whether it supports Chinese either.

As long as you've passed the TEM-8 English exam you'll understand it……
aaa839
Posted on 2014-12-13 11:30:43
Last edited by aaa839 on 2014-12-13 11:35
Quoting 诸葛亮, 2014-12-12 21:38:
The sandboxes above are not like Sandboxie. Sandboxie works as soon as you install it and is easy to pick up. Of the ones above, I downloaded that Cuckoo Sandbox; it's a ...

That one is FOR virus analysts specifically, not FOR home or ordinary users.
Also, Cuckoo will in the future be added into APC's cloud.
samlin01
(OP) Posted on 2014-12-13 21:59:55
Quoting aaa839, 2014-12-13 11:30:
That one is FOR virus analysts specifically, not FOR home or ordinary users.
Also, Cuckoo will in the future be added into APC's cloud.

Hasn't Cuckoo been added into APC yet?
aaa839
Posted on 2014-12-14 04:25:24
Quoting samlin01, 2014-12-13 21:59:
Hasn't Cuckoo been added into APC yet?

Not that fast. Even if they want to add it, they'll have to set up new equipment for APC and go through procedures like testing.
So wait patiently.
That said, Cuckoo is currently one of the analysis tools used by the virus analysis lab staff inside APL.
So no need to worry too much.
Copyright © KaFan  KaFan.cn All Rights Reserved.