June 13th, 2005, 09:18 AM
VM Detection --> A New Way to Defeat Testbeds?
My roommate mentioned this to me about a week ago and I hadn't seen any mention of it here, so I thought I'd pots it.
Basically someone has created a small segment of code that allows the software to determine if it's running on a real computer or in virtual machine hardware such as VMWare or Virtual PC.
The article goes on to cover how to detect both instances of software, including the code to do it and an explanation of how to implement the code.
Both Virtual PC and VMWare allow you to install "add-in"s to accelerate emulation, allow drag-n-drop from your real desktop to your virtual desktop, and allow file sharing between your real machine and the virtual machine.
In order to accomplish this task, a communication mechanism between the virtual machine software and the virtual machine itself must exist.
This sort of interfacing is called a "backdoor interfacing", since, using a special/undocumented mechanism, certain commands can be carried and interpreted in a different manner (by the virtual machine software) unlike having them interpreted by the real machine.
Next, I'll be covering how you can tell whether your software is being executed using a real machine or a virtual machine software (covering both Virtual PC and VMWare).
What kind of problems does this create for user that create VM sandboxes and test beds. The malware can now trick the user and lie dormant. Will we now see malware that lies dormant in a VM but comes to life and spread quickly and damages much when running on the host OS? Has anyone seen any software yet that is implementing this code and is it something we have to look forward to in the future?
Anyways... what do ya think? Check out the full article at http://www.codeproject.com/system/Vm...asp?print=true
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".