flat assembler
Message board for the users of flat assembler.

Index > Feedback > Ban malware writers?

revolution
Azu, why did you misquote vid?
Post 18 Feb 2009, 12:04
Azu
revolution wrote:
There are some viruses now that detect for VMs and adjust their behaviour accordingly.
Wouldn't that just be if the VM didn't work exactly like a real environment?


revolution wrote:
Azu, why you misquote vid?
Um.. I didn't? Click the quote button next to his post and read what he wrote. It's in size=1 tags.
Post 18 Feb 2009, 12:05
revolution
Hey, good find, vid is a naughty boy!
Post 18 Feb 2009, 12:08
revolution
Azu wrote:
revolution wrote:
There are some viruses now that detect for VMs and adjust their behaviour accordingly.
Wouldn't that just be if the VM didn't work exactly like a real environment?
Of course, VMs are not perfect. There are many ways to detect, no problem.
Post 18 Feb 2009, 12:09
Azu
revolution wrote:
Azu wrote:
revolution wrote:
There are some viruses now that detect for VMs and adjust their behaviour accordingly.
Wouldn't that just be if the VM didn't work exactly like a real environment?
Of course, VMs are not perfect. There are many ways to detect, no problem.
Won't they be fixed if viruses start using them though?

Or is there some fundamental weakness that an infinite amount of ways can be derived from?
Post 18 Feb 2009, 12:15
revolution
It's the fundamental thing. There are so many things that a VM would have to do to counter all possibilities that it just becomes too complex to solve in any practical way.


Post 18 Feb 2009, 12:19
Azu
Ah, damn.


I still think it makes it easier though, even if it will never be perfect. It's going to detect at least some that wouldn't have otherwise been detected, right? As long as this isn't used to the exclusion of other types of detection, I mean.


Post 18 Feb 2009, 12:24
vid
Now I am not sure how exactly you think VMs help viruses. How?

BTW, detecting whether you run in a VM is quite easily detectable by the VM host. And it is pretty hard to detect whether you are running in a VM without being detected doing so. Of course copy protections are "legal" and do such detection too, so it is a bit harder.
Post 18 Feb 2009, 12:24
revolution
vid wrote:
Now I am not sure how exactly you think VMs help viruses. How?

BTW, detecting whether you run in a VM is quite easily detectable by the VM host. And it is pretty hard to detect whether you are running in a VM without being detected doing so. Of course copy protections are "legal" and do such detection too, so it is a bit harder.
It can be done, but the cost to do it is enormous. People want their VM to be practical to use. Once you start putting in code to simulate contiguous real time, RDTSC, NTP protocol, etc. (just a few of many detection mechanisms) then the VMs become very complex. And with complexity comes bugs and exploits. It is a never ending cycle.
Post 18 Feb 2009, 12:30
vid
I wasn't talking about the host remaining hidden from the guest, I was talking about the host being able to detect when the guest is trying to tell whether it runs in a VM. That is "one level less".

Any timing method is prone to be detected simply by the guest doing too many VM-breaks in a short time (it has to be done like this in order to prevent cache misses, which would look like time consumed by a VM break, and to multiply the tiny time taken by the host to handle virtualization into something measurable).

Quote:
simulate contiguous real time

what exactly do you mean by this?
Post 18 Feb 2009, 12:39
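vid's point above, that a timing probe has to fire many VM exits in a short time and therefore stands out to the host, can be turned into a simple host-side heuristic. The following is an added example, not code from the thread or from any real hypervisor; the trace line format, the exit-reason grouping and the thresholds are assumptions. It scans a constructed VM-exit trace and flags bursts of timing-related exits coming from one guest instruction address.

```python
from collections import deque
from dataclasses import dataclass

# Exit reasons a guest must trigger in a tight loop to turn the host's tiny
# per-exit overhead into a measurable delay (assumed grouping, not a real one).
TIMING_EXITS = {"RDTSC", "RDTSCP", "CPUID"}

@dataclass(frozen=True)
class VmExit:
    t_us: int     # host-side timestamp of the exit, microseconds
    reason: str   # exit reason as the hypervisor reports it
    rip: int      # guest instruction pointer at the exit

def parse_trace(lines):
    """Parse constructed trace lines of the form '<t_us> <reason> <rip-hex>'."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, reason, rip = line.split()
        events.append(VmExit(int(t), reason.upper(), int(rip, 16)))
    return events

def find_probe_bursts(events, window_us=1000, threshold=16):
    """Return (start_us, end_us, count, rip) per window with >= threshold timing exits."""
    bursts, win = [], deque()
    for ev in events:
        if ev.reason not in TIMING_EXITS:
            continue
        win.append(ev)
        while ev.t_us - win[0].t_us > window_us:   # keep only the last window_us
            win.popleft()
        if len(win) >= threshold:
            bursts.append((win[0].t_us, ev.t_us, len(win), ev.rip))
            win.clear()  # report each burst once, then keep scanning
    return bursts

# Constructed trace: a quiet guest doing I/O, then a tight loop of RDTSC exits
# from one instruction address, which is how a timing probe looks from the host.
SAMPLE_TRACE = (
    ["# t_us reason rip"]
    + [f"{t} IO 0x401000" for t in range(0, 50_000, 5_000)]
    + [f"{100_000 + 10 * i} RDTSC 0x4021a0" for i in range(20)]
    + [f"{200_000 + 10 * i} CPUID 0x403000" for i in range(3)]
)

def analyse(lines=SAMPLE_TRACE):
    return find_probe_bursts(parse_trace(lines))
```

A real monitor would be tuned against the guest's normal exit rate, since a few scattered CPUID exits are ordinary behaviour and only the dense burst is worth an alert.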
revolution
vid wrote:
Quote:
simulate contiguous real time

what exactly do you mean by this?
That is the clock at the bottom corner of your screen. In a VM there are small but detectable "jumps" in real time. Because the VM is running in a host OS, the host will use some time for itself and the VM stops, but real time still ticks on regardless.
Post 18 Feb 2009, 12:43
vid
Quote:
In a VM there are small but detectable "jumps" in real time.

In "heavyweight" VMs maybe yes. Before going on in the debate, I guess I will need an answer to my question "Now I am not sure how exactly you think VMs help viruses. How?" because I don't know which scenario we are talking about (virus as a host, AV as host, or what?)
Post 18 Feb 2009, 13:13
revolution
The basic scenario is: Virus in a VM says "I'm in a VM so don't do a bad thing". Then later virus in a real machine says "I'm running for real, do the wild thing".

And the virus doesn't care what the host VM is, AV scanner, VPC, VMWare, Bochs, whatever, any VM will mean no bad behaviour.
Post 18 Feb 2009, 13:17
vid
And that should be a defense against an AV which will be a VM host?

Making the AV a VM host sounds VERY hypothetical to me. Will the AV have a custom lightweight VM host, or will it work as a part of something existing, like VMware or XEN?
Post 18 Feb 2009, 13:26
revolution
Sure, many AVs have VM capabilities. Mostly software based, like Bochs. No great feat really. Debug your favourite AV and you will see it happening.
Post 18 Feb 2009, 13:29
Azu
revolution wrote:
vid wrote:
Now I am not sure how exactly you think VMs help viruses. How?

BTW, detecting whether you run in a VM is quite easily detectable by the VM host. And it is pretty hard to detect whether you are running in a VM without being detected doing so. Of course copy protections are "legal" and do such detection too, so it is a bit harder.
It can be done, but the cost to do it is enormous. People want their VM to be practical to use. Once you start putting in code to simulate contiguous real time, RDTSC, NTP protocol, etc. (just a few of many detection mechanisms) then the VMs become very complex. And with complexity comes bugs and exploits. It is a never ending cycle.
Would it really be too much overhead to emulate RDTSC? And why the need to simulate contiguous real time.. why not just accept it running slower than the host OS? Isn't the only point of skipping it ahead so it's in sync with the host OS that it's better that way for the human using it? When it's an automatic mini VM run by the AV without the user seeing it, and it gets torn down shortly after, kind of pointless..
Post 18 Feb 2009, 15:29
revolution
There are many interactions that a VM has a hard time to emulate completely. Too complex to explain here, there are many websites around explaining various methods of detection. Some methods are VERY hard to counteract, others quite easily, but all require some compromises in the VM and make it a lot more complex.
Post 18 Feb 2009, 15:40
bitRAKE
I was thinking more about using the VM for testing/improving the virus. It isn't a big chore to run a small network on a single PC with various guests. Any smart virus writer would try to increase the surface area of the virus - not the depth/complexity (no need to detect the VM).

(vid, if you want to share your fantasies in private - send me some pics sweety.)

Post 18 Feb 2009, 16:36
Azu
bitRAKE wrote:
I was thinking more about using the VM for testing/improving the virus. It isn't a big chore to run a small network on a single PC with various guests. Any smart virus writer would try to increase the surface area of the virus - not the depth/complexity (no need to detect the VM).
That's what I thought you meant when I made my first reply, but then I thought I assumed wrong when everyone started talking about anti virus lol..
Post 18 Feb 2009, 16:39
Borsuc
Azu wrote:
If you mean things like WINE.. then no.
Wine Is Not an Emulator

Post 14 Mar 2009, 18:13
Copyright © 1999-2020, Tomasz Grysztar.
