Index
> Feedback > Ban malware writers?Goto page Previous 1, 2, 3, 4 Next |
| Author |
|
|
revolution
Azu, why you misquote vid?
|
|||
18 Feb 2009, 12:04 |
|
|
revolution
Hey, good find, vid is a naughty boy!
|
|||
|
18 Feb 2009, 12:08 |
|
|
revolution
Azu wrote:
|
|||
|
18 Feb 2009, 12:09 |
|
|
Azu
revolution wrote:
Or is there some fundamental weakness that an infinite amount of ways can be derived from? |
|||
|
18 Feb 2009, 12:15 |
|
|
revolution
It's the fundamental thing. There are so many things that a VM would have to do to counter all possibilities that it just becomes too complex to solve in any practical way.
Last edited by revolution on 18 Feb 2009, 12:24; edited 1 time in total |
|||
|
18 Feb 2009, 12:19 |
|
|
Azu
Ah, damn.
I still think it makes it easier though. Even if it will never be perfect. It's going to detect at least some that wouldn't have otherwise been detected, right? As long as this isn't used in exclusion to other types of detection I mean. Last edited by Azu on 18 Feb 2009, 12:24; edited 1 time in total |
|||
|
18 Feb 2009, 12:24 |
|
|
vid
Now I am not sure how exactly do you think VMs help viruses. How?
BTW, detection whether you run in VM is quite easily detectable by the VM host  And it is pretty hard to detect whether you are running in VM without being detected doing so. Of course copy protections are "legal" and do such detection too, so it is bit harder. |
|||
|
18 Feb 2009, 12:24 |
|
|
revolution
vid wrote: Now I am not sure how exactly do you think VMs help viruses. How? |
|||
|
18 Feb 2009, 12:30 |
|
|
vid
I wasn't talking about host remaining hidden from guest, I was talking about host being able to detect when guest is trying tell whether it runs in VM. That is "one level less".
Any timing method is prone to be detected simply by guest doing too many VM-breaks in short time (it has to be done like this in order to prevent cache misses which would look like time consumed by VM break, and to multiply tiny time taken by host to handle virtualization to something mesureable). Quote: simulate contiguous real time what exactly do you mean by this? |
|||
|
18 Feb 2009, 12:39 |
|
|
revolution
vid wrote:
|
|||
|
18 Feb 2009, 12:43 |
|
|
vid
Quote: In a VM there are small but detectable "jumps" in real time. In "heavyweight" VMs maybe yes. Before going on in debate, I quess I will need answer to my question "Now I am not sure how exactly do you think VMs help viruses. How?" because I don't know which scenario are we talking about (virus as a host, AV as host, or what?) |
|||
|
18 Feb 2009, 13:13 |
|
|
revolution
The basic scenario is: Virus in a VM says "I'm in a VM so don't do a bad thing". Then later virus in a real machine says "I'm running for real, do the wild thing".
And the virus doesn't care what the host VM is, AV scanner, VPC, VMWare, Bochs, whatever, any VM will mean no bad behaviour. |
|||
|
18 Feb 2009, 13:17 |
|
|
vid
And that should be as a defense against AV which will be a VM host?
Making AV as a VM host sounds VERY hypothetical to me. Will the AV have custom lightweight VM host, or will it work as a part of something existing, like VMware or XEN? |
|||
|
18 Feb 2009, 13:26 |
|
|
revolution
Sure, many AVs have VM capabilities. Mostly software based, like Bochs. No great feat really. Debug your favourite AV and you will see it happening.
|
|||
|
18 Feb 2009, 13:29 |
|
|
Azu
revolution wrote:
|
|||
|
18 Feb 2009, 15:29 |
|
|
revolution
There are many interactions that a VM has a hard time to emulate completely. Too complex to explain here, there are many websites around explaining various methods of detection. Some methods are VERY hard to counteract, others quite easily, but all require some compromises in the VM and make it a lot more complex.
|
|||
|
18 Feb 2009, 15:40 |
|
|
bitRAKE
I was thinking more about using the VM for testing/improving the virus. It isn't a big chore to run a small network on a single PC with various guests. Any smart virus writer would try to increase the surface area of the virus - not the depth/complexity (no need to detect the VM).
(vid, if you want to share your fantasies in private - send me some pics sweety.) |
|||
|
18 Feb 2009, 16:36 |
|
|
Azu
bitRAKE wrote: I was thinking more about using the VM for testing/improving the virus. It isn't a big chore to run a small network on a single PC with various guests. Any smart virus writer would try to increase the surface area of the virus - not the depth/complexity (no need to detect the VM). |
|||
|
18 Feb 2009, 16:39 |
|
|
Borsuc
Azu wrote: If you mean things like WINE.. then no.  _________________ Previously known as The_Grey_Beast |
|||
|
14 Mar 2009, 18:13 |
|
| Goto page Previous 1, 2, 3, 4 Next < Last Thread | Next Thread > |
Forum Rules:
|