Ban malware writers?

Index > Feedback > Ban malware writers?

Goto page Previous 1, 2, 3, 4 Next

Author

Thread

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 17716
Location: In your JS exploiting you and your system

revolution

Azu, why you misquote vid?

18 Feb 2009, 12:04

Azu

Joined: 16 Dec 2008
Posts: 1159

Azu

revolution wrote:

There are some viruses now that detect for VMs and adjust their behaviour accordingly.

Wouldn't that just be if the VM didn't work exactly like a real environment?

revolution wrote:

Azu, why you misquote vid?

Um.. I didn't? Click the quote button next to his post and read what he wrote. It's in size=1 tags.

18 Feb 2009, 12:05

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 17716
Location: In your JS exploiting you and your system

revolution

Hey, good find, vid is a naughty boy!

18 Feb 2009, 12:08

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 17716
Location: In your JS exploiting you and your system

revolution

Azu wrote:

revolution wrote:
There are some viruses now that detect for VMs and adjust their behaviour accordingly.
Wouldn't that just be if the VM didn't work exactly like a real environment?

Of course, VMs are not perfect. There are many ways to detect, no problem.

18 Feb 2009, 12:09

Azu

Joined: 16 Dec 2008
Posts: 1159

Azu

revolution wrote:

Azu wrote:

revolution wrote:
There are some viruses now that detect for VMs and adjust their behaviour accordingly.
Wouldn't that just be if the VM didn't work exactly like a real environment?
Of course, VMs are not perfect. There are many ways to detect, no problem.

Won't they be fixed if viruses start using them though? Confused

Or is there some fundamental weakness that an infinite amount of ways can be derived from?

18 Feb 2009, 12:15

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 17716
Location: In your JS exploiting you and your system

revolution

It's the fundamental thing. There are so many things that a VM would have to do to counter all possibilities that it just becomes too complex to solve in any practical way.

Last edited by revolution on 18 Feb 2009, 12:24; edited 1 time in total

18 Feb 2009, 12:19

Azu

Joined: 16 Dec 2008
Posts: 1159

Azu

Ah, damn.

I still think it makes it easier though. Even if it will never be perfect. It's going to detect at least some that wouldn't have otherwise been detected, right? As long as this isn't used in exclusion to other types of detection I mean.

Last edited by Azu on 18 Feb 2009, 12:24; edited 1 time in total

18 Feb 2009, 12:24

vid
Verbosity in development

Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia

vid

Now I am not sure how exactly do you think VMs help viruses. How?

BTW, detection whether you run in VM is quite easily detectable by the VM host Wink

And it is pretty hard to detect whether you are running in VM without being detected doing so. Of course copy protections are "legal" and do such detection too, so it is bit harder.

18 Feb 2009, 12:24

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 17716
Location: In your JS exploiting you and your system

revolution

vid wrote:

Now I am not sure how exactly do you think VMs help viruses. How?

BTW, detection whether you run in VM is quite easily detectable by the VM host And it is pretty hard to detect whether you are running in VM without being detected doing so. Of course copy protections are "legal" and do such detection too, so it is bit harder.

It can be done, but the cost to do it is enormous. People want their VM to be practical to use. Once you start putting in code to simulate contiguous real time, RDTSC, NTP protocol, etc. (just a few of many detection mechanisms) then the VMs become very complex. And with complexity comes bugs and exploits. It is a never ending cycle.

18 Feb 2009, 12:30

vid
Verbosity in development

Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia

vid

I wasn't talking about host remaining hidden from guest, I was talking about host being able to detect when guest is trying tell whether it runs in VM. That is "one level less".

Any timing method is prone to be detected simply by guest doing too many VM-breaks in short time (it has to be done like this in order to prevent cache misses which would look like time consumed by VM break, and to multiply tiny time taken by host to handle virtualization to something mesureable).

Quote:

simulate contiguous real time

what exactly do you mean by this?

18 Feb 2009, 12:39

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 17716
Location: In your JS exploiting you and your system

revolution

vid wrote:

Quote:
simulate contiguous real time

what exactly do you mean by this?

That is the clock at the bottom corner of your screen. In a VM there are small but detectable "jumps" in real time. Because the VM is running in a host OS so the host will use some time for itself and the VM stops, but real time still ticks on regardless.

18 Feb 2009, 12:43

vid
Verbosity in development

Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia

vid

Quote:

In a VM there are small but detectable "jumps" in real time.

In "heavyweight" VMs maybe yes. Before going on in debate, I quess I will need answer to my question "Now I am not sure how exactly do you think VMs help viruses. How?" because I don't know which scenario are we talking about (virus as a host, AV as host, or what?)

18 Feb 2009, 13:13

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 17716
Location: In your JS exploiting you and your system

revolution

The basic scenario is: Virus in a VM says "I'm in a VM so don't do a bad thing". Then later virus in a real machine says "I'm running for real, do the wild thing".

And the virus doesn't care what the host VM is, AV scanner, VPC, VMWare, Bochs, whatever, any VM will mean no bad behaviour.

18 Feb 2009, 13:17

vid
Verbosity in development

Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia

vid

And that should be as a defense against AV which will be a VM host?

Making AV as a VM host sounds VERY hypothetical to me. Will the AV have custom lightweight VM host, or will it work as a part of something existing, like VMware or XEN?

18 Feb 2009, 13:26

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 17716
Location: In your JS exploiting you and your system

revolution

Sure, many AVs have VM capabilities. Mostly software based, like Bochs. No great feat really. Debug your favourite AV and you will see it happening.

18 Feb 2009, 13:29

Azu

Joined: 16 Dec 2008
Posts: 1159

Azu

revolution wrote:

vid wrote:
Now I am not sure how exactly do you think VMs help viruses. How?

BTW, detection whether you run in VM is quite easily detectable by the VM host And it is pretty hard to detect whether you are running in VM without being detected doing so. Of course copy protections are "legal" and do such detection too, so it is bit harder.
It can be done, but the cost to do it is enormous. People want their VM to be practical to use. Once you start putting in code to simulate contiguous real time, RDTSC, NTP protocol, etc. (just a few of many detection mechanisms) then the VMs become very complex. And with complexity comes bugs and exploits. It is a never ending cycle.

Would it really be to much overhead to emulate RDTSC? And why need to simulate contiguous real time.. why not just accept it running slower then host OS? Isn't the only point of skipping it ahead so it's in sync with the host OS that it's better that way for the human using it? When it's automatic mini VM ran by AV without user seeing it and it gets torn down shortly after, kind of pointless..

18 Feb 2009, 15:29

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 17716
Location: In your JS exploiting you and your system

revolution

There are many interactions that a VM has a hard time to emulate completely. Too complex to explain here, there are many websites around explaining various methods of detection. Some methods are VERY hard to counteract, others quite easily, but all require some compromises in the VM and make it a lot more complex.

18 Feb 2009, 15:40

bitRAKE

Joined: 21 Jul 2003
Posts: 3056
Location: vpcmipstrm

bitRAKE

I was thinking more about using the VM for testing/improving the virus. It isn't a big chore to run a small network on a single PC with various guests. Any smart virus writer would try to increase the surface area of the virus - not the depth/complexity (no need to detect the VM).

(vid, if you want to share your fantasies in private - send me some pics sweety.)

_________________
¯\(°_o)/¯ unlicense.org

18 Feb 2009, 16:36

Azu

Joined: 16 Dec 2008
Posts: 1159

Azu

bitRAKE wrote:

I was thinking more about using the VM for testing/improving the virus. It isn't a big chore to run a small network on a single PC with various guests. Any smart virus writer would try to increase the surface area of the virus - not the depth/complexity (no need to detect the VM).

That's what I thought you meant when I made my first reply, but then I thought I assumed wrong when everyone started talking about anti virus lol..

18 Feb 2009, 16:39

Borsuc

Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania

Borsuc

Azu wrote:

If you mean things like WINE.. then no.

Wine Is Not an Emulator Razz

_________________
Previously known as The_Grey_Beast

14 Mar 2009, 18:13

Goto page Previous 1, 2, 3, 4 Next

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum