
Avoiding VMware

  • Posted on: 7 November 2005
  • Threat category: Uncategorized
  • Author: Virus analyst

Most malware uses anti-debugging techniques to avoid detection or
make analysis harder. One example is calling the API
IsDebuggerPresent; apart from SEH tricks, this API seems to be the
favorite choice of malware.


But I just found out a new anti-debugging technique (at least new
in my book, as I'm still a beginner in the AV business… :p)


VMware, a popular multi-function virtualizer for Windows and Linux,
is one of the tools used in this kind of business. Sadly enough,
with just a little code, a malware can identify whether it is running
on a VMware machine rather than on the real environment.


The malware can just check this registry key:


HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools


If it exists, the malware automatically creates a batch file to
delete itself, leaving no trace of it ever having run. So for the
Service Team: don't always trust your VMware results.


Or you can also just rename the registry key to, say,


HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools1


After renaming this registry key, I tested the malware again and it
now executed as it would in a normal environment.
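The check and the workaround described above, as an added example for hardening an analysis VM (this is not code from the original post; the key path is the one the post names, the `-Rename` switch and the `VMware Tools1` name follow the post's own suggestion):

```powershell
# Added example, not part of the original post: on an analysis VM, report whether
# the VMware Tools registry key a sample might look for is present, and optionally
# rename it (as the post does) so that this particular key-based check comes up empty.
# Run from an elevated PowerShell prompt on a VM snapshot you can revert.
param(
    [switch]$Rename
)

# Key path as given in the post; 'VMware Tools1' is the renamed key the post used.
$KeyPath = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools'
$NewName = 'VMware Tools1'

function Test-VMwareToolsKey {
    # Returns $true when the key exists, i.e. a sample checking it would spot VMware.
    return Test-Path -LiteralPath $KeyPath
}

if (Test-VMwareToolsKey) {
    Write-Host "[!] $KeyPath exists: a sample that checks this key would detect VMware."
    if ($Rename) {
        # Rename-Item works on registry keys through the HKLM: provider.
        Rename-Item -LiteralPath $KeyPath -NewName $NewName
        Write-Host "[+] Renamed to '$NewName'. Re-run the sample and compare behaviour."
    }
} else {
    Write-Host "[+] $KeyPath not found: this registry check would come up empty."
}
```

Renaming the key only neutralises the single check the post describes, and it may interfere with VMware Tools itself, so revert to the snapshot when the analysis is done.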


The malware that I'm talking about here has already been passed to
the service team and word is, it would be detected as
WORM_SDBOT.COQ.
