[Q] Detecting virtualisation

I think that it it not practically possible to detect reliably, using a piece of code, that the code is running inside a virtual machine.

But apparently there are ways to make a good guess – for example, by looking at the devices that are typical for certain VM environment (like S3 Trio64 video card in MS VPC), or virtual machine extensions installed in the guest OS.

This time I have two questions:

  1. Any other ways to detect that the code is running in a VM?

  2. Why malware tries to do that? It does, according to Sandi Hardmeier, a great spyware fighter and a MVP.
There’s a reason I’m asking. I believe that VM technology will help a lot bypassing an endpoint security system in a targeted attack. Virtualisation is an interesting and welcome change in the world of information security – and hacking.

4 thoughts on “[Q] Detecting virtualisation”

  1. Hi Slav,

    My current Web site is http://www.ie-vista.com 🙂

    Many malware simply won’t install on a VM, rbot and sdbot family can tell if it is being installed in a VM.

    It was suggested on a spyware list that you could detect a VM by calling WIN32_ComputerSystem and WIN32_BIOS.

  2. Thanks Sandi. It is clear that malware tries to detect VM. It’s not completely clear – why? Is it a honeypot avoidance technique? If so, we may need smarter honeypots.

    Some organisations consider VM environments as security threat. Client software of Webmoney, an alternative payment system used by many criminals, blocks electronic wallet if it detects VMWare.

    So the big question is – is VM a security threat or it’s good for security? Ironically, it’s both.

  3. Interesting. I guess malware will be virtualised and can impact code within same Thinstall package. At least that is how it should work…

Leave a Reply

Your email address will not be published. Required fields are marked *