Thread-topic: FYI: Malware Writers Add VM Detection Technology
Take a look at
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf, which
Skoudis references; everything is well described there.
> --Malware Writers Add VM Detection Technology
> (20 November 2006)
> Malware creators have begun incorporating the ability to detect virtual
> machines (VM) into their products. A SANS Internet Storm Center (ISC)
> analyst reported that "three of 12 malware specimens recently captured
> in [their] honeypot refused to run in VMware." The malware writers are
> trying to prevent researchers from testing the malware in a safe
> setting. The problem can be addressed either by patching the malware
> so it doesn't look for signs of VM environments, or by making changes
> to the VM environment that will trick the malware.
> http://isc.sans.org/diary.php?storyid=1871
> http://www.techweb.com/article/printableArticle.jhtml;?articleID=194700014&site_section=700027
> [Editor's Note (Skoudis): In addition to mentioning the fine work of
> Lenny Zeltser, this article cites a presentation that Tom Liston and I
> gave at SANS FIRE in July 2006 on how to thwart VM detection. In that
> presentation, Tom and I provide a list of about a dozen undocumented VMX
> configuration file settings that we uncovered in our research to defeat
> almost all current methods of VMware detection in the wild (The Red
> Pill, Jerry, etc.). Malware researchers can use the options covered in
> that presentation to dodge the current generation of VM-detecting
> malware. Please note, though, that these options break all of those
> nifty VM tools functions, like drag-n-drop, shared files, and
> copy-and-paste. On the positive side, most malware researchers don't
> need those functions when analyzing malware in VM guests.]
>
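For reference, this is the shape of the .vmx additions the Skoudis note is talking about. It is an added example, not text from the ISC diary or from the Liston/Skoudis paper; the key names are reproduced from memory of that paper's list and should be checked against the PDF linked above before you rely on them. The lines are appended to the guest's .vmx file while the VM is powered off:

```ini
# Added example (not from the page). Key names as recalled from the
# Liston/Skoudis paper; verify against the PDF. VMware treats unknown
# keys as no-ops, so a misspelled key silently does nothing.

# Cut the guest-to-host "backdoor" services that VMware Tools uses.
# This is what disables drag-and-drop, shared folders and clipboard,
# exactly the side effect the editor's note warns about.
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"

# Change how the monitor executes guest code so that timing and
# descriptor-table tricks (the Red Pill family) no longer stand out.
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
```

Two caveats worth keeping in mind: these keys were undocumented in 2006 and target VMware's binary-translation monitor, so on a host running the guest under hardware-assisted virtualization several of the monitor_control entries have no effect; and none of them hide the more mundane fingerprints (VMware MAC address prefixes, virtual device and driver names), which need to be handled separately in the guest. Snapshot the analysis VM before and after the change so the working state can be restored if a setting turns out to be wrong for your VMware version.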