2

CPUID is an instruction that identifies CPU type and features.

Has there ever been a case of malware in the wild either targeting or, the opposite, ignoring specific CPUIDs?

forest
Sir Muffington
  • Small nitpick, but CPUID is an instruction that can return quite a bit of information about a CPU depending on the contents of certain registers at the time the instruction is executed. It used to supply a serial number, but not anymore. Now it just gives the general type of the CPU and some features. – forest Mar 22 '22 at 20:56
  • @forest great point, feel free to edit the question – Sir Muffington Mar 22 '22 at 20:59

1 Answer

2

Yes, malware sometimes does check CPUID. Reverse engineering of malware has found the use of CPUID as a form of execution guardrails, a technique used by malware to determine whether or not a machine should be targeted. By looking for signs that it is running in a virtual machine (Xen, for example, uses the ASCII string XenVMMXenVMM, exposed via CPUID), malware can attempt to evade reverse engineering or analysis by either refusing to execute, refusing to download a second stage payload, or confusing the analyst by performing dummy actions unrelated to its real purpose.

forest
  • Aha, so the bad boy Stuxnet used this and beyond as well. Fascinating. Any blue team approach recommended? – Sir Muffington Mar 22 '22 at 20:40
  • @SirMuffington An approach to do what? To fool the malware into thinking that it should run in a VM so that it can be analyzed more easily? – forest Mar 22 '22 at 20:40
  • Actually the exact opposite: to fool the malware into thinking it's running on bare metal. Not like the malware can really check whether it's running on a genuine CPU if you fake the CPUID, right? – Sir Muffington Mar 22 '22 at 20:43
  • That's what I meant (to fool the malware into _thinking_ it's a VM). And although you can fake CPUID pretty easily as it's one of the few instructions that can be trapped on vmexit, there are many ways to detect the presence of a virtual machine. There are simple ways to try to hide the existence of the VM [like this](https://securityliterate.com/vboxcloak-hiding-virtualbox-from-malware/), and there are more complex ways that require modifying the hypervisor code itself. It's fundamentally very difficult to _completely_ hide the existence of a virtual machine, no matter how hard you try. – forest Mar 22 '22 at 20:44
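As an added example (not part of the answer or comments above), a small C program that performs the two CPUID checks the answer describes, the hypervisor-present bit and the vendor leaf, so a sandbox builder can see exactly what such a guardrail reads from an analysis VM before deciding what to spoof. The XenVMMXenVMM signature comes from the answer; the KVM, VMware and Hyper-V strings are well-known constants added here, and the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang: __cpuid(leaf, a, b, c, d) executes CPUID */
#endif
#define CPUID_HV_LEAF    0x40000000u  /* hypervisor vendor leaf */
#define CPUID_HV_PRESENT (1u << 31)   /* leaf 1, ECX bit 31 */

/* Decode the 12-byte vendor signature leaf 0x40000000 returns in EBX, ECX, EDX.
 * x86 lays it out little-endian, so decode byte by byte (correct on any host). */
void hv_signature(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xff);
    out[12] = '\0';
}

/* Xen's string is the one the answer cites; the KVM, VMware and Hyper-V constants
 * are equally well known. memcmp rather than strcmp because KVM's is NUL-padded. */
const char *hv_vendor_name(const char sig[12]) {
    if (memcmp(sig, "XenVMMXenVMM", 12) == 0) return "Xen";
    if (memcmp(sig, "KVMKVMKVM\0\0\0", 12) == 0) return "KVM";
    if (memcmp(sig, "VMwareVMware", 12) == 0) return "VMware";
    if (memcmp(sig, "Microsoft Hv", 12) == 0) return "Hyper-V";
    return "unknown/none";
}

/* Hypervisor-present bit first, then the vendor leaf (undefined when the bit is
 * clear). Returns 1 if the bit is set; always 0 on non-x86 (no CPUID there). */
int probe_this_machine(char sig_out[13]) {
    memset(sig_out, 0, 13);
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a, b, c, d;
    __cpuid(1, a, b, c, d);
    if (!(c & CPUID_HV_PRESENT)) return 0;
    __cpuid(CPUID_HV_LEAF, a, b, c, d);
    hv_signature(b, c, d, sig_out);
    return 1;
#else
    return 0;
#endif
}
int main(void) {
    char sig[13];
    int hv = probe_this_machine(sig);
    printf("hypervisor bit %s, signature \"%s\" -> %s\n", hv ? "set" : "clear", sig, hv_vendor_name(sig));
    return 0;
}
```

Run it inside the analysis VM and again after applying a hiding technique such as the one linked in the comments; if the bit is still set or the signature still decodes, this particular check is still visible to the sample.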