How can I make my OS appear as if it is running virtualized?

10

2

A lot of malware these days is able to detect when it is running virtualized under VMware, VirtualPC, WINE, or even in a sandbox such as Anubis or CWSandbox.

This essentially means that malware will often "hold back" or not function maliciously when running in a virtual environment in order to thwart analysis of its true intentions.

My thought is then, why not make your PC appear as if it is virtualized? Does anyone know how I might be able to go about this?

Mick

Posted 2009-07-25T21:06:50.077

Reputation: 1 651

Is simply "run your OS in a VM or hypervisor" too obvious an answer? – Marc Gravell – 2009-07-25T21:13:51.217

Because I want to make the PCs in my environment appear to malware as if they are a VM. By doing this, my hope is that malware that chooses not to run inside of a VM (to prevent analysis) will assume this system is virtualized, and therefore simply an analyst's testbed... and not run itself. It's part of a defense-in-depth strategy... just an additional layer. – None – 2009-07-26T17:39:54.793

Answers

9

This is not a good technique. Relying on malware to behave nicely because it might be under the microscope is a bit like relying on cats to stay put because you told them to. It's an interesting idea, but one which is not worth implementing as an anti-malware solution.

That said, as Marc suggested - just actually run your OS in a VM or hypervisor, if you want malware to behave itself as if it is in a virtualized environment. The performance hit is the tiny price you pay for such enhanced peace of mind.

One other item of note is that there are a fair number of legitimate desktop apps which don't work under VMs because their DRM thinks they might be in the process of being reverse engineered. The usability hassle from that would be terrible.

Paul McMillan

Reputation: 826

"One other item of note is that there are a fair number of legitimate desktop apps which don't work under VMs because their DRM thinks they might be in the process of being reverse engineered." Can you add an example? I'd love to see one of those apps. – Manuel Ferreria – 2009-07-25T21:43:10.283

Securom on most any newer game, for starters. – Paul McMillan – 2009-07-26T09:09:03.760

Thanks for the comments. This idea popped into my head as a possible way to make it harder for my systems (tens of thousands) to become infected with malware. Even with up-to-date anti-virus products, firewalls (software and hardware), and NIDS/HIDS, there are still trojan downloaders that can cause headaches. Thanks for your opinions... this sounds like it may not be a real bright idea! – None – 2009-07-26T17:43:34.053

Oddly I now feel compelled to post a video I made of my cat staying put because I told it to. Granted, its behavior shocked me. – dlamblin – 2009-07-27T19:38:34.837

0

That is an interesting subject. CodeProject had an article about how to detect whether your program was running inside a VM, here. It looks as if the VMware approach might be the easiest to fake, since it involves accessing a port to communicate with the host.

R Ubben

0

The nature of malware dictates that sooner or later, probably sooner, the malware writers will be able to detect if you are faking a virtualized OS. It's only a matter of time. I would concentrate my efforts elsewhere.

jinsungy

Reputation: 128

That would only happen if everyone would start to fake a virtualized OS. A few hackers wouldn't be worth the trouble. – Christian – 2009-08-04T17:27:35.780

0

For Linux there are Perl scripts like virt-what and imvirt. Have a look at the last one at http://micky.ibh.net/~liske/imvirt.html

StarWind Software

-1

Why are you installing questionable software on your system? I think the best security practice is to use or purchase software from reliable sources (the vendor itself or a reliable open source community). In addition, buy a good security solution; I have NOD32 and have never, not even once, had an issue.

Richard Clayton

Reputation: 101

Because I am doing malware analysis for my employer. I want to know what the malware is attempting to access, and if it is downloading additional payloads. I can't know this if I can't easily analyze it. If it detects a VM (which is easy), then using a VM is of little use. – None – 2009-07-26T17:37:56.920