Hardening Stealthy VMware VMs for Secure Malware Analysis (2024)

Malware analysis is a critical practice in cybersecurity, but it can be risky if not done correctly. Running malware in a live environment can have unintended consequences, so it's essential to use a secure and isolated environment. VMware virtual machines (VMs) are a popular choice for malware analysis due to their flexibility and isolation capabilities. However, to truly ensure the safety of your host system and prevent the malware from escaping the VM, it's crucial to harden the VM's isolation.

Isolation Methods

There are multiple methods to create isolated laboratory environments for safe analysis practice. These methods can be categorized into three main groups:

  1. Hardware-Based Isolation:
     - Air-Gapped Systems: This method completely severs the VM from any network connection, creating a physical island. It offers the highest level of isolation but necessitates manual data transfer via physical media like USB drives.
     - Isolated Physical System: For maximum security, completely disconnected physical systems, separate from the main network and other devices, can be used. This offers the ultimate isolation but can be impractical due to resource requirements and data transfer limitations.
  2. Hardware-Software Based Isolation:
     - Virtual Machines (VMs): The most common approach to malware analysis revolves around virtualization. Platforms like VMware, VirtualBox, and KVM enable the creation of isolated virtual machines (VMs), essentially separate operating systems within a single host system. This segregation offers several advantages, including containment, customization, and snapshotting.
     - Sandboxes: Sandboxes offer a more specialized approach to malware containment. They create highly restricted environments designed explicitly for malware execution. This focus provides resource restrictions, behavioral monitoring, and automation and integration features.
     - Containerization: Containerization offers a lighter-weight option compared to full VMs. Technologies like Docker and Kubernetes create isolated containers for applications and their dependencies, providing resource efficiency, process isolation, and scalability and collaboration benefits.
  3. Hybrid Approaches: Hybrid approaches combine multiple isolation techniques for enhanced security and flexibility. Tailor the approach to specific malware characteristics and analysis needs.

Focusing on VMware VMs

This article will focus on hardening VMware VMs, specifically those created in the readily available VMware Workstation. While recognizing the value of tools like KVM/QEMU and Unicorn for expert analysts, this article will prioritize the fundamental techniques applicable within VMware Workstation.

Creating a Stealthy VM


A Stealthy VM refers to a virtual machine (VM) specifically hardened and configured to be as invisible and resistant to detection as possible. The goal of a Stealthy VM is to prevent malware from recognizing it as a virtual environment, limit its ability to interact with the outside world, and facilitate safe and effective analysis.

The Hypervisor-Phantom repository serves as a platform for exploring and developing hypervisor-based security solutions. It contains code, documentation, and resources related to the project: https://github.com/Scrut1ny/Hypervisor-Phantom

Hardening Techniques

To create a Stealthy VM, various hardening techniques can be employed:

  1. Dedicated Virtual Network Isolation: Isolate the VM from your main network to prevent potential breaches.
  2. Resource Control: Limit the VM's access to CPU, memory, and disk space to mimic a realistic system and hinder the malware's ability to exploit resources.
  3. Hardening Scripts and Tools: These inject fake hardware identifiers, modify registry entries, and obfuscate the VM's footprint.
  4. Snapshots and Checkpoints: Regularly take snapshots of the VM's state before and during analysis. This allows you to quickly revert to a clean state if the malware exhibits unexpected behavior or attempts to escape the VM.
  5. Hypervisor Masking: Modify hypervisor flags in the VM's CPUID. This involves changing the VM configuration to prevent the hypervisor from reporting its presence to the guest OS.
  6. Timing Attacks Mitigation: Ensure accurate timekeeping to avoid inconsistencies that could expose the VM's artificial nature.
  7. Redirection of I/O Requests: Customize the handling of I/O requests to mimic physical hardware.
  8. Randomizing Hardware Properties: Randomize properties such as disk and network device models, serial numbers, and firmware versions to avoid common VM signatures.
  9. Manipulating System Files and Registry Entries: Alter or remove files and registry entries that are typically associated with virtualization software.
  10. Disable Unnecessary Features: Disable unnecessary services and devices like CD-ROM drives, floppy drives, and unused network adapters.
  11. Configure Security Settings: Harden your host and the VM's operating system by enabling strong passwords, disabling unnecessary accounts, and applying security patches.
  12. Use Anti-VM Detection Countermeasures: Some malware can detect that it's running in a virtual environment. Tools like VMwareHardenedLoader can help mask the VM's identity and make it appear as a physical machine to the malware.

Additional Considerations

In addition to the hardening techniques, consider the following:

  • Monitor the VM: Continuously monitor the VM's activity for suspicious behavior. Use tools like intrusion detection systems (IDS) or endpoint protection software to detect malware execution or network anomalies.
  • Practice Safe Analysis Techniques: Follow best practices for malware analysis, such as using disposable VMs, analyzing samples in a read-only mode, and avoiding direct interaction with the malware.
  • Stay Informed: Keep up-to-date on the latest malware trends and techniques. This will help you adapt your hardening strategies and stay ahead of attackers.

Outsmarting Anti-VM Techniques

Malware authors are constantly looking for new ways to evade detection and analysis. One common technique is to try to detect whether the malware is running in a virtual machine (VM) environment. If the malware can detect that it is running in a VM, it can take steps to avoid detection or analysis.

There are a number of ways that malware can detect VMs. Some common methods include:

  1. System Information and Hardware Fingerprinting: Malware can scrutinize hardware identifiers, processor information, and BIOS signatures.
  2. Registry and File System Checks: Certain directories, files, or registry keys are specific to virtual environments.
  3. Network Adapter and MAC Address Analysis: Virtual network adapters often have distinct MAC addresses or network configurations compared to physical ones.
  4. Resource Availability and Performance Profiling: VMs typically have limited resources and exhibit specific performance characteristics.
  5. Time-Related Anomalies: Timekeeping within VMs can be slightly different from real systems.

To counter these anti-VM techniques, various measures can be taken, such as disabling or enabling specific policies in the VM configuration, masking hardware identifiers, using tools to modify hardware signatures, and employing kernel-mode debugging.

Advanced Techniques and Tools

For more advanced techniques and tools, GitHub hosts several repositories that provide scripts, tools, and guides on implementing low-level tricks to further harden the VM's stealthiness.

Staying Ahead of the Game

The battle between malware authors and security researchers is an ongoing arms race. New anti-VM techniques emerge constantly, necessitating continuous adaptation and vigilance. Staying informed about the latest trends in malware detection and evasion, employing a layered approach to VM hardening, and actively testing your analysis environment's security are crucial to maintaining a secure and effective malware analysis sandbox.

Some tips for creating a Stealth VM that might be useful.

Static analysis always comes first: before launching into dynamic analysis of a malware sample, static analysis is the first step to learn what we are facing. If in the process you find something like this:

xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
mov eax, 12345678h
nop
mov ebx, eax
nop
mov eax, 564D5868h    ; The magic number "VMXh" to check for VMware
mov ecx, 0Ah          ; Command 0Ah in ecx to get VMware version
mov edx, 5658h        ; The magic I/O port "VX"
xor ebx, ebx
nop
in eax, dx            ; If VMware is present, this will modify the eax register
cmp eax, 564D5868h
je not_vmware
not_vmware:
    ; Code to execute if not running under VMware
end:
    ; End of the routine or further processing

The probability that you are seeing a possible VM detection technique is high.


Hardware Fingerprinting

Remember, these tricks make your VM harder to see, but they might also make it harder to use. Choose wisely!

During analysis, remove VMware Tools. Malware might look for processes like "VMwareService.exe", "VMwareTray.exe", or "VMwareUser.exe" to sniff you out.

In your VM settings, disable "shared folders". This cuts the file connection between your main computer and the VM, keeping things separate.

In the VM's VMX file, consider disabling the hypervisor CPUID leaf to prevent malware from querying CPU features that reveal virtualization:

  1. Right click on the VM -> Open VM directory
  2. Select the corresponding VMX file and open it with Notepad
  3. Add or change the line:

hypervisor.cpuid.v0 = "FALSE"

Prevent programs from detecting the virtual environment through complex checks such as monitoring memory address space and counters.

hypervisor.cpuid.v0 = "FALSE"
board-id.reflectHost = "TRUE"
hw.model.reflectHost = "TRUE"
serialNumber.reflectHost = "TRUE"
smbios.reflectHost = "TRUE"
SMBIOS.noOEMStrings = "TRUE"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"

UPDATE: For newer versions of VM detection systems like Themida, it is necessary to add the following configurations:

cpuid.disable_apicExtRegs = "TRUE"
monitor_control.enable_fullcpuid = "TRUE"
SMBIOS.assettag = "IBM Corporation"
SMBIOS.useShortSerialNumber = "TRUE"
checkpoint.vmState.readOnly = "FALSE"
cpuid.1.eax = "0f400000"
cpuid.1.ecx = "065e6674"
cpuid.1.edx = "76657269"
monitor_control.restrict_backdoor = "TRUE"
monitor_control.enable_extended_core = "true"
monitor_control.enable_paravirt = "true"
monitor_control.virtual_rdtsc = "false"
ethernet0.networkName = "lan1"
smc.present = "FALSE"
tools.syncTime = "TRUE"
mks.enable3d = "FALSE"

These configurations help in evading detection from advanced VM detection mechanisms implemented by software like Themida, enhancing the stealth aspect of the virtual machine in environments where detection avoidance is critical.

To mask hardware identifiers, use tools like the VMwareHardenedLoader driver by hzqst (hosted on GitHub) or custom scripts to modify hardware signatures, chipset information, BIOS version, SMBIOS tables, a real computer's BIOS firmware and other potentially identifiable data. For example, the VM can be pointed at a BIOS image dumped from a physical machine:

bios440.filename = "C:\WS_DELL_BIOS.ROM" 

Naturally, some of the characteristics will be taken from the host, but some malware samples extract signatures and data from the BIOS.

Debugging outside of the VM

One of the great advantages of VMs is the debugging outside of a VM using a virtual COM port.

serial0.fileType = "pipe"
serial0.yieldOnMsrRead = "TRUE"
serial0.fileName = "\\.\pipe\KernelDbg"
serial0.present = "TRUE"
serial0.tryNoRxLoss = "TRUE"


Network Adapter and MAC Address

Malware can detect a VM by examining the MAC address range, which is often specific to virtual network adapters. Before starting the VM, configure a custom MAC address: manually set one that does not belong to a known virtual network adapter vendor.

ethernet0.address = "Some random mac address" 
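As an added example (not code from the article, from VMware, or from any tool it names), here is a small Python audit that parses a .vmx file and reports which of the stealth settings above are missing or mis-set, and whether any ethernetN.address still begins with an OUI registered to VMware (00:50:56, 00:0C:29, 00:05:69, 00:1C:14). The RECOMMENDED subset and the sample VMX text are constructed for this example.

```python
"""Audit a VMware .vmx file for the stealth settings discussed above.
Added example, not code from the article or from VMware; VMX keys are
treated as case-insensitive here (the article itself mixes SMBIOS/smbios)."""
import re

# Subset of the article's recommended settings and their expected values.
RECOMMENDED = {
    "hypervisor.cpuid.v0": "FALSE",
    "board-id.reflectHost": "TRUE",
    "hw.model.reflectHost": "TRUE",
    "serialNumber.reflectHost": "TRUE",
    "smbios.reflectHost": "TRUE",
    "isolation.tools.getVersion.disable": "TRUE",
    "monitor_control.restrict_backdoor": "TRUE",
}
# OUI prefixes registered to VMware; a guest can simply match on these.
VMWARE_OUIS = ("00:50:56", "00:0c:29", "00:05:69", "00:1c:14")
_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def audit_vmx(text):
    """Return a list of findings; an empty list means every check passed."""
    settings = parse_vmx(text)
    findings = []
    for key, wanted in RECOMMENDED.items():
        actual = settings.get(key.lower())
        if actual is None:
            findings.append(f'missing: {key} (expected "{wanted}")')
        elif actual.upper() != wanted:
            findings.append(f'wrong value: {key} = "{actual}" (expected "{wanted}")')
    for key, value in settings.items():
        if re.fullmatch(r"ethernet\d+\.address", key) and value.lower().startswith(VMWARE_OUIS):
            findings.append(f'VMware OUI in {key} = "{value}"')
    return findings

# Constructed sample: a VMX that has most settings right but still leaks.
SAMPLE_VMX = """\
hypervisor.cpuid.v0 = "FALSE"
board-id.reflectHost = "TRUE"
hw.model.reflectHost = "TRUE"
serialNumber.reflectHost = "TRUE"
smbios.reflectHost = "TRUE"
isolation.tools.getVersion.disable = "FALSE"
ethernet0.address = "00:0C:29:4A:1B:2C"
"""

if __name__ == "__main__":
    for finding in audit_vmx(SAMPLE_VMX):
        print(finding)
```

Run audit_vmx on your own VMX text before powering the VM on. Note that VMware Workstation rejects a manually set MAC outside its own 00:50:56:00:00:00 to 00:50:56:3F:FF:FF range unless ethernet0.checkMACAddress = "FALSE" is also present.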

Create separate virtual networks (Isolate virtual networks) for analysis VMs to minimize network interaction with the host system.


Resource Availability and Performance Profiling

Assign CPU cores, memory, and disk space that closely resemble a physical machine's configuration.

vmware.disableGa = "TRUE"
smbiosprovider.disable = "TRUE"
SMBIOS.excludeHardwareStrings = "TRUE"
isolation.tools.setHWVersionExt.disable = "TRUE"
isolation.tools.setHWVendor.disable = "TRUE"
isolation.tools.disableTimekeeping = "TRUE"
isolation.tools.disableRand = "TRUE"
isolation.tools.disableHvCounters = "TRUE"
isolation.tools.setOSVersion.disable = "TRUE"

Some of these options depend on your goals.

Hide virtual disk

One common way malware detects a VM is through the virtual hardware's identifiers. Modify the registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum 

Remove references to 'VMware', 'Virtual', or 'Ven'. Additionally, replace instances of 'VMware' or 'Virtual' throughout the registry with terms like 'Intel' or 'IBM'.

By modifying scsi0:0.productID and scsi0:0.vendorID in the VM's .vmx configuration file, replace the default or recognizable virtual identifiers with ones that mimic real hardware:

scsi0:0.productID = "Kinston SSD AADEBBCC1"
scsi0:0.vendorID = "Kinston"

Time-Related Anomalies

Enable time synchronization and configure the VM to synchronize its clock accurately with reliable external time servers. Disable time drift correction to prevent VMware from automatically adjusting the VM's time, which can create inconsistencies.


Advanced techniques and tools

VM-Hiding: A repository for hiding the VM hypervisor from guest operating systems, useful for VM-based VMs.

VMDE: Virtual Machine Detection Evasion tool, which provides various scripts and techniques for evading VM detection.

SandboxEvasion: A collection of techniques for evading detection by sandboxes and VMs.

Additionally, to assess how well your VM is protected against detection, and to learn about other tools used for detecting sandboxes, KVM, and VMs, you can use Pafish (Paranoid fish).


By understanding how malware identifies virtual environments and employing effective countermeasures, we can create a robust defense against their evasive tactics. This allows security researchers to continue their vital work of analyzing and neutralizing new threats, ultimately contributing to a safer digital landscape for everyone. Remember, security is a continuous process, not a one-time fix. Regularly update your knowledge, tools, and VM configurations to stay ahead of the evolving landscape of malware threats.

Another more modern option for assessing the hardening of our work environment is Al-Khaser. Al-Khaser is a comprehensive tool designed to test the resilience and detection capabilities of security environments against various forms of malware and advanced persistent threats (APTs).


This project offers a wide array of checks, including those for VM detection, sandbox evasion, and presence of debugging tools, making it an invaluable resource for security professionals looking to evaluate and improve the defensive posture of their systems. By simulating a range of attack vectors and detection evasion techniques, Al-Khaser helps in identifying potential weaknesses in a system's security setup, thereby facilitating a more robust hardening process.

Tell us about your work laboratory.

  1. Paranoid?
  2. Do you like strong emotions?
  3. Do you prefer sandbox, vm or container?

#MalwareAnalysis #VMHardening #StealthyVM #VMwareWorkstation #VirtualMachineIsolation #DedicatedVirtualNetwork #ResourceControl #HardeningScripts #SnapshotsAndCheckpoints #HypervisorMasking #TimingAttacksMitigation #IORedirection #RandomizingHardwareProperties #SystemFileManipulation #DisableUnnecessaryFeatures #SecuritySettings #AntiVMDeterrence #MonitorVMActivity #SafeAnalysisTechniques #MalwareDetectionEvasion #AntiVMDetection #KernelModeDebugging #AdvancedVMTricks #MalwareArmsRace #CybersecurityBestPractices
