
Can malware detect that it's running in your sandbox?


Batu69


 

If you think an application is suspicious, then you might run it in a sandbox, a virtual machine, maybe use a debugger, and watch what it does. And if nothing happens then that means it’s safe. Right?

 

Well, maybe not. Malware will often try to detect this kind of trickery, and if it thinks it’s being watched, won’t do anything to raise an alarm.

Paranoid Fish is a tiny open-source tool which uses various techniques to detect sandboxes, VMs, debuggers and more. Run it in your testing environment and you’ll get a feel for how transparent it really is.

 

Double-click pafish.exe and the program opens a command window and begins running its tests. These can sometimes take a while -- it may appear to hang for three or four minutes -- but the individual test names and results are displayed as the program works.

 

Although it’s aimed at experts, many of these tests are easy for experienced users to understand. The program looks for VMware registry keys and network adapters, VirtualBox windows and network shares, and uses simple generic checks such as whether the system has a single processor, less than 1GB of RAM, or a hard drive of under 60GB.

 

If you’ve not thought about this before, just browsing these tests may give you some ideas. For example, if you’re creating a VM to test suspicious programs, give it as many CPUs and as much RAM and hard drive space as you can spare.
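The generic checks the article lists (processor count, RAM, disk size, hypervisor registry keys and adapters) can be audited on your own analysis VM before you ever run a sample in it. The script below is an added example written for this thread, not code from the article or from the Paranoid Fish project; the thresholds are the ones the article quotes, while the registry paths and MAC prefixes are the well-known VMware/VirtualBox guest-tools keys and OUIs and are assumptions to verify against your own environment.

```powershell
# Added example: audit an analysis VM for the generic "this is a sandbox" tells
# the article describes, so they can be fixed before a sample notices them.
# Thresholds (1 CPU, <1 GB RAM, <60 GB disk) are from the article; the registry
# keys and MAC OUIs below are assumptions based on common guest-tools installs.
function Test-SandboxTransparency {
    $findings = @()
    $cs = Get-CimInstance Win32_ComputerSystem

    # A single logical processor is one of the simplest tells.
    if ($cs.NumberOfLogicalProcessors -lt 2) {
        $findings += "Only $($cs.NumberOfLogicalProcessors) logical processor(s); assign 2 or more"
    }

    # Less than 1 GB of physical RAM.
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 2)
    if ($ramGB -lt 1) { $findings += "Only $ramGB GB RAM; assign at least 1 GB (more is better)" }

    # Largest attached disk under 60 GB.
    $diskGB = [math]::Round((Get-CimInstance Win32_DiskDrive |
        Measure-Object -Property Size -Maximum).Maximum / 1GB, 0)
    if ($diskGB -lt 60) { $findings += "Largest disk is $diskGB GB; anything under 60 GB is flagged" }

    # Guest-tools registry keys that name the hypervisor outright (assumed paths).
    $toolKeys = @(
        'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools',
        'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions'
    )
    foreach ($key in $toolKeys) {
        if (Test-Path $key) { $findings += "Registry key present: $key" }
    }

    # MAC address prefixes (OUIs) commonly assigned to VMware and VirtualBox NICs.
    $vmOuis = @('00-05-69', '00-0C-29', '00-1C-14', '00-50-56', '08-00-27')
    foreach ($nic in Get-NetAdapter) {
        $prefix = ($nic.MacAddress -split '-')[0..2] -join '-'
        if ($vmOuis -contains $prefix) {
            $findings += "Adapter '$($nic.Name)' has hypervisor MAC prefix $prefix"
        }
    }
    return $findings
}

# Verdict in the same spirit as pafish: OK if nothing gives the environment away.
$result = Test-SandboxTransparency
if ($result.Count -eq 0) {
    Write-Host 'OK - none of the generic checks flagged this machine' -ForegroundColor Green
} else {
    Write-Host 'traced - the following would give an analysis VM away:' -ForegroundColor Red
    $result | ForEach-Object { Write-Host "  - $_" }
}
```

Run it inside the VM as an administrator; each finding maps to a setting you can change in the hypervisor (CPU count, memory, disk size, adapter type) or to guest tooling you may choose not to install.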

 

Other test names are either vague ("Checking file path") or experts-only ("Checking function ShellExecuteExW method 1"), but ignore them -- you don’t have to understand every detail.

 

All that really matters is the verdict after each test. A green "OK" means the program hasn’t detected any anti-malware tricks, but a red "traced" means it’s spotted your monitoring. And malware could, too.

 

Paranoid Fish is a free application for Windows XP and later.

 

Article source


97% of the malware today will not run in a sandbox or a virtual machine and hasn't for about the last 5 years. Not only will it not run but it will delete the payload that you attempt to run. It doesn't make a difference how much resources you give the VM because the software detects that it is a VM and then deletes all traces from the VM. That is why I have 50 x 80GB or larger hard drives imaged with a basic Windows install and use a hot swap device so I can switch boot drives without opening the computer. Every time a piece of malware is run it requires the drive to be changed to run another malware payload. It was much easier when they could be run in a virtual machine or sandbox, but we lost that advantage years ago. It makes it much more expensive to do malware research so we buy bulk refurbished drives from the manufacturers. When the average monthly malware payload collection can exceed 12GB compressed you can see that it would take forever to test all of them so only the most observed are actually tested. The process of cleaning a used drive requires special equipment that does 12 drives at a time, wiping them multiple times, checking the firmware, low level formatting, and then imaging with the OS to ensure the drives are clean.



1 hour ago, straycat19 said:

97% of the malware today will not run in a sandbox or a virtual machine and hasn't for about the last 5 years. Not only will it not run but it will delete the payload that you attempt to run. It doesn't make a difference how much resources you give the VM because the software detects that it is a VM and then deletes all traces from the VM. That is why I have 50 x 80GB or larger hard drives imaged with a basic Windows install and use a hot swap device so I can switch boot drives without opening the computer. Every time a piece of malware is run it requires the drive to be changed to run another malware payload. It was much easier when they could be run in a virtual machine or sandbox, but we lost that advantage years ago. It makes it much more expensive to do malware research so we buy bulk refurbished drives from the manufacturers. When the average monthly malware payload collection can exceed 12GB compressed you can see that it would take forever to test all of them so only the most observed are actually tested. The process of cleaning a used drive requires special equipment that does 12 drives at a time, wiping them multiple times, checking the firmware, low level formatting, and then imaging with the OS to ensure the drives are clean.

 

That sounds cool to hot swap hard drives and have multiple Windows installation backups in case something happens, but if malware is that smart to detect you're using a virtual machine then we are smarter!

 

How?

By working in a virtual machine the whole time. I actually managed to do this some time ago but for another reason. What I mean is not a Type-2 hypervisor like VMware Workstation or VirtualBox, because they work above the OS layer. What you need is a bare-metal hypervisor like VMware vSphere ESXi, which works at the hardware level. So vSphere is a Type-1 hypervisor, but it requires two physical machines to set up and work, so it's not really a cost-effective option. We need a hypervisor that allows you to work on the VMs created in it from the same physical machine. ESX doesn't do this. The best you can do is probably get to a maintenance shell, which is not meant for everyday use.

 

Hyper-V Server does this. (not the one included in Windows Server 2012)

 

P.S.

As far as why,

keep in mind ESX and such are enterprise products.

IT support/people already remote into servers, therefore they will be remoting into the VMs as well. No one is typically at a datacenter working from a local console. Providing a console/display at the local system is not a priority and would only be done if a severe problem arose.

Businesses are interested in virtualization mostly for the purpose of moving physical systems to VMs in order to reduce hardware costs. So ESX and such want to be as thin as possible to keep overhead as low as possible, to support hosting many systems at once.

 

So in a nutshell, go for Hyper-V Server :chug:
