ayoubfaouzi / al-khaser

Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
GNU General Public License v2.0

Anti-VM - VM identifiers in disk enums #191

Status: Closed (recvfrom closed this issue 4 years ago)

recvfrom commented 5 years ago

From [1], disk enums in HKLM\System\CurrentControlSet\Services\Disk\Enum sometimes contain strings like Virtual, VMW, or Vbox, which some malware uses as an anti-VM check. Would it be worth also checking for this in al-khaser?

[1] https://cofense.com/kutaki-malware-bypasses-gateways-steal-users-credentials/

Waterman178 commented 5 years ago

good idea

recvfrom commented 5 years ago

Another example [2]: Smokeloader checks System\CurrentControlSet\Services\Disk\Enum\IDE and System\CurrentControlSet\Services\Disk\Enum\SCSI for qemu, virtio, vmware, vbox or xen.

[2] https://research.checkpoint.com/2019-resurgence-of-smokeloader/
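The check requested in the two comments above, written out as an added example for sandbox operators who want to see whether their own VM leaks these strings (this is not al-khaser's code, nor code from either linked report). The registry subkeys and the marker list are exactly the ones named in the thread; the function names `find_vm_markers`, `read_values` and `scan` are my own, and the sample registry values are constructed with placeholder instance IDs. The matcher is kept separate from the registry read so it can be exercised on any platform; `winreg` is imported lazily and a missing subkey (for example if `Enum\IDE` does not exist on a given build) is reported as absent rather than raising.

```python
"""Report VM identifier strings in the Disk\\Enum registry keys (added example, not al-khaser's code)."""
import sys

# Subkeys under HKLM named in the thread (the first from [1], the other two from [2]).
DISK_ENUM_SUBKEYS = (
    r"SYSTEM\CurrentControlSet\Services\Disk\Enum",
    r"SYSTEM\CurrentControlSet\Services\Disk\Enum\IDE",
    r"SYSTEM\CurrentControlSet\Services\Disk\Enum\SCSI",
)

# Substrings quoted in the thread, compared case-insensitively.
VM_MARKERS = ("virtual", "vmw", "vbox", "qemu", "virtio", "vmware", "xen")

# Constructed sample data (placeholder instance IDs), shaped like the "0", "1", "Count",
# "NextInstance" values a real Disk\Enum key holds.
SAMPLE_VM_VALUES = [
    ("0", "IDE\\DiskVBOX_HARDDISK___________________1.0_____\\5&EXAMPLE&0&0.0.0"),
    ("1", "SCSI\\Disk&Ven_VMware&Prod_Virtual_disk\\4&EXAMPLE&0&000000"),
    ("Count", 2),
    ("NextInstance", 2),
]
SAMPLE_BARE_METAL_VALUES = [
    ("0", "IDE\\DiskST1000DM003-1CH162______________________CC47\\5&EXAMPLE&0&0.0.0"),
    ("Count", 1),
    ("NextInstance", 1),
]


def find_vm_markers(values):
    """Return (value_name, data, marker) for every string value that contains a marker.

    Only REG_SZ / REG_MULTI_SZ data is inspected; numeric values such as Count are skipped.
    The first matching marker in VM_MARKERS order is reported for each value.
    """
    hits = []
    for name, data in values:
        texts = data if isinstance(data, list) else [data]
        joined = " ".join(t for t in texts if isinstance(t, str)).lower()
        if not joined:
            continue
        for marker in VM_MARKERS:
            if marker in joined:
                hits.append((name, data, marker))
                break
    return hits


def read_values(subkey):
    """Enumerate (name, data) pairs under HKLM\\<subkey>; [] if off Windows or the key is absent."""
    try:
        import winreg  # Windows only; imported lazily so find_vm_markers stays usable elsewhere
    except ImportError:
        return []
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_READ)
    except FileNotFoundError:
        return []  # subkey does not exist on this build; treated as "absent", not an error
    values = []
    with key:
        index = 0
        while True:
            try:
                name, data, _reg_type = winreg.EnumValue(key, index)
            except OSError:
                break  # ERROR_NO_MORE_ITEMS ends the enumeration
            values.append((name, data))
            index += 1
    return values


def scan(subkeys=DISK_ENUM_SUBKEYS):
    """Map each subkey to the list of leaking values found under it."""
    return {sub: find_vm_markers(read_values(sub)) for sub in subkeys}


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        print("Registry scan only runs on Windows; showing the constructed sample instead.")
        print(find_vm_markers(SAMPLE_VM_VALUES))
        sys.exit(0)
    for sub, hits in scan().items():
        print(f"HKLM\\{sub}: {'LEAKS' if hits else 'clean or absent'}")
        for name, data, marker in hits:
            print(f"  value {name!r} contains {marker!r}: {data}")
```

Run it on the VM under test; any line marked LEAKS names a value whose data an anti-VM check of this kind would flag, which is the same information al-khaser reports for its other registry-based checks.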

ayoubfaouzi commented 5 years ago

Hello @recvfrom

Thanks! I will add those in the next release.

Cheers.