All of us here are (hopefully) familiar with the evasive strategies used by malware. A favorite resource I like to cite when discussing evasion is AVLeak by Blackthorne et al. ([paper](https://www.usenix.org/system/files/conference/woot16/woot16-paper-blackthorne.pdf), [talk](https://youtu.be/a6yOwvFds78)), and in short it leverages blackbox attacks against endpoint malware detection tools, which today largely rely on emulation or virtualization in order to defeat obfuscation. After attacking emulators and VMs in this way, researchers were able to demonstrate the ability to create effective signatures to detect and therefore evade (behave nicely within) these emulated and virtual environments without any need to reverse engineer AVs. Upon sufficient research and thought into this subject, it is apparent that software-based behavior analysis within VMs and emulators is fundamentally disadvantaged, where the attacker must exert far less effort than the defender to win the cat-and-mouse game. Blue-teamers are familiar with this disadvantage in all aspects of cyber-security.

One thing I noticed in Virus Total signature results interested me deeply. Some of the vendors reported that the malware behaves differently within VMs and bare-metal. This struck me as an excellent vulnerability in evasive behavior to leverage against the attacker. If the attacker behaves differently on bare-metal and VM, that’s an instant red flag for evasion. But normally the problem with this is if we run these tests on bare metal, we can quickly lose system integrity or stability and even have the test hardware bricked.

Perhaps this vendor decided that if their test bench gets bricked that’s a low price to pay for the potential discovery of a zero-day exploit. This seems like a good trade-off considering a bare-bones test bench might cost <$100, but the implementation seems tricky; the test bench would need to be reset to factory defaults often, and special software designed to accomplish this without the time-expense of a true factory reset might be needed to maximize operational time. The result of this effort, however, seems extremely valuable, potentially turning the tables in the defender’s favor against evasive malware.

Is that the likely answer here? Or is there some clever strategy one might use to test malware behavior on bare-metal without risking hardware compromise / damage?
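The "behaves differently on bare metal and in a VM" red flag described in the post can be turned into a simple differential check on the analyst's side. The following is an added example, not code from the original post or from any vendor or sandbox product: it compares two constructed API-call traces of the same sample (one hypothetical bare-metal run, one hypothetical VM run), measures how far they diverge, and reports which behaviour classes were only ever observed on bare metal. The trace contents, the `BEHAVIOUR_CLASS` mapping and the similarity threshold are all assumptions made for illustration.

```python
"""Differential behaviour comparison: bare-metal trace vs VM trace.

Added example, not part of the original post. The traces below are
constructed sample data (hypothetical API-call logs), not real output.
"""
from difflib import SequenceMatcher

# Constructed sample traces: each entry is (api_name, argument summary).
# The bare-metal run (hypothetical) shows full payload behaviour.
TRACE_BARE_METAL = [
    ("GetSystemInfo", ""),
    ("GetTickCount", ""),
    ("CreateFileW", "C:\\Users\\user\\AppData\\Local\\Temp\\x.tmp"),
    ("WriteFile", "4096 bytes"),
    ("RegSetValueExW", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ("CreateProcessW", "C:\\Users\\user\\AppData\\Local\\Temp\\x.tmp"),
    ("InternetOpenW", ""),
    ("InternetConnectW", "c2.example.invalid:443"),
]

# The VM run (hypothetical) stalls and exits after a timing probe.
TRACE_VM = [
    ("GetSystemInfo", ""),
    ("GetTickCount", ""),
    ("GetTickCount", ""),
    ("Sleep", "30000"),
    ("ExitProcess", "0"),
]

# Hypothetical mapping of API names to coarse behaviour classes (constructed).
BEHAVIOUR_CLASS = {
    "CreateFileW": "filesystem",
    "WriteFile": "filesystem",
    "RegSetValueExW": "persistence",
    "CreateProcessW": "process",
    "InternetOpenW": "network",
    "InternetConnectW": "network",
    "Sleep": "stalling",
    "ExitProcess": "exit",
}


def compare_traces(bare_metal, vm, min_similarity=0.6):
    """Compare two traces of the same sample and flag divergent behaviour.

    Returns a dict with the sequence similarity of the API-name streams,
    the APIs seen in only one environment, the behaviour classes that were
    suppressed in the VM, and a verdict. min_similarity is an assumed
    threshold below which the runs are treated as divergent.
    """
    bare_names = [api for api, _ in bare_metal]
    vm_names = [api for api, _ in vm]

    # Ordered similarity of the two API-call streams (0.0 .. 1.0).
    similarity = SequenceMatcher(None, bare_names, vm_names).ratio()

    bare_classes = {BEHAVIOUR_CLASS.get(a, "other") for a in bare_names}
    vm_classes = {BEHAVIOUR_CLASS.get(a, "other") for a in vm_names}

    return {
        "similarity": round(similarity, 3),
        "only_on_bare_metal": sorted(set(bare_names) - set(vm_names)),
        "only_in_vm": sorted(set(vm_names) - set(bare_names)),
        # Behaviour the sample showed on bare metal but never in the VM:
        # this is the evasion signal the post describes.
        "suppressed_in_vm": sorted(bare_classes - vm_classes),
        "divergent": similarity < min_similarity,
    }


if __name__ == "__main__":
    result = compare_traces(TRACE_BARE_METAL, TRACE_VM)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The interesting output for an analyst is not the raw similarity score but `suppressed_in_vm`: if filesystem, persistence, process or network activity appears only on bare metal, the sample is gating its payload on environment checks, which is exactly the red flag the post proposes to exploit. In practice the traces would come from whatever tracing the bench already produces (API hooks, ETW, a kernel tracer), and the comparison would be run per sample across several bare-metal and VM runs to rule out ordinary non-determinism such as differing timer values.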
