Peter Ferrie, Senior Principal Researcher, Symantec Advanced Threat Research, recently released a new research paper titled "Attacks on Virtual Machine Emulators". One increasingly common use of virtual machine emulators is to help analyze malicious code. Unfortunately, malicious code is adapting and fighting back! The paper explains known attacks against the most widely used virtual machine emulators (VMware and Microsoft), and also demonstrates newly discovered attacks on other virtual machine emulators with which you might not be familiar.

The introduction to the paper begins like so:

Virtual machine emulators have many uses. For anti-malware researchers, the most common use is to place unknown code inside a virtual environment, and watch how it behaves. Once the analysis has been completed, the environment can be destroyed, essentially without risk to the real environment that hosts it. This provides a safe way to see if a sample might be malicious. This brings us to the simplest attack that malicious code can perform on a virtual machine emulator: to detect it. As more security researchers come to rely on virtual machine emulators, malicious code samples have appeared that are intentionally sensitive to the presence of virtual machine emulators. Those samples alter their behavior (including refusing to run) if a virtual machine emulator is detected. This makes analysis more complicated, and possibly highly misleading.
Some descriptions and samples of how virtual machine emulators are detected are presented in this paper. A harsher attack that malicious code can perform against a virtual machine emulator is the denial-of-service, specifically by causing the virtual machine emulator to exit. Some descriptions and samples of how that is done are presented in this paper. Finally, the most interesting attack that malicious code can perform against a virtual machine emulator is to escape from its protected environment. No samples of that are presented in this paper. It is important to note here that most virtual machine emulators are not designed to be completely transparent. They are simply meant to be "good enough" so that typical software can be fooled to run inside it. Their use in the analysis of malicious code was never a requirement. This situation is changing, though, with the creation of new virtual machine emulators, such as Hydra. However, even with full knowledge of what has been used to detect existing virtual machine emulators, it is clearly difficult to write a virtual machine emulator that cannot be detected. Some descriptions and samples of how to detect Hydra are included in this paper. The interest in detecting virtual machine emulators is also not limited to the authors of malicious code. If malicious code is released that makes use of its own virtual machine emulator, then it will become necessary for anti-malware researchers to find ways to detect the virtual machine emulator, too.

You can find the entire research paper here.
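The introduction's warning that VM-sensitive samples "alter their behavior (including refusing to run)" is the part an analyst has to catch, since a run that silently stops early looks like a harmless sample. One practical check is to record the same sample in two environments (inside the emulator and in a reference environment) and compare the traces. The following Python is an added example, not code from Ferrie's paper or from Symantec; the trace format (one string per observed API call, in execution order) and all event names and paths are constructed for illustration.

```python
"""
Compare a behaviour trace recorded inside a virtual machine emulator with a
reference trace of the same sample, and flag runs that stop early or take a
different path.  Added example; all traces below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Divergence:
    index: int                                  # first position where traces differ, -1 if none
    reference_only: list = field(default_factory=list)  # events after the split, reference run
    vm_only: list = field(default_factory=list)         # events after the split, VM run
    verdict: str = "identical"


def compare_traces(reference, vm):
    """Return a Divergence describing how the VM run departs from the reference run.

    Both arguments are lists of event strings (e.g. "CreateFile C:\\tmp\\x").
    Events are compared as opaque strings, so the recorder must normalise
    anything that legitimately varies between runs (PIDs, timestamps).
    """
    common = 0
    for ref_event, vm_event in zip(reference, vm):
        if ref_event != vm_event:
            break
        common += 1

    if common == len(reference) == len(vm):
        return Divergence(index=-1)

    ref_rest = reference[common:]
    vm_rest = vm[common:]

    # The "refusing to run" case: the VM run produces at most one more event
    # (typically a process exit) where the reference run keeps going.
    if len(vm_rest) <= 1 and len(ref_rest) > 1:
        verdict = "vm-run-terminated-early"
    else:
        verdict = "behaviour-diverges"

    return Divergence(index=common, reference_only=ref_rest, vm_only=vm_rest,
                      verdict=verdict)


def report(divergence):
    """Render a short analyst-facing summary of a Divergence."""
    if divergence.verdict == "identical":
        return "Traces identical: no sign of environment sensitivity."
    lines = [f"Traces diverge at event #{divergence.index} ({divergence.verdict})."]
    if divergence.verdict == "vm-run-terminated-early":
        lines.append("The sample stopped early inside the emulator; "
                     f"{len(divergence.reference_only)} reference events were never reached.")
    lines.append("Reference continued with: " + "; ".join(divergence.reference_only[:3]))
    lines.append("VM run continued with: " + ("; ".join(divergence.vm_only[:3]) or "<nothing>"))
    return "\n".join(lines)


# Constructed traces: the same sample recorded in a reference environment and
# inside an emulator.  Paths and API names are placeholders, not real samples.
REFERENCE_TRACE = [
    "LoadLibrary kernel32.dll",
    "CreateMutex Local\\example-mutex",
    "CreateFile C:\\Temp\\example.dat",
    "WriteFile C:\\Temp\\example.dat 4096",
    "CreateProcess C:\\Temp\\example.exe",
    "ExitProcess 0",
]
VM_TRACE = [
    "LoadLibrary kernel32.dll",
    "CreateMutex Local\\example-mutex",
    "ExitProcess 1",      # sample bailed out after its environment check
]

if __name__ == "__main__":
    print(report(compare_traces(REFERENCE_TRACE, VM_TRACE)))
```

The classification is deliberately coarse: a trace that merely reorders events or adds a long sleep is reported as "behaviour-diverges" rather than as an early exit, so the analyst still has to read the tail of both traces. Collecting a reference trace requires an environment the sample cannot distinguish from a real host, which is exactly what the paper argues is hard to build.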