Split personality malware detection and defeating in popular virtual machines

Abstract

Virtual Machines have gained immense popularity amongst the Security Researchers and Malware Analysts due to their pertinent design to analyze malware without risking permanent infection to the actual system carrying out the tests. This is because during analysis, even if a malware infects and destabilizes the guest OS, the analyst can simply load in a fresh image thus avoiding any damage to the actual machine. However, the cat and mouse game between the Black Hat and the White Hat Hackers is a well established fact. Hence, the malware writers have once again raised their stakes by creating a new kind of malware which can detect the presence of virtual machines. Once it detects that it is running on a virtual machine, it either terminates execution immediately or simply hides its malicious intent and continues to execute in a benign manner thus evading its own detection. This category of malware has been termed as Split Personality malware or Analysis Aware malware in the Information Security jargon. This paper aims at defeating the split personality malware in popular virtual machine environment. This work includes first the study of various virtual machine detection techniques and then development of a method to thwart these techniques from successfully detecting the virtual machines-VirtualBox, VirtualPC and VMware. Copyright � 2012 ACM.