COMPREHENSIVE VIRTUAL APPLIANCE DETECTION, presented at Black Hat Asia 2014

by Xiaoning Li, Kang Li

Summary: Our talk is about how to detect virtual appliance environments from both scripts and native binaries. The purpose of the detection is to evade defense methods that are based on virtual machines.
Virtual machines and virtualization technology play a critical role in virtual appliances, enabling dynamic and parallel sample analysis. Methods for detecting virtual machines and sandboxes have been discussed before, but mostly at the operating system level. This talk focuses on a comprehensive set of techniques that range from the OS level to the application level, and on to web scripts that can detect a virtual appliance from within the browser environment.
The talk will cover techniques that detect different virtualization models, from popular virtual machines such as KVM/QEMU, VMware, and Xen to lightweight bare-metal hypervisors such as ESX. It will also cover different detection approaches, from native code to device fingerprints.
Detection of virtual appliances can aid the attack side by enabling stealthy rootkits and malware, as well as malicious sites that evade VM-based detection such as virtual execution engines. The comprehensive list of virtual appliance detection methods can also help the malware detection and defense side by alerting them to the constraints and limitations of VM-based solutions.