Check Point unveils encyclopaedia to explain techniques used by malware to detect virtual environment

A virtual environment differs from common host systems in terms of registry keys, non-common files, and system objects

Cyber security research firm Check Point has launched a new encyclopaedia that lists all techniques used by malware to ascertain if it is running under a virtual environment.

The malware evasion encyclopaedia also discusses various countermeasures that researchers can use to defeat those checks.

With emergence of new malicious threats, it is becoming necessary for researchers to analyse those threats in some kind of virtualised environment, such as virtual machine (VM) in VMware and VirtualBox, in order to determine their mode of operation.

Virtual environments usually differ from common host systems in terms of registry keys, non-common files, system objects and other features.

A malware sample can determine if it is being run in a virtualised environment by sniffing out such artefacts. If the malware detects the use of a VM, it starts behaving in an unexpected way. It will either not execute itself or will delete itself to prevent further analysis.

Check Point's malware evasion encyclopaedia uses the following sections to list the techniques used by malware:

• Registry
• Filesystem
• Global OS objects
• Generic OS queries
• OS features
• UI artifacts
• Processes
• CPU
• Network
• Firmware tables
• Hardware
• Hooks
• macOS

Each section provides details of the techniques used by malware; code snippets illustrating the usage of a particular technique; signature recommendations to identify attempts to apply the technique; tables providing a breakdown of which specific environments are identified with the help of particular constants; and possible countermeasures.

For example, the 'Firmware tables' section shows how malware searches for some specific strings in the BIOS. Similarly, the 'Processes' section explains how malware looks for certain processes used by VMs. Code samples for the encyclopaedia were taken from the following open-source projects: VMDE, pafish and al-khaser.

Some sections in the encyclopaedia are currently inactive, with content to be added in coming days.

"If it isn't stated explicitly which operating system is described, Windows is meant by default," said Check Point engineer Raman Ladutska.

Check Point's researchers have also produced their own open-source tool called InviZzzible for for assessing and fixing virtual environments.