network-boot system. For more information on DeepFreeze visit www.faronics.com/html/deepfreeze.asp.
Figure 10.3 Automated Analysis Suite (AAS)
[Figure 10.3 diagram: Nepenthes Sensor 1 ... Sensor n feed a database with malware binaries and analyses; Virtual Machine Host 1 ... Host m each run several CWSandbox instances (CWSandbox Host 1.1, 1.2, ... 1.n1 up to Host m.nm); a web server provides the web interface.]
www.syngress.com
Using Sandbox Tools for Botnets • Chapter 10
351
427_Botnet_10.qxd 1/9/07 3:06 PM Page 351
Notes from the Underground…
Detecting a Virtual Machine
Using virtual machines for malware analysis has become very popular today; because of this, many malicious applications try to detect whether they are running in such a virtual environment. Depending on the virtualization software, the malware can check for different characteristics, including specific registry entries, the list of running processes or system services, or typical system behavior. Especially for the widely used product VMware, many publicly known detection methods exist. The site www.trapkit.de presents many of them and offers the tools scoopy doo and jerry for that purpose. A generic approach to VM detection has been presented by Joanna Rutkowska under the name redpill. It is based on retrieving the address of the Interrupt Descriptor Table (IDT) through a nonprivileged instruction that can also be executed from user-mode applications. Because the IDT address retrieved when running in a virtual machine differs from that on a real system, this difference can easily be used for VM detection. The best thing about this trick is that it works with any virtualization software. As newer CPU generations offer real virtualization support, we can only hope that in the future VM detection will become impossible or at least (and most probably) much more difficult.
Describing the Components
In this section we describe the functionality and components of CWSandbox in detail. The sandbox itself consists of two different executables: cwsandbox.exe and cwmonitor.dll. The first one is the main application, which starts the malware and controls the whole analysis process, and the second one is a dynamic link library (DLL), which is injected into all monitored processes. During the execution of the malware, the DLL intercepts each critical API call and informs the main application of it. Depending on the type of system call, it either waits for the sandbox to decide how to continue, delegates control to the originally called API function, or simply returns to the malware with a simulated or error result. Besides monitoring, the DLL also has to ensure that whenever the malware starts a new process or injects code into an already running one, the sandbox is informed of that. In that case a new instance of the DLL is injected into the newly created or already existing process, so that this process can also be monitored. A schematic of this architecture is given in Figure 10.4.
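The three decision paths of the monitoring DLL (delegate to the original function, return a simulated result, or return an error, while every call is reported to the controlling process) can be shown on Linux with an LD_PRELOAD interposition library, the closest analogue to injecting cwmonitor.dll into a process. The following is an added example written for this page, not CWSandbox code; the unlink() policy rules, the report() channel and the sample paths are constructed for illustration.

```c
/* monitor_shim.c: Linux analogue of a sandbox monitoring library (constructed example).
 * Build: gcc -shared -fPIC -o monitor_shim.so monitor_shim.c
 * Use:   LD_PRELOAD=./monitor_shim.so ./sample      (hypothetical sample binary)
 * Linked directly into a program, the same code path is exercised without preloading. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The three outcomes an intercepted API call can have. */
enum verdict { DELEGATE, SIMULATE, DENY };

/* Stand-in for the channel to the controlling sandbox process: here we only
 * count the reported calls and keep the last one as text. */
static int reported = 0;
static char last_report[256];

static void report(const char *api, const char *arg) {
    snprintf(last_report, sizeof last_report, "%s(\"%s\")", api, arg);
    reported++;
}

/* Sandbox policy for unlink(): constructed rules, not CWSandbox's. */
enum verdict policy_unlink(const char *path) {
    if (strncmp(path, "/etc/", 5) == 0) return DENY;     /* protect the analysis host */
    if (strncmp(path, "/tmp/", 5) == 0) return DELEGATE; /* scratch files: let it happen */
    return SIMULATE;                                     /* report success, change nothing */
}

/* Interposed unlink(): every call made by the monitored process lands here first. */
int unlink(const char *path) {
    report("unlink", path);
    switch (policy_unlink(path)) {
    case DELEGATE:
        /* Hand over to the real operation. Going straight to the kernel avoids
         * re-entering this hook; unlinkat exists on both x86-64 and aarch64. */
        return (int)syscall(SYS_unlinkat, AT_FDCWD, path, 0);
    case SIMULATE:
        return 0;                 /* simulated success: the file is left untouched */
    default:
        errno = EACCES;           /* simulated error result handed back to the caller */
        return -1;
    }
}

/* Accessors so the monitoring side can be inspected. */
int reported_calls(void) { return reported; }
const char *last_reported(void) { return last_report; }
```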