#1
About 2 years ago, I switched from VMware to VirtualBox. There were mainly two reasons why:
- VirtualBox was free
- VMware was giving me poor results when analyzing samples (virtualization detection)

Well, today VirtualBox is still free, but it seems to be plagued by the same problems as far as malware detecting the virtual environment. Many samples will have a totally different behaviour when analyzed in a VM, such as:
- do nothing
- delete themselves
- do a minor payload

It is quite tricky to detect if a sample is VM-aware, for the reasons outlined above. So, at the end of the day, we are missing out on some really prevalent samples that people will get infected with. Take this rogue for example, Security Tool. Under a VM, it does nothing; in a real PC it installs and runs just fine:

Does that explain why some of the big players are not detecting it? I'm referring to Kaspersky, Symantec, F-Secure, Panda?

It looks like it's time to go back to the real machines for good.

Jerome Segura
Malware ID: 37e6447f055641903d1c17a11eb1b592.zip
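The check that post #1 keeps running into, as an added example that is not part of the thread and not Jerome's code: a small C program that performs the CPUID-based hypervisor test VM-aware samples commonly use. Leaf 1 ECX bit 31 is reserved on bare metal and set by hypervisors; leaf 0x40000000 then returns a 12-byte vendor id in EBX, ECX, EDX. The vendor strings below are the ones the respective hypervisors publish ("VBoxVBoxVBox", "VMwareVMware", "KVMKVMKVM", "Microsoft Hv", "XenVMMXenVMM", "TCGTCGTCGTCG"); which one a VirtualBox guest actually shows depends on the VM's paravirtualization provider setting, so the useful thing is to run this inside your own analysis VM and see what a sample would see. Running it on a real PC should report the bit as clear. The constants and helper names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0   /* non-x86 build: the pure helpers still work, live query is skipped */
#endif

/* Hypervisor families recognised from the vendor id in CPUID leaf 0x40000000. */
enum hv_vendor {
    HV_NONE = 0,     /* leaf 1 ECX bit 31 clear: bare metal, or a hypervisor hiding itself */
    HV_VIRTUALBOX,
    HV_VMWARE,
    HV_KVM,
    HV_HYPERV,
    HV_XEN,
    HV_QEMU_TCG,
    HV_UNKNOWN       /* present bit set but vendor string not in the table */
};

/* Leaf 1: ECX bit 31 is the "hypervisor present" bit. */
int hypervisor_present_bit(uint32_t leaf1_ecx)
{
    return (leaf1_ecx >> 31) & 1u;
}

/* Leaf 0x40000000 spreads a 12-byte vendor id over EBX, ECX, EDX (in that order;
 * leaf 0's CPU vendor string uses EBX, EDX, ECX). Bytes are taken low-order first,
 * independent of host endianness. */
void vendor_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xffu);
    out[12] = '\0';
}

/* Map a vendor id to a family. These are the strings the hypervisors publish and
 * that VM-aware samples compare against. */
enum hv_vendor classify_vendor(const char *vendor)
{
    if (strcmp(vendor, "VBoxVBoxVBox") == 0) return HV_VIRTUALBOX;
    if (strcmp(vendor, "VMwareVMware") == 0) return HV_VMWARE;
    if (strcmp(vendor, "KVMKVMKVM") == 0)    return HV_KVM;     /* 9 chars, NUL padded */
    if (strcmp(vendor, "Microsoft Hv") == 0) return HV_HYPERV;
    if (strcmp(vendor, "XenVMMXenVMM") == 0) return HV_XEN;
    if (strcmp(vendor, "TCGTCGTCGTCG") == 0) return HV_QEMU_TCG;
    return HV_UNKNOWN;
}

const char *hv_name(enum hv_vendor hv)
{
    switch (hv) {
    case HV_NONE:       return "none";
    case HV_VIRTUALBOX: return "VirtualBox";
    case HV_VMWARE:     return "VMware";
    case HV_KVM:        return "KVM";
    case HV_HYPERV:     return "Hyper-V";
    case HV_XEN:        return "Xen";
    case HV_QEMU_TCG:   return "QEMU (TCG)";
    default:            return "unknown hypervisor";
    }
}

/* Live query: gate on the present bit, then read the vendor leaf. The vendor leaf is
 * read with the raw __cpuid macro because __get_cpuid() refuses leaves above the
 * maximum basic leaf, and 0x40000000 always is. */
enum hv_vendor detect_hypervisor(char vendor_out[13])
{
    vendor_out[0] = '\0';
#if HAVE_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return HV_NONE;
    if (!hypervisor_present_bit(ecx))
        return HV_NONE;
    __cpuid(0x40000000u, eax, ebx, ecx, edx);
    vendor_from_regs(ebx, ecx, edx, vendor_out);
    return classify_vendor(vendor_out);
#else
    return HV_UNKNOWN;
#endif
}

int main(void)
{
    char vendor[13];
    enum hv_vendor hv = detect_hypervisor(vendor);
    printf("hypervisor-present bit: %s\n", hv == HV_NONE ? "clear" : "set");
    if (hv != HV_NONE)
        printf("leaf 0x40000000 vendor: \"%s\" -> %s\n", vendor, hv_name(hv));
    return 0;
}
```

This shows what a VM gives away, not whether a given sample looks for it; telling a VM-aware sample apart from a dud still means comparing its behaviour on a real machine against the VM run, which is the gap post #1 describes. A sandbox that masks the present bit defeats this particular check but not the others samples use (device and driver names, MAC prefixes, guest-additions processes), so treat a "clear" result here as one data point.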
#2
Quote:
#3
If you can do this programmatically that would be great. But doing that for every sample manually would be painstaking!!