Microsoft Virtual Machine & VMWARE information disclosure Vulnerability

Note: Though not limited to these two products, this trick can be used as a
generic method to detect the presence of any virtual machine regardless of the
OS used at this date. But (from a friendly source) I came to know these all
represent design decisions by the software makers. Isn't THAT RIDICULOUS!!!?

Tested on:
  Microsoft Virtual PC 5.3.582.27
  VMware Workstation 4.5.2 build-8848

Virtual Machines are very often used in new virus/trojan analysis, honeypots,
IDS etc. But an attacker or malicious code can easily figure out if it's inside
a Virtual Machine or a Real System by querying various hardware parameters &
features from the OS. If the virtual machine responds back with too much, too
little, UNKNOWN or suspicious hardware information on ANY SYSTEM HARDWARE
(virtual) it can always be clearly guessed that the user/code is inside the
virtual machine. Moreover the emulated BIOS in the virtual Machine is almost
the same for each version release, which can be detected from the virtual OS.

Below are my findings (which is obviously not a complete list but is enough to
draw conclusions for a software/person that it is inside a virtual machine). I
was surprised to get even the information of the PRIVATE LICENSED PRODUCT KEY
while I was querying Motherboard System Information inside the virtual machine.

So here are the data: System Query outputs inside the virtual machine that will
clearly demonstrate the presence of a Virtual Machine, which are obviously
unique & fake & don't resemble real hardware information.

-----------------------------------------------------------------------
(Query Output inside Microsoft Virtual Machine)

Hdd Model        : Virtual HD
Firmware version : 1. 1
Serial number    :
Buffer size      : 64 KB
Standard         :

When queried for the information: RAM Memory speed, Manufacturer, Serial No.,
Voltage, CPU clock ratio & Max allowed frequency -------> The information is
unknown to the system

Motherboard:
Company Brand Name  : Vmware, Inc
VMware Video Chipset & Video Memory information
System Manufacturer : VMware, Inc
Product Name        : VMware Virtual Platform
Product Version     :

------------------------------------------------------------------------
( Output inside VMWARE )

HDD Model          : VMware Virtual IDE Hard Drive
Firmware version   : 00000001
Serial number      : 00000000000000000001
Buffer size        : 64 KB
Standard           :
Company Brand Name : Microsoft Corporation Virtual Machine

When queried for the information: CPU clock ratio & Max allowed frequency not
displayed
Motherboard Model : Microsoft Corporation Virtual Machine
The L1, L2, L3 cache size information unknown
The device name for hdd & CD were Virtual HD, Virtual CD

------------------------------------------------------------------------
And for ATA security mode & other ATA features (in both virtual machines)

S.M.A.R.T                     : no
48-bit Address                : no
Read Look-Ahead               : no
Write Cache                   : no
Host Protected Area           : no
Device Configuration Overlay  : no
Automatic Acoustic Management : no
Power Management              : no
Advanced Power Management     : no
Power-up in Standby           : no
Security Mode                 : no
Firmware Upgradable           : no

-----------------------------------------------------------------------
Querying just a few of the above mentioned pieces of information from inside
the virtual machine can IMMEDIATELY PROVE the presence of a virtual machine,
not the actual system. A virus/worm MAY (can?) effectively bypass detection
while being executed/detected in a sandbox if the same principle is applied in
the coding/execution cycle, by doing an actual hardware detect.

(Could you please test the principle with the NORMAN sandbox (& similar sandbox
technology which is based on behavior detection) as its license clauses don't
fit me as a tester. Encrypt a known virus/worm with a key file with the
condition below using hardware detect on any of the above parameters &
PLEASEEEEEE let us know about the results over here.)

say,
  if sandbox_detected(say_hello_world);
  else start_code_decryption();

best regards,
-bipin

---
************************************************************************
http://groups.google.com/group/AntiForensics
-Where you will learn to PROTECT your DIGITAL PRIVACY.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
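The post's three tells (vendor strings in hardware fields, empty or all-zero
values where real hardware reports something, and every ATA feature answered
"no") can be turned into a self-check that a sandbox or honeypot operator runs
against their own guest's inventory dump to see which fields leak the
hypervisor identity. The script below is an added example, not code from the
post or from either vendor; the "Key : Value" input format, the field names and
the sample inventories are constructed assumptions modelled on the output
quoted above.

```python
"""Audit a hardware-inventory dump for fields that give away a hypervisor.

Added example (not from the original post). Parses 'Key : Value' lines like
the ones quoted in the post and reports which fields a sandbox operator
would want to scrub or randomise. Field names and samples are assumptions.
"""
import re
from dataclasses import dataclass

# Vendor/model substrings that appear in the post's quoted output.
VENDOR_MARKERS = ("vmware", "virtual hd", "virtual cd", "virtual machine",
                  "virtual platform", "virtual ide")

# Fields that real hardware almost always populates; an empty, "unknown" or
# all-zero value is the "too little information" tell from the post.
EXPECTED_NONEMPTY = ("serial number", "firmware version", "ram memory speed",
                     "ram manufacturer", "cpu clock ratio", "l2 cache size")

# ATA feature flags; a disk that reports "no" for all of them is suspicious.
ATA_FEATURES = ("s.m.a.r.t", "48-bit address", "read look-ahead", "write cache",
                "host protected area", "power management", "security mode")


@dataclass
class Finding:
    field: str
    value: str
    reason: str


def parse_inventory(text: str) -> dict:
    """Turn 'Key : Value' lines into a dict keyed by lowercase field name."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def _is_placeholder(value: str) -> bool:
    """Empty, 'unknown', or a run of zeros optionally ending in 1 (e.g. 00000001)."""
    if value == "" or "unknown" in value.lower():
        return True
    return re.fullmatch(r"[0\s.\-]*1?", value) is not None


def audit(fields: dict) -> list:
    """Return one Finding per field that would reveal a virtual machine."""
    findings = []
    for key, value in fields.items():
        low = value.lower()
        if any(marker in low for marker in VENDOR_MARKERS):
            findings.append(Finding(key, value, "hypervisor vendor/model string"))
        elif key in EXPECTED_NONEMPTY and _is_placeholder(value):
            findings.append(Finding(key, value, "placeholder value on a field real hardware fills"))

    # Pattern check: several ATA features reported and every one of them is "no".
    ata = {k: fields[k].lower() for k in ATA_FEATURES if k in fields}
    if len(ata) >= 3 and all(v == "no" for v in ata.values()):
        findings.append(Finding("ata features", ", ".join(ata),
                                "every ATA feature reported absent"))
    return findings


# Constructed sample, modelled on the VMware output quoted in the post.
VM_SAMPLE = """\
HDD Model : VMware Virtual IDE Hard Drive
Firmware version : 00000001
Serial number : 00000000000000000001
Buffer size : 64 KB
System Manufacturer : VMware, Inc
Product Name : VMware Virtual Platform
RAM Memory speed :
CPU clock ratio : unknown
S.M.A.R.T : no
48-bit Address : no
Read Look-Ahead : no
Write Cache : no
Host Protected Area : no
Power Management : no
Security Mode : no
"""

# Constructed sample of what a physical host might report (values invented).
HOST_SAMPLE = """\
HDD Model : EXAMPLE-DISK-1000
Firmware version : 3.06
Serial number : 3JS2ABCD
System Manufacturer : ExampleCo
S.M.A.R.T : yes
Write Cache : yes
"""

if __name__ == "__main__":
    for name, sample in (("vm", VM_SAMPLE), ("host", HOST_SAMPLE)):
        print(f"== {name} ==")
        for f in audit(parse_inventory(sample)):
            print(f"  {f.field!r} = {f.value!r}: {f.reason}")
```

Run it against a dump from your own analysis guest; every line it prints is a
field the guest exposes verbatim and that a behaviour-based sandbox would need
to change to look like the physical machine it is standing in for.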