Sreelakshmi Panangatt graduated from Vrije University and Amrita Vishwa Vidyapeetham. She focuses on reverse engineering. Her tool DeViL (Detect Virtual Machine in Linux) demonstrates techniques malware uses to detect virtual machines. It determines how the current Linux configuration exposes itself. DeViL checks files, CPU instructions, network settings and timing to detect signs the system is running in a VM like VMWare or VirtualBox rather than physical hardware. It aims to help analysts understand how malware detects analysis environments.

1. DeViL
Detect Virtual Machine in Linux

2. @srlkhmi
● Sreelakshmi Panangatt
● Member of Team bi0s
● Graduated from Vrije University and Amrita Vishwa Vidyapeetham.
● Focusing on Reverse engineering.

3. Outline
● Introduction
● VM- Detection Techniques
● DeViL
● Demo

4. Introduction
● Malware implements anti-analysis techniques for self defence
● Anti-analysis techniques = Make analysis harder
● Anti-analysis techniques
○ Anti-VM detection
○ Anti-Debugger
○ Obfuscation

5. Virtualization
● Creation of virtual version of resources like Storage, OS
● Examples: VMware, VirtualBox, KVM, QEMU
● Benefits in Malware Analysis
○ Researchers can intrepidly execute potential malware samples without having their
systems affected.
○ If a malware destabilizes the OS, analyst just needs to load in a fresh image on a VM.
○ Reduce the time and cost
○ Increase the productivity

6. Anti-VM Techniques
● To evade the analysis in VM`s
● Types
○ File based detection
○ Time based detection
○ Instruction based detection

7. Presence of VM
● /usr/bin - standard directory contains most of the executable files
● Searching for the files that start with ”vmw” or ”VirtualBox” provides
information regarding the presence of VMware and Virtualbox.

8. /usr/bin

9. Information Collection from Files
● Linux stores information in file.
● Reads from the file and compare with specific values to detect VM.

10. Some Interesting Files.
● /proc/cpuinfo
● /proc/scsi/scsi
● /sys/class/net/eth0/address
● /sys/class/dmi/id/bios_vendor
● /sys/class/dmi/id/product_name
● /sys/class/dmi/id/sys_vendor
● /proc/sys/kernel/ostype
● /sys/class/dmi/id/sys_vendor
● /sys/class/dmi/id/bios_vendor
● /sys/class/dmi/id/board_vendor
● /proc/modules

11. /proc/cpuinfo

12. /proc/scsi/scsi

13. /sys/class/dmi/id/bios_vendor

14. /sys/class/dmi/id/product_name

15. /proc/modules

16. Known MAC Address
● VMWare
○ 00:05:69
○ 00:0C:29
○ 00:1C:14
○ 00:50:56
● VirtualBox
○ 08:00:27

17. CPUID Instruction
● Hypervisor bit
○ CPUID instruction with EAX=0x01
○ 31st bit in ECX
● Virtualization vendor string
○ EAX=40000000
○ Strings in EBX, ECX and EDX

18. Hypervisor port - IN Instruction
● Specific for VMware.
● Performs an IN operation to port 0x5658 (the VMware hypervisor port).
○ eax = 0x564D5868 (VMware hypervisor magic value)
○ ebx = 0xFFFFFFFF (UINT_MAX)
○ ecx = 10 (Getversion command identifier)
○ edx = 0x5658 (hypervisor port number)
● Value of register ebx to 0x564D5868 (the VMware hypervisor magic
value).

19. VMEXIT through CPUID Instruction
● Timing based
● Measures time takes to run instruction CPUID.
● Context switch from guest caller to hypervisor causes VMEXIT.
● Summary - Execution on VM`s will take more time!

20. DeViL
● Demonstration tool
● Determines how the current configuration expose itself to malware
● Supports only Linux
● Tested in Ubuntu 16.04

21. DEMO

22. DeViL
@srlkhmi