Detecting & Defeating Split Personality Malware


Virtualization has emerged as a very promising technology in the field of Security Research. Security analysts extensively use virtual machines to analyze sample programs and study them to determine if they contain any malware. In the process, if the malware destabilizes the guest OS, the analysts simply discard it and load in a fresh image. This approach increases their productivity. However, due to the wide acceptance and use of Virtual Environment technology, the malware developers have added a unique functionality to their malware samples. These samples can detect the presence of Virtual Machine (VM). This class of malware is known as Analysis Aware Malware or Split Personality Malware. Since naive users do not run virtual machines, malware authors have observed that it is a pretty good probability that their malware is being analyzed if it is being run in a VM. When the Analysis Aware Malware detect the presence of VMs, they behave in a benign manner thus escaping detection. A determined analyst will have to end up running the sample on a native machine that adds to his chase time. In the first phase of our project, we have amassed the techniques deployed by the Split Personality Malware to detect the VM presence. We developed a tool called VMwareDetect that detects the presence of Virtual Machines in different possible ways. In phase two, we came up with a solution to counter the Split Personality Malware. Our tool, which we call VMDetectGuard, not only detects this category of malware but also fools it into believing that it is running on a native machine even when it is running on a virtualized one, forcing it to exhibit its malicious form. Most security analysts should find this tool really useful.

Technical Guidance

Project Member:

Kalpa Y. Vishnani

  • Software       


    Content with URLs that have the current URL as a prefix has been hosted in accordance with fair use principles, for academic and non-profit purposes. By downloading the contents of this page, you agree to bring possible violation of fair use to my notice before taking legal recourse.