Whitepaper: Attacks on Virtual Machine Emulators

Peter Ferrie, Senior Principal Researcher at Symantec Advanced Threat Research, has published an interesting 13-page whitepaper on the detection techniques malware can use against nearly all current virtualization platforms:


As more security researchers come to rely on virtual machine emulators, malicious code samples have appeared that are intentionally sensitive to the presence of virtual machine emulators. Those samples alter their behavior (including refusing to run) if a virtual machine emulator is detected. This makes analysis more complicated, and possibly highly misleading. Some descriptions and samples of how virtual machine emulators are detected are presented in this paper.

A harsher attack that malicious code can perform against a virtual machine emulator is the denial-of-service, specifically by causing the virtual machine emulator to exit. Some descriptions and samples of how that is done are presented in this paper…

Read the whole paper at source.
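As an added illustration of the class of check the paper is about (this is not code from Ferrie's paper, nor from any of the virtualization products it covers), here is a small C program that does the most basic form of hypervisor detection on x86. It relies on two documented facts: CPUID leaf 1 sets ECX bit 31 when a hypervisor is present, and leaf 0x40000000 returns a 12-byte vendor signature such as "KVMKVMKVM", "VMwareVMware", "Microsoft Hv" or "XenVMMXenVMM". The register values used for the signature decoding below are constructed test data, not captured from a real machine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

/* CPUID leaf 1: ECX bit 31 is the "hypervisor present" flag. It reads as
 * zero on bare metal and is set by a hypervisor that does not hide itself. */
int hv_bit_set(uint32_t leaf1_ecx)
{
    return (leaf1_ecx >> 31) & 1u;
}

/* CPUID leaf 0x40000000 spreads the 12-byte vendor signature across
 * EBX, ECX, EDX in little-endian byte order. Unpack it into out[13] as a
 * NUL-terminated string. Done byte-wise so the constructed register values
 * in the usage below decode the same way regardless of host endianness. */
void hv_signature(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int b = 0; b < 4; b++)
            out[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xffu);
    out[12] = '\0';
}

/* Run the check on the current CPU. Returns 1 if a hypervisor advertises
 * itself (and fills sig), 0 if the bit is clear, -1 if CPUID is unavailable
 * (non-x86 build). A 0 result proves nothing: the flag can be masked by the
 * hypervisor's CPU configuration. */
int detect_hypervisor(char sig[13])
{
    sig[0] = '\0';
#if HAVE_X86_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    if (!hv_bit_set(ecx))
        return 0;
    /* Leaf 0x40000000 lies above the basic-leaf maximum, so issue CPUID
     * directly rather than through __get_cpuid, which would reject it. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    hv_signature(ebx, ecx, edx, sig);
    return 1;
#else
    return -1;
#endif
}

int main(void)
{
    char sig[13];
    int r = detect_hypervisor(sig);
    if (r < 0)
        puts("CPUID not available on this build target");
    else if (r == 0)
        puts("hypervisor bit clear (bare metal, or a hypervisor hiding the bit)");
    else
        printf("hypervisor bit set, vendor signature \"%s\"\n", sig);
    return 0;
}
```

The same check is useful on the analyst's side: if it reports a vendor signature inside your sandbox, the cheapest detection trick in the class the paper describes already works against it. Because the flag and the signature are under the hypervisor's control, a clear result does not mean bare metal, which is why the paper's samples also use instruction-timing and descriptor-table side effects that are harder to mask.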

In November 2006 the SANS Institute had already reported on a range of malicious programs that recognize virtual machines and refuse to run inside them.

A more focused discussion of virtualization insecurities centers on the popular Blue Pill proof of concept.
In an interview with Anthony Liguori, Software Engineer at the IBM Linux Technology Center, virtualization.info offered a different point of view on that question.

Thanks to GridVM for the news.