PREVENTION OF IDENTIFICATION OF VIRTUAL MACHINE ENVIRONMENT ON WINDOWS OPERATING SYSTEM IN VIRTUALBOX BY MALWARE WITH FILESYSTEM, PROCESS, AND WINDOWS MANAGEMENT INSTRUMENTATION MODIFICATION
| Field | Value |
|---|---|
| Main Author | |
| Format | Final Project |
| Language | Indonesian |
| Online Access | https://digilib.itb.ac.id/gdl/view/55437 |
| Institution | Institut Teknologi Bandung |
Summary:

Anti-virtual machine (anti-VM) detection, a technique malware uses to recognise a virtualised execution environment, is one of the many challenges malware researchers have to overcome. Malware uses it to evade analysis in virtual machine environments, even though a virtual machine (VM) is the usual medium for analysing malware and observing its malicious behaviour. With this technique, malware can change its behaviour, acting benign or stopping its malicious activity, so that researchers cannot perform an analysis. To overcome this, we studied the anti-VM techniques used by malware and then built a protection method for the VM so that malware does not detect it. Through this approach we found that malware hides its malicious behaviour by first checking, as a detection step, a set of parameters that indicate the presence of a VM. These parameters are termed artifacts. Among the artifacts are the filesystem, processes, and WMI. In other words, the malware operates as it normally would if it cannot find the artifacts when it is run. Which artifacts malware checks for depends on the hypervisor and the operating system in use. In this research, a system for preventing the identification of registry artifacts, MAC addresses, filesystem, processes, and WMI on VirtualBox with a Windows guest operating system is offered, achieved by modifying those artifacts. However, this final project book only discusses the modified system for three of the artifacts, specifically filesystem, processes, and WMI.

The modified system was designed and implemented as a PowerShell script, which was then integrated into an executable file. System testing was carried out with two anti-VM tools, sems and Pafish, to determine the effectiveness of the system. The results show that the system succeeded in modifying 21 types of filesystem, process, and WMI artifacts in total, and that 20 of these 21 artifacts were hidden from detection by the anti-VM tools. In addition, the system was tested and found to be applicable to Windows 7 32-bit and Windows 10 64-bit.
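The abstract describes measuring how many VM artifacts remain visible to an anti-VM tool before and after hardening the guest. As an added example (not the thesis's script, which this record does not reproduce), the PowerShell audit below checks a Windows guest for VirtualBox artifacts in the three categories the abstract names. The specific file paths, process names and CIM properties are my own selection of publicly documented VirtualBox Guest Additions and firmware indicators of the kind Pafish-style checks look for; they are not the thesis's list of 21 artifacts. It requires PowerShell 3.0 or later for Get-CimInstance.

```powershell
# Added example, not the thesis's code: audit a Windows guest for VirtualBox
# artifacts in the three categories the abstract names (filesystem, process, WMI).
# The indicator lists are my own selection of publicly documented VirtualBox
# Guest Additions files, processes and firmware-derived CIM properties; they are
# NOT the thesis's list of 21 artifacts. Requires PowerShell 3.0+ (Get-CimInstance).

function Test-VBoxArtifacts {
    [CmdletBinding()]
    param()

    $results = New-Object 'System.Collections.Generic.List[object]'

    # 1. Filesystem: Guest Additions drivers, helper binaries and install directory.
    $paths = @(
        "$env:SystemRoot\System32\drivers\VBoxMouse.sys"
        "$env:SystemRoot\System32\drivers\VBoxGuest.sys"
        "$env:SystemRoot\System32\drivers\VBoxSF.sys"
        "$env:SystemRoot\System32\drivers\VBoxVideo.sys"
        "$env:SystemRoot\System32\vboxdisp.dll"
        "$env:SystemRoot\System32\vboxhook.dll"
        "$env:SystemRoot\System32\VBoxService.exe"
        "$env:SystemRoot\System32\VBoxTray.exe"
        "$env:ProgramFiles\Oracle\VirtualBox Guest Additions"
    )
    foreach ($p in $paths) {
        $results.Add([pscustomobject]@{
            Category = 'Filesystem'
            Artifact = $p
            Present  = (Test-Path -LiteralPath $p)
        })
    }

    # 2. Processes: the Guest Additions service and the per-session tray helper.
    $running = @(Get-Process -ErrorAction SilentlyContinue | ForEach-Object { $_.ProcessName })
    foreach ($name in @('VBoxService', 'VBoxTray')) {
        $results.Add([pscustomobject]@{
            Category = 'Process'
            Artifact = "$name.exe"
            Present  = ($running -contains $name)   # -contains compares case-insensitively
        })
    }

    # 3. WMI: vendor/model strings the hypervisor's virtual firmware and devices
    #    expose through CIM classes. A default VirtualBox guest also reports a
    #    BIOS serial number of "0", hence the '^0$' alternative.
    $wmiChecks = @(
        @{ Class = 'Win32_ComputerSystem';  Property = 'Manufacturer'; Pattern = 'innotek|VirtualBox' }
        @{ Class = 'Win32_ComputerSystem';  Property = 'Model';        Pattern = 'VirtualBox' }
        @{ Class = 'Win32_BIOS';            Property = 'SerialNumber'; Pattern = 'VirtualBox|^0$' }
        @{ Class = 'Win32_BIOS';            Property = 'Version';      Pattern = 'VBOX' }
        @{ Class = 'Win32_BaseBoard';       Property = 'Product';      Pattern = 'VirtualBox' }
        @{ Class = 'Win32_DiskDrive';       Property = 'Model';        Pattern = 'VBOX' }
        @{ Class = 'Win32_VideoController'; Property = 'Name';         Pattern = 'VirtualBox' }
        @{ Class = 'Win32_PnPEntity';       Property = 'Name';         Pattern = 'VirtualBox|VBOX' }
    )
    foreach ($c in $wmiChecks) {
        # Collect the property from every instance of the class; a class may have
        # several instances (disks, PnP devices), any one of which can give it away.
        $values  = @(Get-CimInstance -ClassName $c.Class -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.($c.Property) } |
                     Where-Object { $null -ne $_ })
        $matched = @($values | Where-Object { $_ -match $c.Pattern })
        $results.Add([pscustomobject]@{
            Category = 'WMI'
            Artifact = ('{0}.{1}' -f $c.Class, $c.Property)
            Present  = ($matched.Count -gt 0)
        })
    }

    return $results
}

# Usage: print the per-artifact table and a one-line score.
$report  = Test-VBoxArtifacts
$report | Format-Table Category, Artifact, Present -AutoSize
$visible = @($report | Where-Object Present).Count
Write-Output ('{0} of {1} checked artifacts are visible to an anti-VM style check' -f $visible, $report.Count)
```

To reproduce the kind of before/after measurement the abstract reports, save the first run with `$report | Export-Clixml before.xml`, apply the hardening, run the audit again and feed both to `Compare-Object -Property Artifact, Present`; every artifact whose Present value flipped to False is one the hardening hid, and every one still True is a residual detection surface. One caveat that applies to any guest-side hardening of this kind: the process and filesystem artifacts above belong to the Guest Additions, so stopping or renaming them also disables the integration features they provide (shared folders, clipboard sharing, mouse integration), which is the usual trade-off between a convenient analysis VM and a stealthy one.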