Making A Virtual Machine Look Like Real Hardware To Malware

Running suspicious software in a virtual machine seems like a basic precaution to figure out whether said software contains naughty code. Unfortunately it’s generally rather easy to detect whether or not one’s software runs inside a VM, with [bRootForce] going through a list of ways that a VirtualBox VM can be detected from inside the guest OS. While there are a range of obvious naming issues, such as the occurrence of the word ‘VirtualBox’ everywhere, there are many more subtle ways too.

Demonstrated is the PoC ‘malware’ application called Al-Khaser, which can be used to test one’s malware-analysis setup: for example whether a sample can tell that a debugger has been attached to it or that it is running inside a VM, along with many more checks. Among its anti-virtualization features are checks for specific registry key names and values, file system artefacts, directory names, MAC addresses, virtual devices, etc.

In order to squeeze by those checks, [bRootForce] created the vbox_stealth shell script for Bash-blessed systems, which uses the VirtualBox Manager on the host to rename the hardware identifiers, along with the VBoxCloak project’s PowerShell script that is run inside the Windows VirtualBox guest to rename registry keys, kill VirtualBox-specific processes, and delete VirtualBox-specific files.
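To show what the host-side half of that approach looks like, here is an added Bash example (not [bRootForce]’s vbox_stealth script) that uses VirtualBox’s documented VBoxManage extradata keys to overwrite the DMI strings, the disk model string and the NIC MAC that the guest sees. The vendor strings and the MAC are constructed placeholders, and setting DRY_RUN=1 only prints the commands so they can be reviewed without VirtualBox installed.

```bash
#!/usr/bin/env bash
# Added example: rewrite the hardware identifiers a VirtualBox guest exposes
# (DMI/SMBIOS, SATA disk model, NIC MAC) with VBoxManage on the host.
# DRY_RUN=1 prints the commands instead of running them.
set -euo pipefail

VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Write one VBoxInternal extradata key on VM "$1".
set_key() {
  run "$VBOXMANAGE" setextradata "$1" "$2" "$3"
}

# Apply all renames to VM "$1"; the VM must be powered off first.
# The replacement strings below are constructed placeholders, not a real
# vendor's data: pick values that match a plausible physical machine.
vbox_stealth() {
  local vm="$1" dmi="VBoxInternal/Devices/pcbios/0/Config"
  set_key "$vm" "$dmi/DmiBIOSVendor"    "ExampleBIOS Inc."
  set_key "$vm" "$dmi/DmiBIOSVersion"   "1.02"
  set_key "$vm" "$dmi/DmiSystemVendor"  "Example Computer Co."
  set_key "$vm" "$dmi/DmiSystemProduct" "Desktop 1000"
  set_key "$vm" "$dmi/DmiSystemVersion" "1.0"
  set_key "$vm" "$dmi/DmiSystemSerial"  "EX-0000001"
  set_key "$vm" "$dmi/DmiBoardVendor"   "Example Computer Co."
  set_key "$vm" "$dmi/DmiBoardProduct"  "EX-MB-1"
  # Model string of the disk on the first SATA (AHCI) port.
  set_key "$vm" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "EXAMPLE SSD 256GB"
  # Replace the 08:00:27 VirtualBox OUI; placeholder, use a real NIC vendor OUI.
  run "$VBOXMANAGE" modifyvm "$vm" --macaddress1 "AABBCCDDEEFF"
  # Stop advertising a hypervisor via the paravirtualisation interface.
  run "$VBOXMANAGE" modifyvm "$vm" --paravirtprovider none
}

# Number of extradata keys the script would write (dry run), for self-checks.
stealth_key_count() {
  ( DRY_RUN=1; vbox_stealth "$1" ) | grep -c 'setextradata'
}

if [ -n "${1:-}" ]; then vbox_stealth "$1"; fi
```

Anything the guest can query that is not covered here (CPUID leaves, ACPI tables, timing) is exactly the kind of subtler tell the article warns about.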

Theoretically this should make it much harder for any malware to detect that it’s not running inside Windows on real hardware, but as always there are more subtle ways that are even harder to disguise.

6 thoughts on “Making A Virtual Machine Look Like Real Hardware To Malware”

    1. Probably look at fundamental things like distances and time, see if they are quantized at some level. Non-infinite precision of the VM runner and all. You’d also expect the equivalent of drawing distance, like not being able to go faster than a certain speed because the VM needs to be able to keep up. Plus maybe the VM does some lazy execution, which could result in things not being calculated when there’s no observer. If you could find one of these things, I’d think that would be a good hint we’re running on a VM.

    2. There’s a finite bit representation, orbital predictions have a small span of accuracy of around 2 million years. Oscillations would be more stable on a computer simulation. If the simulation was on a computer these orbital predictions would be accurate past 2 million years. Then perhaps we could comment on the magnitude of computational complexity involved. My comment is pseudo techno jargon babble of course.
