Attacks on Virtual Machine Emulators

As virtual machine emulators have become commonplace in the analysis of malicious code, malicious code has started to fight back. This paper describes known attacks against the most widely used virtual machine emulators (VMware and VirtualPC). This paper also demonstrates newly discovered attacks on other virtual machine emulators (Bochs, Hydra, QEMU, and Xen), and describes how to defend against them.

Virtual machine emulators have many uses. For anti-malware researchers, the most common use is to place unknown code inside a virtual environment, and watch how it behaves. Once the analysis is complete, the environment can be destroyed, essentially without risk to the real environment that hosts it. This practice provides a safe way to see if a sample might be malicious.

The simplest attack that malicious code can perform on a virtual machine emulator is to detect it. As more security researchers rely on virtual machine emulators, malicious code samples have appeared that are intentionally sensitive to the presence of virtual machine emulators. Those samples alter their behavior (including refusing to run) if a virtual machine emulator is detected. This behavior makes analysis more complicated, and possibly highly misleading. Some descriptions and samples of how virtual machine emulators are detected are presented in this paper.

A harsher attack that malicious code can perform against a virtual machine emulator is the denial-of-service; specifically, this type of attack causes the virtual machine emulator to exit. Some descriptions and samples of how that is done are presented in this paper.
