Masking revealing hardware attributes in the source code of a hypervisor: A study exploring strategies to hide the identity of virtual environments during malware analysis

University essay from Blekinge Tekniska Högskola/Institutionen för datavetenskap

Abstract:

Background: Malware is responsible for a significant part of the ever-increasing cost of cyberattacks, and malware analysis is an important part of minimizing these costs. Because of its malicious nature, malware has to be executed in a safe and isolated environment during dynamic analysis so that it does not harm a live system, which is why Virtual Machines (VMs) and sandboxes are popular solutions. However, malware developers actively try to evade analysis of their malware, and some use, among other things, hardware attributes to reveal the environment as an analysis environment.

Objectives: The aim of this thesis is to investigate which hardware attributes can be used to detect virtual environments and how they can be masked in the source code of hypervisors.

Methods: We conducted a literature review to explore which indicators of virtual environments were already known. We then examined the known artifacts to see which of them can be used to reveal QEMU/KVM and VirtualBox. Using this information, we tried to mask the artifacts on QEMU/KVM with values that do not indicate a virtual environment. To evaluate our masking strategy, we conducted a controlled experiment.

Results: The literature review resulted in 72 unique artifacts related to hardware. Most of these unique artifacts are identifiers such as manufacturer and product name. We created an attribute collection script, designed to gather data from QEMU/KVM and VirtualBox on 58 out of the 64 unique hardware artifacts. This script was executed in multiple environments, and the data gathered from each environment was compared with the others in order to filter out non-artifacts. This resulted in 40 revealing artifact devices and 26 registry keys for QEMU/KVM and 25 artifact devices and 13 registry keys for VirtualBox. Of these, we attempted to mask 25 devices and 22 keys. Our results showed that we had successfully masked 23 out of the 25 devices and all of the registry keys.

Conclusions: Our results show that most hardware artifacts can be masked and that our whitelist method is a viable strategy for accomplishing that.
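The cross-environment comparison and whitelist evaluation described in the Methods and Results, as an added illustration that is not the thesis' own collection script. The attribute names, environment readings and whitelist below are constructed samples, and a masked value is counted as non-revealing only when it matches the physical-hardware baseline.

```python
# Added illustration: compare attribute sets gathered from several environments,
# keep only values that differ from physical hardware as revealing artifacts,
# apply a whitelist mask and re-check which artifacts remain unmasked.
# Every value here is a constructed sample, not a measurement from the thesis.
Attributes = dict[str, str]

BARE_METAL: Attributes = {
    "bios_vendor": "Example BIOS Inc.",
    "system_manufacturer": "ExampleCorp",
    "disk_model": "EXAMPLE SSD 512GB",
    "cpu_brand": "Example CPU @ 3.0GHz",   # same everywhere -> not an artifact
}
QEMU_KVM: Attributes = {
    "bios_vendor": "SeaBIOS",
    "system_manufacturer": "QEMU",
    "disk_model": "QEMU HARDDISK",
    "cpu_brand": "Example CPU @ 3.0GHz",
}
VIRTUALBOX: Attributes = {
    "bios_vendor": "VirtualBox BIOS",
    "system_manufacturer": "VirtualBox",
    "disk_model": "VBOX HARDDISK",
    "cpu_brand": "Example CPU @ 3.0GHz",
}

def revealing_artifacts(baseline: Attributes, candidate: Attributes) -> set[str]:
    """Attribute names whose value in `candidate` differs from the physical baseline.
    Attributes identical across environments are filtered out as non-artifacts."""
    return {name for name, value in candidate.items() if baseline.get(name) != value}

def common_artifacts(baseline: Attributes, *candidates: Attributes) -> set[str]:
    """Artifacts that reveal every listed hypervisor, i.e. the ones to mask first."""
    found = [revealing_artifacts(baseline, c) for c in candidates]
    return set.intersection(*found) if found else set()

def apply_whitelist(attributes: Attributes, whitelist: Attributes) -> Attributes:
    """Masking step: substitute the whitelisted value wherever one is defined."""
    return {name: whitelist.get(name, value) for name, value in attributes.items()}

def evaluate_mask(baseline: Attributes, candidate: Attributes,
                  whitelist: Attributes) -> set[str]:
    """Controlled check: re-run the comparison on the masked environment."""
    return revealing_artifacts(baseline, apply_whitelist(candidate, whitelist))

# Whitelist drawn from physical-hardware readings; disk_model is deliberately
# left out so the evaluation shows an artifact that survives masking.
WHITELIST: Attributes = {
    "bios_vendor": BARE_METAL["bios_vendor"],
    "system_manufacturer": BARE_METAL["system_manufacturer"],
}
```

Running `evaluate_mask(BARE_METAL, QEMU_KVM, WHITELIST)` reports only `disk_model` as still revealing, which mirrors the thesis' finding that a few devices remained unmasked after the whitelist was applied.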
