Thursday, August 23, 2012

Modifying VirtualBox settings for malware analysis

If you use VirtualBox for malware analysis, either with a sandbox like Cuckoo or stand-alone, you probably want to be able to run modern malware, including samples that are VM-aware.

Here are a few tips to make your VirtualBox guest somewhat harder to detect. They remove the obvious VirtualBox strings (DMI/SMBIOS data, MAC prefix, disk identity); they do not cover CPUID, timing or other hypervisor-level checks, so "harder", not "impossible".

First, run dmidecode as root on your host (I assume a Linux-based host, but the same information can be obtained on other OSes as well):

# dmidecode -t 0
# dmidecode -t 1

You will get an output that looks something like this:

BIOS Information
        Vendor: <vendor>
        Version: <BIOS version>
        Release Date: <BIOS date>
        BIOS Revision: <major>.<minor>          (only shown if the BIOS reports it)
        Firmware Revision: <major>.<minor>      (only shown if the BIOS reports it)
System Information
        Manufacturer: <vendor>
        Product Name: <product>
        Version: <hw version>
        Serial Number: <S/N>
        UUID: <UUID>
        Wake-up Type: Power Switch
        SKU Number: Not Specified
        Family: <hw family>
To make it easier to apply these settings to several guests, create a script that
contains the following commands (populate the values with the information from the dmidecode output above).
Two things to watch: a value that consists only of digits, such as many serial numbers, must be written with a string: prefix (for example "string:1234567"), otherwise VirtualBox reads it as an integer; and the VM must be powered off (not merely saved) when you apply the settings, because they are read when the VM starts. If the guest boots with EFI rather than the BIOS, replace pcbios with efi in the keys.

VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor"        "<vendor>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion"       "<BIOS version>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate"   "<BIOS date>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor"  <major from BIOS Revision>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor"  <minor from BIOS Revision>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" <major from Firmware Revision>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" <minor from Firmware Revision>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor"      "<vendor>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct"     "<product>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion"     "<hw version>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial"      "<S/N>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU"         "Not Specified"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily"      "<hw family>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid"        "<UUID>"
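The same procedure, automated. This is an added example, not the post's own script and not the author's antivmdetection project: it parses the host's dmidecode output and prints the matching VBoxManage commands instead of running them, so the result can be reviewed (or piped into sh) and the parsing can be exercised on a machine without VirtualBox. The VM name "lab" and all DMI values in the sample are constructed; the string: prefix rule, the <EMPTY> marker and the integer Major/Minor keys follow VirtualBox's documented behaviour for the pcbios device.

```shell
#!/bin/sh
# Print the VBoxManage commands that copy the host's DMI type 0/1 data into a guest.
# Added example; the VM name and DMI values are constructed, not from a real host.

# Constructed sample of `dmidecode -t 0 -t 1` output (indented with spaces here;
# real dmidecode indents with tabs, the parser accepts both).
SAMPLE_DMI='# dmidecode 2.12
SMBIOS 2.7 present.

Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
    Vendor: Dell Inc.
    Version: A16
    Release Date: 06/25/2013
    BIOS Revision: 1.2
    Firmware Revision: 3.4

Handle 0x0100, DMI type 1, 27 bytes
System Information
    Manufacturer: Dell Inc.
    Product Name: Latitude E6420
    Version: 01
    Serial Number: 1234567
    UUID: 4C4C4544-0031-3210-8043-C2C04F303030
    Wake-up Type: Power Switch
    SKU Number: Not Specified
    Family: Latitude'

# dmi_field SECTION FIELD TEXT: value of the "FIELD: ..." line inside the SECTION
# block. Scoped to the section because type 0 and type 1 both have a "Version" line.
dmi_field() {
    printf '%s\n' "$3" | awk -v sec="$1" -v key="$2" '
        BEGIN { k = key ": " }
        /^[A-Za-z]/ { insec = ($0 == sec); next }
        insec {
            sub(/^[ \t]+/, "")
            if (index($0, k) == 1) { print substr($0, length(k) + 1); exit }
        }'
}

# vbox_string VALUE: VirtualBox reads an all-digit extradata value as an integer,
# so a serial number like 1234567 has to be passed as "string:1234567"; an empty
# string is written as "<EMPTY>".
vbox_string() {
    case "$1" in
        '')       printf '<EMPTY>' ;;
        *[!0-9]*) printf '%s' "$1" ;;
        *)        printf 'string:%s' "$1" ;;
    esac
}

# emit_str / emit_int VM KEY VALUE: one setextradata line each. The Release/Firmware
# Major/Minor keys are integers and must not get the string: prefix.
emit_str() { printf 'VBoxManage setextradata "%s" "VBoxInternal/Devices/pcbios/0/Config/%s" "%s"\n' "$1" "$2" "$(vbox_string "$3")"; }
emit_int() { printf 'VBoxManage setextradata "%s" "VBoxInternal/Devices/pcbios/0/Config/%s" %s\n' "$1" "$2" "$3"; }

# dmi_commands VM TEXT: the complete command set for VM from dmidecode TEXT.
dmi_commands() {
    vm=$1; dmi=$2
    b="BIOS Information"; s="System Information"
    emit_str "$vm" DmiBIOSVendor      "$(dmi_field "$b" Vendor "$dmi")"
    emit_str "$vm" DmiBIOSVersion     "$(dmi_field "$b" Version "$dmi")"
    emit_str "$vm" DmiBIOSReleaseDate "$(dmi_field "$b" "Release Date" "$dmi")"
    # Revision lines are optional in SMBIOS; only emit them when the host has them.
    bios_rev=$(dmi_field "$b" "BIOS Revision" "$dmi")
    if [ -n "$bios_rev" ]; then
        emit_int "$vm" DmiBIOSReleaseMajor "${bios_rev%%.*}"
        emit_int "$vm" DmiBIOSReleaseMinor "${bios_rev#*.}"
    fi
    fw_rev=$(dmi_field "$b" "Firmware Revision" "$dmi")
    if [ -n "$fw_rev" ]; then
        emit_int "$vm" DmiBIOSFirmwareMajor "${fw_rev%%.*}"
        emit_int "$vm" DmiBIOSFirmwareMinor "${fw_rev#*.}"
    fi
    emit_str "$vm" DmiSystemVendor  "$(dmi_field "$s" Manufacturer "$dmi")"
    emit_str "$vm" DmiSystemProduct "$(dmi_field "$s" "Product Name" "$dmi")"
    emit_str "$vm" DmiSystemVersion "$(dmi_field "$s" Version "$dmi")"
    emit_str "$vm" DmiSystemSerial  "$(dmi_field "$s" "Serial Number" "$dmi")"
    emit_str "$vm" DmiSystemSKU     "$(dmi_field "$s" "SKU Number" "$dmi")"
    emit_str "$vm" DmiSystemFamily  "$(dmi_field "$s" Family "$dmi")"
    emit_str "$vm" DmiSystemUuid    "$(dmi_field "$s" UUID "$dmi")"
}

# On a real host (as root, VM powered off): dmi_commands "<vm name>" "$(dmidecode -t 0 -t 1)" | sh
# Here the constructed sample is used so the script runs anywhere:
dmi_commands lab "$SAMPLE_DMI"
```

Pipe the output through `sh` only after reading it; with a guest that boots via EFI, replace pcbios with efi in the emitted keys, and check the result afterwards with `VBoxManage getextradata "<vm name>" enumerate`.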


Also:
  • Change the MAC address (N is the adapter number; the MAC is given as 12 hex digits without separators, and it should not start with 080027, VirtualBox's own OUI):
    VBoxManage modifyvm "<vm name>" --macaddress<N> <MAC>
  • Change the disk settings (these keys are for a disk on the IDE controller; for a SATA disk use VBoxInternal/Devices/ahci/0/Config/Port0/ in place of the piix3ide/0/Config/PrimaryMaster/ path):
    VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber"     "<serial>"
    VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/FirmwareRevision" "<firmware>"
    VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber"      "<model>"
  • Detach the CD-ROM (or change its identity with the ATAPIVendorId, ATAPIProductId and ATAPIRevision keys under the same piix3ide path, e.g. SecondaryMaster)
  • Don't install the Guest Additions! They add drivers, services and registry keys that are trivial to spot.
Use VBoxManage getextradata "<vm name>" enumerate to review your settings.
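The MAC and disk steps, automated in the same way. This is an added example and not part of the original post or the author's project: it normalizes a MAC to the form VBoxManage expects and refuses the VirtualBox OUI, and it picks the right extradata path (piix3ide vs. ahci) from the storage controller type reported by `VBoxManage showvminfo <vm> --machinereadable`. The VM name, the showvminfo excerpt and the disk identity strings are constructed; only the first disk on storage controller 0 is handled.

```shell
#!/bin/sh
# Hide the remaining VirtualBox give-aways the post lists: the 08:00:27 MAC OUI
# and the default disk identity. Commands are printed for review, not executed.
# Added example; VM name, showvminfo excerpt and identity strings are constructed.

# Constructed excerpt of `VBoxManage showvminfo lab --machinereadable` for a
# guest with one SATA disk.
SAMPLE_VMINFO='name="lab"
macaddress1="080027C0FFEE"
storagecontrollername0="SATA"
storagecontrollertype0="IntelAhci"
"SATA-0-0"="/vms/lab/lab.vdi"
"SATA-1-0"="emptydrive"'

# mac_for_vbox MAC: accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455
# and return the separator-free upper-case form that --macaddressN expects.
# Rejects VirtualBox's own OUI (08:00:27), which is exactly what a VM-aware
# sample looks for, and multicast addresses (odd first octet), which
# VirtualBox refuses anyway.
mac_for_vbox() {
    m=$(printf '%s' "$1" | sed 's/[:-]//g' | tr 'abcdef' 'ABCDEF')
    case "$m" in
        080027*)             echo "refusing VirtualBox OUI 08:00:27: $1" >&2; return 1 ;;
        [0-9A-F][13579BDF]*) echo "multicast MAC not allowed: $1" >&2; return 1 ;;
    esac
    case "$m" in
        ''|*[!0-9A-F]*) echo "not a MAC: $1" >&2; return 1 ;;
    esac
    [ ${#m} -eq 12 ] || { echo "not a MAC: $1" >&2; return 1; }
    printf '%s' "$m"
}

# nic_command VM N MAC: the modifyvm line, or nothing and a non-zero status.
nic_command() {
    mac=$(mac_for_vbox "$3") || return 1
    printf 'VBoxManage modifyvm "%s" --macaddress%s %s\n' "$1" "$2" "$mac"
}

# disk_vpd_commands VM VMINFO MODEL SERIAL FIRMWARE: the three setextradata
# lines for the first disk on storage controller 0. IDE controllers (PIIX3,
# PIIX4, ICH6) live under the piix3ide device with PrimaryMaster etc.; SATA
# lives under ahci with Port0..PortN.
disk_vpd_commands() {
    vm=$1; info=$2; model=$3; serial=$4; fw=$5
    ctype=$(printf '%s\n' "$info" | sed -n 's/^storagecontrollertype0="\(.*\)"$/\1/p')
    case "$ctype" in
        IntelAhci)        dev="ahci/0/Config/Port0" ;;
        PIIX3|PIIX4|ICH6) dev="piix3ide/0/Config/PrimaryMaster" ;;
        *) echo "controller 0 is '$ctype', not IDE or SATA; not handled here" >&2; return 1 ;;
    esac
    for pair in "ModelNumber=$model" "SerialNumber=$serial" "FirmwareRevision=$fw"; do
        val=${pair#*=}
        # All-digit values need the string: prefix or VirtualBox reads them as integers.
        case "$val" in ''|*[!0-9]*) ;; *) val="string:$val" ;; esac
        printf 'VBoxManage setextradata "%s" "VBoxInternal/Devices/%s/%s" "%s"\n' \
            "$vm" "$dev" "${pair%%=*}" "$val"
    done
}

# Constructed values; on a real host take them from `lshw`/`hdparm -I` or `ip link`.
nic_command lab 1 "a4:5e:60:12:34:56"
disk_vpd_commands lab "$SAMPLE_VMINFO" "ST1000LM024 HN-M101MBB" "S2R5J9DC123456" "2AR10001"
```

Feed a real `showvminfo --machinereadable` dump in place of SAMPLE_VMINFO; for a second disk, change Port0 (or PrimaryMaster) accordingly.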

/Micke

Update 1:

Untested, but might be useful. It ties the guest TSC to actual guest execution, so time spent in the hypervisor does not show up in rdtsc-based timing checks:
VBoxManage setextradata "<vm name>" "VBoxInternal/TM/TSCTiedToExecution" 1


11 comments:

  1. Good info, but you are missing some parameters:

    http://www.virtualbox.org/manual/ch09.html#changedmi

    Replies
    1. Hi, you are correct. I have not updated the blog post in a while, which I might have to do. The missing settings, I guess, were added in a newer version. It seems like as time progresses more values can be populated from the host to the guest, which is great. Thanks for your comment!

  2. Hello Mikael,

    I have tried the changes but the virtual machine does not seem to get them, even though they have been correctly applied (checked with enumerate).

    Any idea?

    The vm is a windows xp sp3.

    Thanks for your time

    Replies
    1. Hi Janus,

      Sorry for my late reply. Which version of VBox are you using?

    2. I am having the same issue. Ubuntu 13.04 host running Windows XP SP2 inside of VirtualBox 4.2.10. I run the setextradata command to change the vendor and version for DMI Type 0, and when I run dmidecode in the XP guest, the BIOS info still shows innotek GmbH and VirtualBox for the vendor and version.

    3. Hi,
      I will post an update regarding how to modify VBox, give me a few days to finish it. The setup is the same as the one you describe so hopefully your issue will be resolved.
      Otherwise please let me know!

      /Micke

  3. Thanks for a nice tutorial (and all-over top-notch blog entries)!

    //B. September

  4. Does not work in VirtualBox 4.3.28, Ubuntu 14.0.2

  5. enumerate shows values when queried with VBoxManage, but inside the machine, dmidecode shows default values

    # dmidecode 2.12
    SMBIOS 2.5 present.

    Handle 0x0000, DMI type 0, 20 bytes
    BIOS Information
            Vendor: innotek GmbH
            Version: VirtualBox
            Release Date: 12/01/2006
            Address: 0xE0000
            Runtime Size: 128 kB
            ROM Size: 128 kB
            Characteristics:
                    ISA is supported
                    PCI is supported
                    Boot from CD is supported
                    Selectable boot is supported
                    8042 keyboard services are supported (int 9h)
                    CGA/mono video services are supported (int 10h)
                    ACPI is supported

    From enumerate:

    Key: GUI/LastNormalWindowPosition, Value: 392,25,1204,841
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor, Value: 3
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor, Value: 4
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate, Value: 06/25/2013
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor, Value: 1
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor, Value: 2
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor, Value: Dell Inc.
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion, Value: string:Version A16

  6. Hi,

    The latest version of the script is available on GitHub, please try that one and please apply the settings before the first boot of the VM. If you don't get it to work please let me know.

    https://github.com/nsmfoo/antivmdetection

    Regards
    Mikael @nsmfoo
