
The Method And Implementation For Preventing Virtual Environment Detection Based On Performance Comparison

Posted on: 2012-03-04
Degree: Master
Type: Thesis
Country: China
Candidate: L Wei
Full Text: PDF
GTID: 2218330368487870
Subject: Computer application technology
Abstract/Summary:
The computer industry is more prosperous than ever, and the Internet no longer merely provides network services: it makes our life, study and work far more convenient than before. Yet technical progress does not bring only good things. Viruses, Trojan horses, worms and adware, all forms of malware, flood the Internet, and malware now carries many kinds of features designed to render security software ineffective. The damage this causes to our lives is enormous. We must understand the principles and effects of new malware and find out how to defeat it.

To do so, security personnel have to obtain the execution path of a malware sample, work out how to defeat it and apply that knowledge in security products. To protect their own computers, they must execute unknown malware in virtual environments. More and more malware, however, can detect the presence of a virtual environment; when it does, the sample changes its execution path and the analysis can no longer be carried out. Detection of VMware can be realised by different methods based on different principles, and thanks to the efforts of security personnel these traditional methods are now ineffective.

No effective countermeasure, however, has been designed for the newly proposed method of virtual environment detection based on performance comparison. This method first gathers statistics on the time consumed by instruction execution in a real OS as a baseline, then compares that baseline with the time the same work takes in the present OS. Nobody has yet claimed to be able to solve this problem.

In this paper we propose a new method to defeat malware that uses this kind of virtual environment detection. We developed a plug-in for IDA (Interactive Disassembler Professional) running inside VMware Workstation to accomplish our goal. We use an effective algorithm to scan the malware sample to verify its type. We then modify the value of the register the malware uses to store the detection result, without interrupting execution of the sample, so that dynamic analysis can continue in IDA without exposing VMware. To test the effectiveness and efficiency of our method, we ran an experiment in IDA using two malware samples and obtained very satisfactory results.
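The two steps the abstract describes, the timing comparison against a real-hardware baseline and the analyst-side rewrite of the register holding the verdict, modelled as an added example (not the thesis's plug-in; all cycle counts are constructed and the register name is illustrative):

```python
"""Added example, not code from the thesis: a model of timing-based
virtual environment detection and of the analyst's countermeasure
(rewriting the result register so execution continues unhalted)."""
from statistics import mean, stdev

# Constructed baseline: cycle counts for one timed instruction sequence
# measured on real hardware (the "baseline" statistics in the abstract).
BASELINE_CYCLES = [110, 112, 108, 115, 111, 109, 113, 110]

# Constructed observations on the system under analysis: one set that
# looks native, one inflated the way hypervisor traps inflate timings.
NATIVE_SAMPLES = [112, 109, 114, 111, 110, 113]
INFLATED_SAMPLES = [880, 910, 870, 905, 890, 915]


def timing_verdict(samples, baseline=BASELINE_CYCLES, sigma=4.0):
    """Performance comparison step: 1 ("virtualised") when the observed
    mean lies more than `sigma` standard deviations above the baseline
    mean, else 0. The threshold is an assumption of this example."""
    mu, sd = mean(baseline), stdev(baseline)
    return 1 if mean(samples) > mu + sigma * sd else 0


def run_sample(samples, regs):
    """Simulated sample step: the check stores its verdict in EAX
    (illustrative register) and the code would branch on it next."""
    regs["eax"] = timing_verdict(samples)
    return regs


def analyst_hook(regs, result_reg="eax"):
    """Simulated plug-in action: once the verdict is written, overwrite
    the result register so the sample follows its non-virtualised path.
    The original verdict is kept for the analyst's notes."""
    patched = dict(regs)
    patched["patched_from"] = regs[result_reg]
    patched[result_reg] = 0
    return patched


def analyse(samples, hook=True):
    """Run the check with or without the hook; return outcome and state."""
    regs = run_sample(samples, {"eax": None})
    if hook:
        regs = analyst_hook(regs)
    outcome = "vm_detected" if regs["eax"] else "continues_analysis"
    return outcome, regs
```

With the hook disabled, inflated timings end the analysis; with it enabled the same sample continues while the hook records that the check had fired.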
Keywords/Search Tags:Malware analysis, Virtual environment detection, Performance comparison, IDA plugin, Disassembling