Hypervisor detection is a pillar of sandbox evasion. Hardware-assisted virtualization is indispensable for scalable dynamic malware analysis, yet compared with bare-metal machines every such solution introduces timing discrepancies that skilled malware authors can expose with low-level measurement sequences. Today the most advanced sandboxes counter these attempts by doctoring the values malware can read from classic time sources such as the TSC.
In this talk we show that this battle is far from over. Building on recent developments in microarchitectural research, we construct and exercise two novel hypervisor detection primitives that current anti-evasion approaches appear unable to handle. The first is a high-resolution covert time source: a dedicated counter thread that ticks as accurately as an unpatched TSC, often with even better resolution, while never issuing a time query that the sandbox could intercept or doctor. We revisit well-known detections from evasive malware and academic work using this new source. The second is a prime+probe attack on the last-level cache that detects the cache pollution left behind whenever the hypervisor's virtual machine monitor executes on behalf of the guest.
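The first primitive in working form, as an added example that is not the talk's own code: a counter thread replaces RDTSC in the classic CPUID timing check (CPUID always traps to the VMM under VT-x / AMD-V, so its latency reveals the exit). All function names, the 50 ms calibration sleep and the 1000 ns decision threshold are this example's own choices, not values from the talk; the threshold in particular must be calibrated on known hosts before it means anything. Build on Linux with `cc -O2 -pthread probe.c`.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Single writer (the counter thread), one reader: an aligned 64-bit store is
 * atomic on x86-64, and volatile stops the compiler from caching the value. */
static volatile uint64_t g_ticks;
static volatile int g_stop;
static pthread_t g_counter;

/* The covert clock: spin, publishing an ever-increasing value to memory. */
static void *counter_thread(void *unused) {
    (void)unused;
    for (uint64_t local = 0; !g_stop;)
        g_ticks = ++local;                 /* one tick per loop iteration */
    return NULL;
}
static int start_counter_thread(void) {
    g_stop = 0;
    return pthread_create(&g_counter, NULL, counter_thread, NULL);
}
static void stop_counter_thread(void) { g_stop = 1; pthread_join(g_counter, NULL); }

/* Ticks per microsecond while this thread sleeps.  The clock needs a spare
 * core: a single-vCPU sandbox starves it and this returns 0. */
static double calibrate_ticks_per_us(unsigned sleep_us) {
    uint64_t before = g_ticks;
    usleep(sleep_us);
    return (double)(g_ticks - before) / sleep_us;
}

/* Empty measurement: the cost of reading the clock twice. */
static void baseline_op(void) { __asm__ volatile("" ::: "memory"); }

/* CPUID unconditionally traps to the VMM under VT-x / AMD-V.  On non-x86
 * hosts there is nothing to trap, so the example falls back to the baseline. */
static void vm_exit_op(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    __cpuid(0, a, b, c, d);
    __asm__ volatile("" : : "r"(a), "r"(b), "r"(c), "r"(d) : "memory");
#else
    baseline_op();
#endif
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median ticks spent in one op() over `samples` runs; the median discards the
 * outliers that interrupts and preemption produce. */
static uint64_t median_ticks(void (*op)(void), size_t samples) {
    uint64_t *t = malloc(samples * sizeof *t);
    if (!t) return 0;
    for (size_t i = 0; i < samples; i++) {
        uint64_t start = g_ticks;
        op();
        t[i] = g_ticks - start;
    }
    qsort(t, samples, sizeof *t, cmp_u64);
    uint64_t median = t[samples / 2];
    free(t);
    return median;
}

struct probe_result { double ticks_per_us; uint64_t baseline, vm_exit; };

/* Whole probe: start the clock, calibrate it, time both ops, stop it.
 * Returns 0 on success, -1 if the clock could not be started or never ticked. */
static int run_timing_probe(size_t samples, struct probe_result *out) {
    if (start_counter_thread() != 0) return -1;
    out->ticks_per_us = calibrate_ticks_per_us(50000);   /* assumed 50 ms */
    out->baseline = median_ticks(baseline_op, samples);
    out->vm_exit = median_ticks(vm_exit_op, samples);
    stop_counter_thread();
    return out->ticks_per_us > 0 ? 0 : -1;
}

/* Approximate cost of one CPUID in nanoseconds, via the calibrated tick rate. */
static double vm_exit_cost_ns(const struct probe_result *r) {
    if (r->vm_exit <= r->baseline) return 0.0;
    return (double)(r->vm_exit - r->baseline) * 1000.0 / r->ticks_per_us;
}

/* Placeholder rule, not a threshold from the talk: a native CPUID costs well
 * under a microsecond, a VM exit plus its handling usually more. */
static int looks_virtualized(const struct probe_result *r, double threshold_ns) {
    return vm_exit_cost_ns(r) > threshold_ns;
}

int main(void) {
    struct probe_result r;
    if (run_timing_probe(4000, &r) != 0) return fputs("clock never ticked\n", stderr), 1;
    printf("%.0f ticks/us, baseline %llu, CPUID %llu ticks (~%.0f ns): %s\n",
           r.ticks_per_us, (unsigned long long)r.baseline, (unsigned long long)r.vm_exit,
           vm_exit_cost_ns(&r), looks_virtualized(&r, 1000.0) ? "hypervisor suspected" : "looks native");
    return 0;
}
```

From the sandbox's point of view the process never reads a time source: it only runs a busy thread and executes one CPUID many times, which is why doctoring RDTSC or alerting on time queries does not help. The obvious caveat is in `calibrate_ticks_per_us`: the clock only ticks while the probe runs if it owns a core of its own, so the measurement degrades to zero on a single-vCPU guest.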
Our investigation of real-world sandboxes showed that, while several classic timing evasions no longer work, a counter thread immediately brings them back to life without raising the alerts these sandboxes associate with time-query attempts. Microarchitectural attacks, moreover, do not appear to be on their radar at all, and may thus prove a promising addition to the malware toolbox.