enables analysts to execute and analyze malware on Bare Metal machines. What is Bare Metal and why does it matter? No, it is not the cool Bare Metal hot rod above, but it has a similar performance!
Dynamic malware analysis systems (so-called sandboxes) execute malware samples on a segregated machine and capture the runtime of the behavior. Sandbox vendors use different types of analysis machines:
Virtual Machines (VMs) are the most common. They run inside VirtualBox
- the top four virtualization solutions. VMs typically run on hardware with hardware virtualization. Hardware virtualization helps to run multiple operating systems efficient and secure on the same physical machine. Although a VM can run hardware virtualized it is not equal to Bare Metal.
Qemu (Full System Emulation)
is a machine emulator. The hardware has been fully implemented in software, including the CPU, disk, video card etc.
Bare Metal is referring to using a physical device for analysis, e.g. a laptop or PC directly purchased from the local hardware store.
Bare Metal is King
So does it matter if a malware is executed on a VM, Qemu or Bare Metal? It does a lot! The "normal" execution environment of malware is always on Bare Metal. Your employee laptop does not run on a VM or Qemu. Malware exploits that fact by checking if it is running on Bare Metal. If it is not running on Bare Metal it simply does not show any malicious behavior. As a result, the sandbox will not detect any malicious activities, plus will wrongly classify the file as clean:
How difficult is it for malware to detect a VM or Qemu? Very simple. How hard is it to make a VM or Qemu look like a Bare Metal machine? Practically not feasible. There are scripts
around to remove some of the vendor brands and strings, however, that is just the tip of the iceberg.
To prove that let us execute the tool HWInfo
(displays the hardware configuration of the machine) both on a KVM virtual machine, and a Bare Metal machine:
The full HWInfo report on KVM is available here
We have summarized some of the outliers below:
As you see there are many differences. The table just lists some outliers for hardware devices. However, malware could also check and compare the performance of the machines, e.g. the GPU.
Again, there are big differences. And again, making the KVM VM equal to Bare Metal is practically not feasible.
Joe Sandbox, no restriction for Bare Metal analysis
Joe Sandbox does not restrict you to analyze malware on a particular virtualization solution or device. You are free to choose on which kind of machine to analyze:
- Modern Bare Metal Laptop
- Modern Bare Metal PC
- Mac Mini
- Mac Book Pro
- Bare Metal Android Phone (e.g. Motorola G3)
If you use Bare Metal machines you leave malware no chance for detection. Detection techniques which are successful for KVM, VirtualBox, VMware, Xen and Qemu will fail since the malware is executed on a real device. So if you already have a sandbox or are looking to get one, then ask yourself: is Bare Metal analysis supported? Or is the sandbox solely based on KVM, VirtualBox, Qemu or Xen?
Golden Image - Golden Hardware
With Joe Sandbox you are not only free to choose the target analysis machine but also the operating system, its configuration and installed applications. Again there is no restriction, you can install any software.
With Joe Sandbox you get the ability to analyze malware on a Golden Image on Golden Hardware!
Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic
or contact us for an in-depth technical demo!