Explore Joe Security Cloud Basic Accounts Contact Us
top title background image

Joe Security's Blog

Bare Metal - Golden Hardware

Published on: 19.10.2017



 Joe Sandbox enables analysts to execute and analyze malware on Bare Metal machines. What is Bare Metal and why does it matter? No, it is not the cool Bare Metal hot rod above, but it has a similar performance!

Dynamic malware analysis systems (so-called sandboxes) execute malware samples on a segregated machine and capture the runtime of the behavior. Sandbox vendors use different types of analysis machines:

Virtual Machines

Virtual Machines (VMs) are the most common. They run inside VirtualBox, VMware, KVM or Xen - the top four virtualization solutions. VMs typically run on hardware with hardware virtualization. Hardware virtualization helps to run multiple operating systems efficient and secure on the same physical machine. Although a VM can run hardware virtualized it is not equal to Bare Metal.



Qemu (Full System Emulation)

 Qemu is a machine emulator. The hardware has been fully implemented in software, including the CPU, disk, video card etc.


Bare Metal 

 Bare Metal is referring to using a physical device for analysis, e.g. a laptop or PC directly purchased from the local hardware store.



Bare Metal is King

So does it matter if a malware is executed on a VM, Qemu or Bare Metal? It does a lot! The "normal" execution environment of malware is always on Bare Metal. Your employee laptop does not run on a VM or Qemu. Malware exploits that fact by checking if it is running on Bare Metal. If it is not running on Bare Metal it simply does not show any malicious behavior. As a result, the sandbox will not detect any malicious activities, plus will wrongly classify the file as clean:


How difficult is it for malware to detect a VM or Qemu? Very simple. How hard is it to make a VM or Qemu look like a Bare Metal machine? Practically not feasible. There are scripts around to remove some of the vendor brands and strings, however, that is just the tip of the iceberg.

To prove that let us execute the tool HWInfo (displays the hardware configuration of the machine) both on a KVM virtual machine, and a Bare Metal machine:

KVM

The full HWInfo report on KVM is available here.

Bare Metal


We have summarized some of the outliers below:



As you see there are many differences. The table just lists some outliers for hardware devices. However, malware could also check and compare the performance of the machines, e.g. the GPU.

 KVM

Bare Metal


Again, there are big differences. And again, making the KVM VM equal to Bare Metal is practically not feasible.

Joe Sandbox, no restriction for Bare Metal analysis

Joe Sandbox does not restrict you to analyze malware on a particular virtualization solution or device. You are free to choose on which kind of machine to analyze:

  • Modern Bare Metal Laptop
  • Modern Bare Metal PC
  • Mac Mini
  • Mac Book Pro
  • Bare Metal Android Phone (e.g. Motorola G3)
  • iPhone
If you use Bare Metal machines you leave malware no chance for detection. Detection techniques which are successful for KVM, VirtualBox, VMware, Xen and Qemu will fail since the malware is executed on a real device. So if you already have a sandbox or are looking to get one, then ask yourself: is Bare Metal analysis supported? Or is the sandbox solely based on KVM, VirtualBox, Qemu or Xen?

Golden Image - Golden Hardware


With Joe Sandbox you are not only free to choose the target analysis machine but also the operating system, its configuration and installed applications. Again there is no restriction, you can install any software. 


With Joe Sandbox you get the ability to analyze malware on a Golden Image on Golden Hardware!

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!