Friday, April 10, 2009

Detecting VMware with JavaScript (or how to waste your time with pointless exercises)


So a thread on ethicalhacker.net discussed some JavaScript tricks that web exploit kits are using to screw with analysts looking at the malicious sites and js. Today most analysts will use a debugger or interpreter like Rhino or Malzilla. Well, the site authors are starting to add code to either cause the script to exit when run in one of the interpreters or to do more malicious stuff like delete files and such. [original article]

One of the questions asked was if it was possible, or currently being implemented by malware authors, to use JavaScript to detect if the browser was inside a virtual machine. Before I continue let me say that this is completely pointless from a malware perspective. Detecting the presence of a vm using client side JavaScript is just silly. Not hard to bypass. Just comment it out and move on. Now if this could be done server side then perhaps it might have value. Still pointless though.

Anyway I wondered if you could do it using JavaScript and so wasted way too much time on getting it to work. I guess you could do this in Java but regardless of how you do it the user will need to interact with your script to run it. If there is a way to bypass that requirement then let me know.

There are various methods out there for detecting vm's but for this example I figured I'd keep it simple and use the MAC address as an indicator. VMware has their own OUI for the MAC addresses that are dynamically generated when you install VMware Workstation. The OUI is different for VMware Player but I focused on Workstation. I figured that an ActiveX object would be the easiest way to go to determine the MAC and if it matched the OUI then to alert.

After fooling around a bit I came up with this:

</script language="javascript">
function vmDetect(){
var o = new ActiveXObject("WbemScripting.SWbemLocator");
var s = o.ConnectServer(strServer = ".");
var a = s.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration");
var e = new Enumerator(a);
var mac = [];
var regex = /(00:50:56).*/; //OUI of VMware's dynamically generated MAC address.

for (;!e.atEnd();e.moveNext()){ //Loop over Adapter properties.
var x = e.item();
if(x.MACAddress){
mac[mac.length] = x.MACAddress;
}
}
for (var i=0; i<mac.length; i++) {
if (mac[i].match(regex)) {
alert("ohnes! you're in a virtual machine");
exit();
}
}
}
</script>

Basically the script uses the ConnectServer method of the SWbemLocator object to get the SWbemServices ExecQuery method to return an object. In this case we are querying the Win32_NetworkAdapterConfiguration WMI class to return the properities of the network adapters on the system. Once we have these values we, quite unnecessarily, add the MACAddress values to an array and then iterate through the array alerting on the first string that matches the regular expression we created.

You don't really need the array. You could remove the array and just do:

if (x.MACAddress.match(regex)) {
alert("ohnes! you're in a virtual machine");
exit();
}

So yes, you can use JavaScript, or in my case bad JavaScript, to determine, at a basic level, if you're in a vm. But like I said. It's kinda pointless. :)

/dean
dean de beer

5 comments:

Julien Bernard said...

Hi,
This is not silly at all! In some organizations, you may have some policies forbidding installation and usage of virtual machines. Adding your code in the company's intranet front page can be used as one tool to detect such installations.

mszafran said...

You've missed a couple of the VM MAC ranges. They have:
"00-05-69"
"00-0C-29"
"00-50-56"

For a couple of other simple checks you can also see if there are any 'vmware' services running or vmtools installed.

Didn't I send you some .Net code a while back to do these?

dean de beer said...

@Julien Bernard,

Thanks, I use similar methods in some organizations for 3rd party software and plugins, etc... where I correlate the results between web-based malware/exploits and versions of software running to determine infected systems. Not ideal but great if the systems are unmanaged.

I really was only saying it was pointless from a malware authors perspective as it's done client-side and at that point does not have much value.

@mszafran, yea, I know. I'm lazy. :) I figured if anyone used it they could just add the remaining ones themselves. I really just wanted to see if JS could be used to detect vmware simply. I think I have the .NET snippets lying around somewhere. I'd forgotten about those. Thanks for the reminder. Cheers.

Anonymous said...

2dean de beer

hey, it can be some dumb question, i didnt quite understood the post :) *not native english speaker*

so u say that if i enter some site it can detect if im currently in vmware or not? is there 99% secure way to protect myself from detection? not only this kind of detection... :) and what other scripts webmaster can use to detect if visitors came from vmware? tnx

begueradj said...

Is the VM used to detect JS malware a Windows or Linux system ?