Tuesday, August 18, 2009

Web pages Detecting Virtualized Browsers and other tricks

The ability of a Web page to detect whether a browser is running inside a virtualized environment has a number of interesting applications. Malware distributors could serve their payload only to likely victims and avoid analysis by detection engines. One super simple way to do so is by checking the screen dimensions (1024×768, 1440×900, etc.) using JavaScript. For example, in windowed (not full screen) VMWare, the nonstandard pixel width and height of the viewer’s screen is a dead giveaway of virtualization. To see for yourself, view this page in VMWare, resize the outer window, and click the button below. You might get something weird like 1070x676. See screenshot.

<input type="button" value="Show screen resolution" onclick="alert('Your resolution is ' + screen.width + 'x' + screen.height);">

The limitation is that malware detection engines, like those run by the anti-malware firms, Google, and Microsoft, probably operate with standard resolution settings or in headless full-screen mode. Does anyone know whether a virtualized browser with no display still has a DOM screen property? I'm sure it probably does, but is the default full-screen mode? Even so, this trick might be just enough for nefarious search engine optimizers (SEOs) to tell whether sentient insiders at major search engines or affiliate networks are snooping around. They’d be able to dynamically remove telltale signs of cheating, like cookie-stuffing and cloaking, that get them banned.
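The same check, turned around for the people running the analysis VMs: an added example (not code from the original post) that reports whether the screen the browser sees looks like a real monitor or like a hand-resized VM console, so a sandbox operator can audit their own image for this giveaway. It returns a report instead of calling alert(), so it runs both in a browser (pass window.screen) and under Node, where a constructed 1070x676 sample stands in for the real screen. The list of common resolutions is an assumption for illustration, not something the post provides.

```javascript
// Added example (not from the original post): flags the "non-standard
// resolution" giveaway so an analysis VM can be checked for it.
// The set of "common" physical resolutions below is an illustrative assumption.
const COMMON_RESOLUTIONS = new Set([
  '800x600', '1024x768', '1280x800', '1280x1024', '1366x768',
  '1440x900', '1600x900', '1680x1050', '1920x1080', '1920x1200', '2560x1440',
]);

// Takes any object shaped like the DOM `screen` (width/height) and returns
// a report rather than alerting, so it can run headless as well.
function screenReport(scr) {
  const w = Number(scr && scr.width);
  const h = Number(scr && scr.height);
  if (!Number.isInteger(w) || !Number.isInteger(h) || w <= 0 || h <= 0) {
    // A missing or zero-sized screen object is itself unusual for a desktop user.
    return { resolution: null, suspicious: true, reason: 'no usable screen object (headless?)' };
  }
  const key = `${w}x${h}`;
  if (COMMON_RESOLUTIONS.has(key)) {
    return { resolution: key, suspicious: false, reason: 'common desktop resolution' };
  }
  // Odd sizes such as 1070x676 appear when a VM console window is resized by hand.
  return { resolution: key, suspicious: true, reason: 'not in the common-resolution list' };
}

// In a browser call screenReport(window.screen); under Node there is no
// `screen`, so a constructed sample reproduces the 1070x676 case from the post.
const sample = typeof screen !== 'undefined' ? screen : { width: 1070, height: 676 };
console.log(JSON.stringify(screenReport(sample)));
```

If the report comes back suspicious on an analysis image, the fix on the defender's side is simply to run the guest at a resolution a real monitor would use.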

MAC Addresses are another way for a Web page to determine if a browser is being virtualized because they are unique identifiers assigned to network adapters. The first three of six octets represent a hardware manufacturer, which includes VMWare (00-0C-29, 00-1C-14, 00-50-56, etc). While there is no known way for JavaScript to access MAC addresses, grandpa’s Java Applets can. The “MAC Address Java Applet” by Tim Desjardins works great on Internet Explorer 6/7/8, Chrome, and Firefox on Windows XP. See screenshots.

OS X does not seem to be supported, but that could probably be remedied. All the browsers auto-loaded the applet except IE8, which requires user permission. I believe in most cases the automated malware detection engines running IE8 would explicitly grant permission to increase the odds of getting infected. It is also possible these guys spoof their MAC address, but I’m sure not everyone does so religiously. Another question is whether Flash, ActiveX, or Silverlight have ways to obtain MAC addresses without user permission.
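The OUI lookup the applet trick relies on, written out as an added example (not the applet's code and not from the original post) so an operator can check what the adapter exposed to a guest gives away. It normalizes the common MAC notations, compares the first three octets against the three VMware prefixes the post lists, and also reports whether the locally-administered bit is set, which marks an address assigned by software rather than a manufacturer. The sample addresses are constructed for the example.

```javascript
// Added example (not from the original post): normalizes a MAC address and
// checks its OUI (first three octets) against the VMware prefixes named above.
// The VMware prefixes come from the post; everything else is illustrative.
const VMWARE_OUIS = new Set(['000C29', '001C14', '005056']);

// Accepts 00-0C-29-..., 00:0c:29:..., Cisco-style 000c.29ab.cdef, or bare hex.
// Returns 12 upper-case hex digits, or null if the input is not a 48-bit address.
function normalizeMac(mac) {
  const hex = String(mac).replace(/[^0-9a-fA-F]/g, '').toUpperCase();
  return hex.length === 12 ? hex : null;
}

function macReport(mac) {
  const hex = normalizeMac(mac);
  if (hex === null) {
    return { valid: false, oui: null, vmware: false, locallyAdministered: false };
  }
  const oui = hex.slice(0, 6);
  // Bit 0x02 of the first octet is the locally-administered flag: set when the
  // address was chosen by software (spoofed or generated) rather than burned in.
  const firstOctet = parseInt(hex.slice(0, 2), 16);
  const locallyAdministered = (firstOctet & 0x02) !== 0;
  return { valid: true, oui, vmware: VMWARE_OUIS.has(oui), locallyAdministered };
}

// Constructed sample addresses (not real hosts).
const samples = [
  '00-0C-29-12-34-56',   // VMware OUI, hyphen notation
  '00:50:56:aa:bb:cc',   // VMware OUI, colon notation
  '0050.56ab.cdef',      // VMware OUI, Cisco notation
  '02-00-00-11-22-33',   // locally administered, no vendor OUI
  'garbage',             // not an address at all
];
for (const s of samples) console.log(s, '->', JSON.stringify(macReport(s)));
```

A guest whose adapter reports a hypervisor OUI, or a locally-administered address, is distinguishable from ordinary hardware by exactly this lookup, which is the reason the post suggests spoofing and why a spoofed value should still carry a plausible vendor prefix.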

Beyond virtualization there are yet more ways for the bad guys to differentiate between casual users and everyone else. Earlier this year Collin Jackson and I demonstrated Private Browsing Mode detection by leveraging the well-known CSS color history hack: if the URL of the current page is not “visited,” chances are a non-default security measure is blocking it. The CSS color history hack can also be combined with leaked Intranet hostnames, particularly those of Google, Yahoo, and Microsoft: hosts only insiders could have visited. And finally, if the client is using Firefox and JavaScript is disabled (detectable in a number of ways: CSS, noscript tags, the JS-enabled property, etc.), chances are the NoScript plug-in is the culprit. All of which are solid indications that the client is not the average user.

Happy Surfing!


Christian "@xntrik" Frichot said...

Wade Alcorn's BeEF has a module for VM detection in specific circumstances.

Pretty cool stuff.

size trick said...

Google images search uses this JavaScript to determine and then search for screen size images.

You can find this functionality here : http://images.google.com/advanced_image_search

Courtesy :