Virtual machine detection through Central Processing Unit (CPU) detail anomalies

Abstract

Malware analysts commonly use virtual machines to provide safe environments to study malware. Malware authors in response, include virtual machine detection functions in their malware so it changes its behavior should a virtual machine be detected. It is therefore important for researchers to continuously uncover new virtual machine detection methods that may be exploited by criminals. This thesis explores a method of virtual machine detection that looks for inconsistencies in the following Central Processing Unit (CPU) details: the CPU model, the number of physical cores, the number of logical cores and the cache capacities. Should inconsistencies be detected, a virtual machine is present. We explore our method in scenarios where all CPU cores are assigned to the test virtual machines to determine if inconsistencies exist. In our tests, many of the hypervisors tested possessed inconsistencies that could be used to deduce the presence of a virtual machine.