GCIH · Question #417

GCIH Question #417: Real Exam Question with Answer & Explanation

The correct answer is D: Public Web Server.

Malware Analysis & Advanced Persistent Threats

Question

An attacker designs malware to remain dormant when it detects a shifted interrupt descriptor table. On which of the following hosts would this malware remain dormant?

Exhibit

[Image: GCIH question #417 exhibit (network diagram, not reproduced)]

Options

  • A. Intranet Web Server
  • B. L3 Core Switch
  • C. Snort Sensor
  • D. Public Web Server

Explanation

The Public Web Server is the only answer option that is a virtual machine. If malware designed to go dormant when it detects a shifted interrupt descriptor table lands on the Public Web Server, a virtual machine, it will go dormant. This question is about Red Pill, which is used by code to detect that it is running on a VM guest (not on a host that has various VM guests on it). Because so many security researchers rely on VM guests to analyze malicious code, malware developers actively try to foil such analysis by detecting whether they are on a VM guest. If malicious code detects that it is on a VM guest, it can shut off some of its more powerful malicious functionality so that researchers cannot observe it and devise defenses. One approach is looking for VM artifacts in memory, the technique used by Joanna Rutkowska's Red Pill to look for a shifted Interrupt Descriptor Table, a critical data structure in the operating system (a similar technique is used by Tobias Klein's Scoopy tool to look for shifted Interrupt, Global, and Local Descriptor

Topics

#VM detection, #interrupt descriptor table, #anti-analysis, #malware evasion
