2

CPUID is an instruction that identifies CPU type and features.

Has there ever been a case of either targeting or the opposite - ignoring of specific CPUIDs by malware in the wild?

forest
Sir Muffington
  • Small nitpick, but CPUID is an instruction that can return quite a bit of information about a CPU depending on the contents of certain registers at the time the instruction is executed. It used to supply a serial number, but not anymore. Now it just gives the general type of the CPU and some features. – forest Mar 22 '22 at 20:56
  • @forest great point, feel free to edit the question – Sir Muffington Mar 22 '22 at 20:59

1 Answer

2

Yes, malware sometimes does check CPUID. Reverse engineering of malware has found the use of CPUID as a form of execution guardrails, a technique used by malware to determine whether or not a machine should be targeted. By looking for signs that it is running in a virtual machine (Xen, for example, uses the ASCII string XenVMMXenVMM, exposed via CPUID), malware can attempt to evade reverse engineering or analysis by either refusing to execute, refusing to download a second-stage payload, or confusing the analyst by performing dummy actions unrelated to its real purpose.

forest
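As an added illustration of the answer's point (this is not code from the original post or its author): a small C program a sandbox operator can compile inside an analysis VM to see exactly what CPUID reports to a guest, namely the hypervisor-present bit in leaf 1 (ECX bit 31) and the 12-byte vendor signature in leaf 0x40000000 that carries Xen's XenVMMXenVMM string. Checking this from the guest side tells you what a sample like the one described would see. It assumes x86 Linux with GCC or Clang's `<cpuid.h>`; only the Xen string comes from the post, the other entries in the vendor table are the documented signatures of other common hypervisors.

```c
/* Added example, not from the original post: read the CPUID hypervisor
 * leaves a guardrailed sample would consult, so an analyst can verify
 * what their sandbox exposes. Assumes x86 Linux, GCC or Clang. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* Leaf 1, ECX bit 31: the "hypervisor present" bit; reserved as 0 on bare metal. */
#define CPUID_HV_PRESENT_BIT (1u << 31)
/* Leaf 0x40000000: hypervisor information; EBX:ECX:EDX hold a 12-byte vendor string. */
#define CPUID_HV_LEAF 0x40000000u

/* Decode the vendor signature from the three registers, low byte first,
 * into a NUL-terminated 12-character string. */
void decode_hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int b = 0; b < 4; b++)
            out[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xffu);
    out[12] = '\0';
}

/* Map a signature to a hypervisor name. The Xen string is the one named in the
 * answer; the others are the documented signatures of their hypervisors. */
const char *classify_hv_vendor(const char *sig) {
    static const struct { const char *sig; const char *name; } table[] = {
        { "XenVMMXenVMM", "Xen"        },
        { "KVMKVMKVM",    "KVM"        },   /* padded with NULs to 12 bytes */
        { "VMwareVMware", "VMware"     },
        { "Microsoft Hv", "Hyper-V"    },
        { "VBoxVBoxVBox", "VirtualBox" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strncmp(sig, table[i].sig, 12) == 0)
            return table[i].name;
    return sig[0] ? "unknown hypervisor" : "none";
}

/* Live query. Returns 1 if the hypervisor-present bit is set (sig receives the
 * vendor string), 0 if it is clear (sig is empty), -1 if CPUID is unavailable. */
int query_hypervisor(char sig[13]) {
    sig[0] = '\0';
#if HAVE_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    if (!(ecx & CPUID_HV_PRESENT_BIT))
        return 0;
    /* The 0x40000000 leaf is only meaningful once the present bit is set;
     * __cpuid is used directly because __get_cpuid rejects non-basic leaves. */
    __cpuid(CPUID_HV_LEAF, eax, ebx, ecx, edx);
    decode_hv_vendor(ebx, ecx, edx, sig);
    return 1;
#else
    return -1;
#endif
}

int main(void) {
    char sig[13];
    int r = query_hypervisor(sig);
    if (r < 0) {
        puts("CPUID not available on this architecture");
        return 1;
    }
    printf("hypervisor-present bit: %d\n", r);
    printf("vendor signature: \"%s\" -> %s\n", sig, classify_hv_vendor(sig));
    return 0;
}
```

Run it on the host and inside the analysis VM and compare: a difference in either line is exactly the signal the answer says a guardrailed sample keys on. Note that a clear present bit only means this particular check passes; as the comments below point out, CPUID is one of many VM indicators.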
  • Aha, so the bad boy Stuxnet used this and beyond as well. Fascinating. Any blue team approach recommended? – Sir Muffington Mar 22 '22 at 20:40
  • @SirMuffington An approach to do what? To fool the malware into thinking that it should run in a VM so that it can be analyzed more easily? – forest Mar 22 '22 at 20:40
  • Actually, the exact opposite: to fool the malware into thinking it's running on bare metal. Not like the malware can really check whether it's running on a genuine CPU if you fake the CPUID, right? – Sir Muffington Mar 22 '22 at 20:43
  • That's what I meant (to fool the malware into thinking it's a VM). And although you can fake CPUID pretty easily as it's one of the few instructions that can be trapped on vmexit, there are many ways to detect the presence of a virtual machine. There are simple ways to try to hide the existence of the VM like this, and there are more complex ways that require modifying the hypervisor code itself. It's fundamentally very difficult to completely hide the existence of a virtual machine, no matter how hard you try. – forest Mar 22 '22 at 20:44