Researchers demonstrate how malware can detect its environment using the trap bit

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360

Recently, security researchers demonstrated how the use of the trap bit in x86 processors could inform running malware if it is running in a virtual environment or not. What is the purpose of the trap bit, how can it benefit malware, and what does this mean for future CPU hardware and virtualisation?

In the x86 CPU architecture, the trap bit is a special flag in the EFLAG register that raises an interrupt after completing a single instruction once the flag is set. For example, a piece of machine code would first set the trap flag, execute an instruction, and this would then trigger the CPU to execute a special interrupt that runs a subroutine.

While there is no specific purpose for the trap flag, it is convenient for debugging as it allows for code to be executed step-by-step. Furthermore, the interrupt allows for viewing the CPU contents, including registers, program counter, and stack pointer.

Recently, researchers from Palo Alto Networks demonstrated how the trap bit in x86 processors could be abused by malware to determine if the malware is being executed on a real computer or in a virtual machine. The cause of the exploit lies in how virtual machines emulate the behaviour of the trap flag. If a piece of malware sets the trap flag after executing certain special instructions such as RDTSC and CPUID, the CPU should return to the malware code with the trap bit cleared. While this is the case in real hardware, virtual machines may not catch this and return to the code with the trap bit still set.

The calling of a special instruction sees the CPU handle the interrupt, but if the trap bit is enabled on a basic instruction such as NOP, the malware can use its interrupt handler to detect this. Thus, if the malware interrupt handler is fired with the trap bit set, it knows it is running on a virtual machine. If no exception is thrown, then the malware knows that it is running on a real system.

One practical use of virtualisation is to test unknown code and applications to see how they behave. For example, an individual could find a USB flash drive lying around with no idea what is inside. While one could risk…