Web-based virtual machine detection with HTML5 features

Here's a quick and simple web-based heuristic to detect a virtual machine (not 100% accurate).

Observation 1

1.a A typical virtual machine configuration assigns a guest VM a single (HT) core. Clearly this is not 100% accurate, but in large-scale virtualization (as with sandboxing/research), it makes a lot of sense.

1.b A typical modern physical machine has multiple (HT) cores. I can't remember when I last saw a physical machine with a single core. Definitely not in the last 5 years.

Corollary: with high accuracy, a single (HT) core machine can be deemed a VM, while a multiple (HT) core machine can be deemed a physical box.

This is not a new finding. It has been pointed out by researchers and implemented by malware.

Observation 2

With HTML5, it is possible to obtain the number of (HT) cores via JavaScript, either natively, using HTML5's navigator.hardwareConcurrency (presently supported only by Chrome, Safari and Opera), or through the somewhat hacky and unconventional polyfill suggested by Eli Grey. The latter uses another, better-supported HTML5 feature: web workers.

Combining the two observations, we now have another way (perhaps not 100% accurate, but quite effective nevertheless) to easily detect a VM over the web with JavaScript, thanks to some new HTML5 features.
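
For sandbox operators, the check below shows how an analysis browser would be classified by the single-core heuristic above, and how the verdict changes once the reported core count is overridden. It is an added example, not code from the original post; the function names and sample profiles are hypothetical and constructed for illustration.

```javascript
// Added example for sandbox operators; all names here are hypothetical.

// Verdict the single-core heuristic above reaches for a navigator-like object.
function classifyByCoreCount(nav) {
  const n = nav ? nav.hardwareConcurrency : undefined;
  if (!Number.isInteger(n) || n < 1) {
    // Property absent (unsupported browser): the native path gives no answer.
    return { cores: null, verdict: "unknown" };
  }
  return { cores: n, verdict: n === 1 ? "vm" : "physical" };
}

// Shadow the reported value on a navigator-like object so the analysis
// browser reports a typical multi-core count. Returns both verdicts.
function maskCoreCount(nav, reported) {
  if (!Number.isInteger(reported) || reported < 2) {
    throw new RangeError("reported core count must be an integer >= 2");
  }
  const before = classifyByCoreCount(nav);
  Object.defineProperty(nav, "hardwareConcurrency", {
    get: () => reported,
    configurable: true,
    enumerable: true,
  });
  return { before, after: classifyByCoreCount(nav) };
}

// Constructed sample profiles (not captured from real machines).
const samples = {
  singleVcpuGuest: { hardwareConcurrency: 1 },
  quadCoreLaptop: { hardwareConcurrency: 4 },
  oldBrowser: {},
};

// Classify every sample profile; returns { profileName: verdict }.
function auditSamples() {
  const out = {};
  for (const [name, nav] of Object.entries(samples)) {
    out[name] = classifyByCoreCount(nav).verdict;
  }
  return out;
}
```

A worker-based estimate such as the polyfill mentioned above measures rather than reads this property, so a getter override does not affect it; assigning the guest more than one core covers both paths.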
