
Malware figures out it's running on VMs and refuses to execute


Batu69


If a PC has just a couple of Word files, crooks figure it's a White-Hat's attack machine

Malware writers are looking for the absence of documents to figure out which PCs are potential victims and which are virtual machines being used by white hats.

SentinelOne senior researcher Caleb Fenton found the novel technique while attempting to coax the malware into activating so it could be analysed.


The worm he was working on refused to budge, however, as Fenton's virtual machine showed no evidence of having opened any Word documents.

"Most users, unless they just installed Word, are going to have opened more than two documents," Fenton says.


"However, on a testing virtual machine, the software is normally not 'broken in'.

"If malware can be smart enough to know when it's being tested in a virtual machine, it can avoid doing anything suspicious or malicious and thereby increase the time it takes to be detected."


The malware also borrows a trick seen in other families: it looks up the public IP address of the machine it has landed on and checks whether that address belongs to a security vendor or a sandbox provider, going quiet if it gets a hit.


Researchers will restore their virtual machines to an earlier fresh state whenever new malware is analysed. This makes it highly likely that word processors will have no history of opening documents should malware check.


On a machine that does have a document history, the macro activates and downloads the payload that infects the victim.


Article source

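The two sandbox tests the article describes, written up as an analyst-side self-check rather than as malware. This is an added example, not code from the article, from SentinelOne, or from the sample Fenton analysed: run it on a freshly restored analysis VM to see whether a macro using these heuristics would refuse to detonate, and use the seeding helper to give Word a plausible document history before the next run. Two things are assumptions of mine and not stated on the page: that Word's recent-document list lives in the registry under `HKCU\Software\Microsoft\Office\<version>\Word\File MRU` as values `Item 1`..`Item N` of the form `[F00000000][T<16 hex digits>][O00000000]*<path>` (the `T` field being a Windows FILETIME), and the "vendor" IP range, which is a constructed stand-in (a documentation prefix), as is every sample MRU value.

```python
"""Self-check mirroring the article's two sandbox tests (added example, not the page's code).

Assumptions (mine, not from the article):
  * Word's File MRU values look like
      [F00000000][T01D3C0FFEE000000][O00000000]*C:\\Users\\me\\report.docx
    where the [T...] field is a 64-bit Windows FILETIME in hex
    (100 ns ticks since 1601-01-01 UTC).
  * VENDOR_NETS and the SAMPLE_* values below are constructed for the demo.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

MRU_RE = re.compile(
    r"^\[F[0-9A-Fa-f]{8}\]\[T([0-9A-Fa-f]{16})\]\[O[0-9A-Fa-f]{8}\]\*(.+)$"
)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MIN_RECENT_DOCS = 3  # "more than two documents", per Fenton's quote in the article

# Constructed stand-in for a security vendor's public range (RFC 5737 TEST-NET-2).
VENDOR_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed File MRU contents of a freshly restored VM: one real entry plus junk.
SAMPLE_FRESH_VM = [
    r"[F00000000][T01D1EBD3A4F2B800][O00000000]*C:\Users\analyst\Desktop\sample.docm",
    "not an mru entry",
]


def parse_mru(value):
    """Return (opened_at, path) for one File MRU value, or None if it is malformed."""
    m = MRU_RE.match(value)
    if not m:
        return None
    ticks = int(m.group(1), 16)  # 100 ns intervals since 1601-01-01
    opened = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return opened, m.group(2)


def recent_doc_count(values):
    """Number of well-formed entries, i.e. what a RecentFiles-style count would see."""
    return sum(1 for v in values if parse_mru(v) is not None)


def ip_in_vendor_space(ip, vendor_nets):
    """True if the public IP falls inside any of the given vendor/sandbox prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in vendor_nets)


def looks_like_analysis_vm(mru_values, public_ip, vendor_nets):
    """Return the list of reasons the article's checks would flag this box; empty = passes."""
    reasons = []
    n = recent_doc_count(mru_values)
    if n < MIN_RECENT_DOCS:
        reasons.append(f"only {n} recent Word documents")
    if ip_in_vendor_space(public_ip, vendor_nets):
        reasons.append(f"public IP {public_ip} is in a vendor/sandbox range")
    return reasons


def make_seed_entries(paths, start):
    """Build File MRU values, one per path and a day apart, to 'break in' a fresh VM.

    Integer arithmetic is used for the FILETIME so the value round-trips exactly
    through parse_mru (a float conversion would lose precision at ~1e17 ticks).
    """
    out = []
    for i, path in enumerate(paths):
        delta = (start + timedelta(days=i)) - FILETIME_EPOCH
        ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
        out.append(f"[F00000000][T{ticks:016X}][O00000000]*{path}")
    return out


if __name__ == "__main__":
    print("fresh VM:", looks_like_analysis_vm(SAMPLE_FRESH_VM, "198.51.100.7", VENDOR_NETS))
    seeded = make_seed_entries(
        [r"C:\Users\analyst\Documents\budget.docx",
         r"C:\Users\analyst\Documents\minutes.docx",
         r"C:\Users\analyst\Downloads\invoice.docx"],
        datetime(2016, 8, 1, 9, 30, tzinfo=timezone.utc),
    )
    print("seeded VM:", looks_like_analysis_vm(seeded, "203.0.113.5", VENDOR_NETS))
```

On a real VM the `make_seed_entries` output would be written under the assumed File MRU key (and the public IP sanity-checked against your own egress), after which `looks_like_analysis_vm` should return an empty list; the script itself touches no registry, so it runs anywhere.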
2 hours ago, Batu69 said:

The worm he was working on refused to budge, however, as Fenton's virtual machine showed no evidence of having opened any Word documents.

"Most users, unless they just installed Word, are going to have opened more than two documents," Fenton says.


Where has this guy been? We discovered this, and I have posted information about it, five years ago. Some detect the lack of documents and others can plainly just detect the fact that it is a VM by looking for known VM-specific files, such as DLLs, that are loaded in memory. Using P2V from a machine that has been taken offline and scanned with multiple malware scanning engines to ensure it is clean, so that it shows as a normal machine, has not avoided the VM detection capabilities of most malware. In this same respect we also found that this can be used against the malware authors by not keeping any documents on the systems but forcing all of them to network storage and deleting any pointers in the registry periodically during the day to make it look like a VM. We also wrote a small program that would load VM DLLs into memory to trick the malware into thinking it was a VM. These aren't reasonable actions for most organizations to take but were natural research tests that were done based on our findings. When it comes to securing a system we leave no stone (or should I say byte) unturned.




13 minutes ago, straycat19 said:

Where has this guy been?


At least this Fenton guy has proof, websites, and contacts to back up that statement. :w00t: ...and you? What do you have?


15 minutes ago, straycat19 said:

We discovered this, and I have posted information about it, five years ago


Where has 'we' discovered it? Five years ago? Why did 'we' not report it to a security news portal?
