Menu
Malware is less concerned about virtual machines

Malware is less concerned about virtual machines

Symantec finds most malware doesn't quit if it runs on VM, which used to be a sign it was being analyzed

Many malicious software programs used to make a quick exit on virtual machines, a tactic designed to avoid a security check. But that isn't the case anymore, according Symantec research.

As companies increasingly use VMs in operational environments, malware writers are largely trying other methods to avoid detection. It means that simply running VMs won't be enough to scare away malware.

Symantec studied 200,000 malware samples submitted by its customers since 2012. It ran the samples on a VM and a non-VM machine to see which ones would stop working when a VM was detected.

Just 18 percent of malware programs studied stop executing when a VM is detected, wrote Candid Wueest, a threat researcher, in a blog post Tuesday.

"Malware authors want to compromise as many systems as possible, so if malware does not run on a VM, it limits the number of computers it could compromise," Wueest wrote. "So, it should not come as a surprise that most samples today will run normally on a virtual machine."

One trick employed by malware to avoid being booted from a VM by security software is to simply wait, Symantec's report said.

If a new file doesn't act suspicious in the first five or ten minutes, systems will likely decided it is harmless. Other types of malware will wait for a certain number of left mouse clicks before decrypting themselves and launching their payload, Wueest wrote.

"This can make it difficult or impossible for an automated system to come to an accurate conclusion about the malware in a short time frame," according to the report.

The fear is that malware will make its way back to the virtual machines' hosting server. That was the mission of the "Crisis" malware, a Java file distributed through social engineering which ran on Windows and Apple's OS X.

Crisis tried to spread to virtual machines that were stored on a local server, Symantec wrote. It didn't exploit a vulnerability but capitalized on virtual systems simply being a series of files on a host server. A similar style of attack called "Cloudburst" was found in 2009.

Overall, the change in tactics is better for security researchers, since most malware will continue to run and might be detected on a VM. But Symantec advised that to not miss the 18 percent of malware that will quit, real physical hardware should be used in analyses.

For those concerned about VMs, Symantec recommended hardening host servers, vigilant patching of VMs and using antimalware defenses.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags symantecsecuritymalware

Featured

Slideshows

Reseller News launches inaugural Hall of Fame lunch

Reseller News launches inaugural Hall of Fame lunch

Reseller News welcomed 2015 and 2016 inductees - Darryl Swann, Dave Rosenberg, Gary Bigwood, Keith Watson, Mike Hill and Scott Green - to the inaugural Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed how the channel can collectively work together to benefit New Zealand, the Kiwi skills shortage and the future of the industry. Photos by Maria Stefina.

Reseller News launches inaugural Hall of Fame lunch
Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Show Comments