Menu
Malware is less concerned about virtual machines

Malware is less concerned about virtual machines

Symantec finds most malware doesn't quit if it runs on VM, which used to be a sign it was being analyzed

Many malicious software programs used to make a quick exit on virtual machines, a tactic designed to avoid a security check. But that isn't the case anymore, according Symantec research.

As companies increasingly use VMs in operational environments, malware writers are largely trying other methods to avoid detection. It means that simply running VMs won't be enough to scare away malware.

Symantec studied 200,000 malware samples submitted by its customers since 2012. It ran the samples on a VM and a non-VM machine to see which ones would stop working when a VM was detected.

Just 18 percent of malware programs studied stop executing when a VM is detected, wrote Candid Wueest, a threat researcher, in a blog post Tuesday.

"Malware authors want to compromise as many systems as possible, so if malware does not run on a VM, it limits the number of computers it could compromise," Wueest wrote. "So, it should not come as a surprise that most samples today will run normally on a virtual machine."

One trick employed by malware to avoid being booted from a VM by security software is to simply wait, Symantec's report said.

If a new file doesn't act suspicious in the first five or ten minutes, systems will likely decided it is harmless. Other types of malware will wait for a certain number of left mouse clicks before decrypting themselves and launching their payload, Wueest wrote.

"This can make it difficult or impossible for an automated system to come to an accurate conclusion about the malware in a short time frame," according to the report.

The fear is that malware will make its way back to the virtual machines' hosting server. That was the mission of the "Crisis" malware, a Java file distributed through social engineering which ran on Windows and Apple's OS X.

Crisis tried to spread to virtual machines that were stored on a local server, Symantec wrote. It didn't exploit a vulnerability but capitalized on virtual systems simply being a series of files on a host server. A similar style of attack called "Cloudburst" was found in 2009.

Overall, the change in tactics is better for security researchers, since most malware will continue to run and might be detected on a VM. But Symantec advised that to not miss the 18 percent of malware that will quit, real physical hardware should be used in analyses.

For those concerned about VMs, Symantec recommended hardening host servers, vigilant patching of VMs and using antimalware defenses.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags symantecsecuritymalware

Featured

Slideshows

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

​Ingram Micro’s Hooked on Lenovo incentive programme recently rewarded 28 of New Zealand's top performing resellers with a full-on fishing trip at Great Barrier Island for the third year​ in a row.

Tight lines as Hooked on Lenovo catches up at Great Barrier Island
Inside the AWS Summit in Sydney

Inside the AWS Summit in Sydney

As the dust settles on the 2017 AWS Summit in Sydney, ARN looks back an action packed two-day event, covering global keynote presentations, 80 breakout sessions on the latest technology solutions, and channel focused tracks involving local cloud stories and insights.

Inside the AWS Summit in Sydney
Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Ingram Micro hosted its third annual Cure Kids Charity Golf Tournament at the North Shore Golf Club in Auckland. In total, 131 resellers, vendors and Ingram Micro suppliers enjoyed a round of golf consisting of challenges on each of the 18 sponsored holes, with Team Philips taking out the top honours.

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day
Show Comments