Menu
Malware is less concerned about virtual machines

Malware is less concerned about virtual machines

Symantec finds most malware doesn't quit if it runs on VM, which used to be a sign it was being analyzed

Many malicious software programs used to make a quick exit on virtual machines, a tactic designed to avoid a security check. But that isn't the case anymore, according Symantec research.

As companies increasingly use VMs in operational environments, malware writers are largely trying other methods to avoid detection. It means that simply running VMs won't be enough to scare away malware.

Symantec studied 200,000 malware samples submitted by its customers since 2012. It ran the samples on a VM and a non-VM machine to see which ones would stop working when a VM was detected.

Just 18 percent of malware programs studied stop executing when a VM is detected, wrote Candid Wueest, a threat researcher, in a blog post Tuesday.

"Malware authors want to compromise as many systems as possible, so if malware does not run on a VM, it limits the number of computers it could compromise," Wueest wrote. "So, it should not come as a surprise that most samples today will run normally on a virtual machine."

One trick employed by malware to avoid being booted from a VM by security software is to simply wait, Symantec's report said.

If a new file doesn't act suspicious in the first five or ten minutes, systems will likely decided it is harmless. Other types of malware will wait for a certain number of left mouse clicks before decrypting themselves and launching their payload, Wueest wrote.

"This can make it difficult or impossible for an automated system to come to an accurate conclusion about the malware in a short time frame," according to the report.

The fear is that malware will make its way back to the virtual machines' hosting server. That was the mission of the "Crisis" malware, a Java file distributed through social engineering which ran on Windows and Apple's OS X.

Crisis tried to spread to virtual machines that were stored on a local server, Symantec wrote. It didn't exploit a vulnerability but capitalized on virtual systems simply being a series of files on a host server. A similar style of attack called "Cloudburst" was found in 2009.

Overall, the change in tactics is better for security researchers, since most malware will continue to run and might be detected on a VM. But Symantec advised that to not miss the 18 percent of malware that will quit, real physical hardware should be used in analyses.

For those concerned about VMs, Symantec recommended hardening host servers, vigilant patching of VMs and using antimalware defenses.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags securitymalwaresymantec

Featured

Slideshows

Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Show Comments