Malware is less concerned about virtual machines

Symantec finds most malware doesn't quit if it runs on VM, which used to be a sign it was being analyzed

Many malicious software programs used to make a quick exit on virtual machines, a tactic designed to avoid a security check. But that isn't the case anymore, according Symantec research.

As companies increasingly use VMs in operational environments, malware writers are largely trying other methods to avoid detection. It means that simply running VMs won't be enough to scare away malware.

Symantec studied 200,000 malware samples submitted by its customers since 2012. It ran the samples on a VM and a non-VM machine to see which ones would stop working when a VM was detected.

Just 18 percent of malware programs studied stop executing when a VM is detected, wrote Candid Wueest, a threat researcher, in a blog post Tuesday.

"Malware authors want to compromise as many systems as possible, so if malware does not run on a VM, it limits the number of computers it could compromise," Wueest wrote. "So, it should not come as a surprise that most samples today will run normally on a virtual machine."

One trick employed by malware to avoid being booted from a VM by security software is to simply wait, Symantec's report said.

If a new file doesn't act suspicious in the first five or ten minutes, systems will likely decided it is harmless. Other types of malware will wait for a certain number of left mouse clicks before decrypting themselves and launching their payload, Wueest wrote.

"This can make it difficult or impossible for an automated system to come to an accurate conclusion about the malware in a short time frame," according to the report.

The fear is that malware will make its way back to the virtual machines' hosting server. That was the mission of the "Crisis" malware, a Java file distributed through social engineering which ran on Windows and Apple's OS X.

Crisis tried to spread to virtual machines that were stored on a local server, Symantec wrote. It didn't exploit a vulnerability but capitalized on virtual systems simply being a series of files on a host server. A similar style of attack called "Cloudburst" was found in 2009.

Overall, the change in tactics is better for security researchers, since most malware will continue to run and might be detected on a VM. But Symantec advised that to not miss the 18 percent of malware that will quit, real physical hardware should be used in analyses.

For those concerned about VMs, Symantec recommended hardening host servers, vigilant patching of VMs and using antimalware defenses.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Tags symantecsecuritymalware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?