Malware figures out it's running on VMs and refuses to execute

Malware writers are looking for the absence of documents to figure out which PCs are potential victims and which are virtual machines being used by white hats. SentinelOne senior researcher Caleb Fenton found the novel technique while attempting to coax the malware into activating so it could be analysed. The worm he was …

  1. Brian Miller

    Hide, hide, hide ...

    Behind paranoid eyes.

    Yes, the wondrous cat-and-mouse game! Remember when the malware would just look in the registry to figure out if it was running on a virtual machine? Now it's using limited heuristics. Anybody want to guess when malware will be coming in phases, a part A and B?

    1. Charles 9

      Re: Hide, hide, hide ...

      And that's only because the malware doesn't have a Red Pill payload: one specifically designed to be run in a VM to break out and attack the hypervisor...

      1. AustinTX

        Re: Hide, hide, hide ...

        A better Red Pill payload would be a marginally effective "real" payload which puts on a reasonable performance and distracts researchers for weeks or years. Probably been going on this way for years. Gewd Jorb, researchers!

    2. Anonymous Coward

      Re: Hide, hide, hide ...

      "Remember when the malware would just look in the registry to figure out if it was running on a virtual machine?"

      What is this 'registry' of which you speak ?

      1. Anonymous Coward

        >> What is this 'registry' of which you speak ?

        It's a rhetorical device, mostly used to prompt any *nix obsessives to start galloping around on their favourite hobby-horses rather than engaging with the actual topic at hand...

      2. Anonymous Coward

        Re: Hide, hide, hide ...

        >What is this 'registry' of which you speak ?

        A hierarchical database, invariably corrupt, within which low-level settings are retained by the 'Windows' operating system much favoured by plebeians, M'lud.

        1. Destroy All Monsters Silver badge

          Re: Hide, hide, hide ...

          That "Red Pill" thing is pretty hypothetical. Like a "black oil" payload, it excites the Fox Mulders mainly.

      3. Ken Hagan Gold badge

        Re: Hide, hide, hide ...

        "What is this 'registry' of which you speak ?"

        It's a copy of the /etc filesystem, but with all the files pre-parsed so that every program under the sun *doesn't* have to contain full text parsing logic just to configure a few items.

    3. groovyf

      Re: Hide, hide, hide ...

      thumbs-up for the Floyd reference...

      1. Sir Runcible Spoon

        Re: Hide, hide, hide ...

        They could also just check to see how many CPUs are available to the OS. Not bullet-proof obviously, but it could thin the numbers. Combined with other tell-tales it could end up being quite difficult to trick the malware into running.

  2. MrDamage Silver badge

    OpenOffice/LibreOffice

    Have joined adblocking software as not just being a utility, but valid security software.

  3. Paul Shirley

    ummm

    More detail please.

    Does it have to be Word opening them?

    What if you delete the history regularly?

    Which history is it checking anyway?

    1. lansalot

      Re: ummm

      Most-Recently-Used, most likely...

      There are a lot of MRU lists populated in your typical Windows installation: recent Word, Excel, Publisher documents; recent JPEGs opened, recent folders visited, network locations browsed, internet history, etc. Lots of places that a "real" machine will populate with evidence of actual work.

  4. Marcus Fil

    So..

    not too difficult to script a 'lived-in' profile installer on your honey trap VM, or a cleaning script on your work PC. Interesting escalation in the war on malware.

    1. Charles 9

      Re: So..

      But each program you're forced to add in raises the threat envelope, because each app could itself become a vector, raising the chance the VM can jump the tracks and get pwned in a way the researcher doesn't detect, even to the point of possible hyperjacking (Red Pill attack).

      1. Updraft102

        Re: So..

        "each app could itself become a vector, raising the chance the VM can jump the tracks and get pwned in a way the researcher doesn't detect..."

        I'd still rather have that happen on a researcher's machine (where it bears a better-than-average chance of being detected) than on the average person's.

        1. Charles 9

          Re: So..

          Lower risk, yes, but higher reward as well, so there will be blokes out there trying to escape the honeypots.

  5. Prst. V.Jeltz Silver badge

    they obviously need to take an image of an average users machine, riddled with adware and toolbars.

    1. Charles 9

      That would be something if malware will only infect if it detects another malware in the system, at the risk of missing pristine systems.

  6. Anonymous Coward

    Saved our bacon

    Posted anon for obv reasons...

    We run our whole Windows\Citrix desktop environment in VMware.

    Cerber (or Cerber2) got in somehow, executed on a Citrix desktop, checked the machine's PCI devices for known VMware devices, found them, terminated itself before doing anything more than changing the user's desktop to a standard 'All your base are belong to us' message asking for money and providing links.

    Bullet dodged.

    Or from its point of view - gun, meet shoe.

    Appsense Application Manager shall be deployed quick time to avoid this in future!
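As an added illustration (not code from the article, from SentinelOne, or from any commenter), here is a small Python model of the three fingerprint checks raised in this thread: the MRU/recent-documents count (lansalot), the CPU count (Sir Runcible Spoon), and the PCI vendor IDs of visible devices (the Cerber anecdote above). It scores constructed fingerprints rather than reading a real registry or PCI bus, so it runs anywhere. The vendor IDs are the pci.ids assignments as I recall them (VMware 0x15AD, VirtualBox 0x80EE, virtio 0x1AF4; verify against your own copy of pci.ids), and the thresholds, sample paths and the `seeded_profile` helper are assumptions for the example, not values any real sample is known to use.

```python
"""Sandbox/VM heuristics discussed in this thread, modelled as a scoring
function over constructed host fingerprints. Nothing here touches the real
registry or PCI bus; all inputs are built inline."""
from dataclasses import dataclass
from typing import Dict, List

# PCI vendor IDs that only appear on virtualised hardware (pci.ids values as
# recalled for this example; check them against a current pci.ids database).
VM_PCI_VENDORS: Dict[int, str] = {
    0x15AD: "VMware",
    0x80EE: "VirtualBox",
    0x1AF4: "virtio (QEMU/KVM)",
}

# Thresholds are assumptions chosen for the example, not values taken from
# any real sample.
MIN_CPUS = 2
MIN_RECENT_DOCS = 3


@dataclass
class HostFingerprint:
    cpu_count: int
    pci_vendor_ids: List[int]    # vendor IDs of PCI devices visible to the guest
    recent_documents: List[str]  # entries from an MRU list such as Word's File MRU


def vm_vendors_present(vendor_ids: List[int]) -> List[str]:
    """Names of virtualisation vendors whose PCI devices appear in the list."""
    return sorted({VM_PCI_VENDORS[v] for v in vendor_ids if v in VM_PCI_VENDORS})


def sandbox_indicators(fp: HostFingerprint) -> List[str]:
    """Return the reasons a sample might refuse to run; empty means 'looks real'."""
    reasons: List[str] = []
    vendors = vm_vendors_present(fp.pci_vendor_ids)
    if vendors:
        reasons.append("vm-pci-device:" + ",".join(vendors))
    if fp.cpu_count < MIN_CPUS:
        reasons.append(f"low-cpu-count:{fp.cpu_count}")
    if len(fp.recent_documents) < MIN_RECENT_DOCS:
        reasons.append(f"few-recent-docs:{len(fp.recent_documents)}")
    return reasons


def seeded_profile(base: HostFingerprint, n_docs: int) -> HostFingerprint:
    """The 'lived-in profile installer' idea from the thread: pad the MRU with
    plausible document paths. Note that it cannot touch the PCI or CPU evidence,
    which is why the Cerber-style device check still fires on the result."""
    padding = [f"C:\\Users\\analyst\\Documents\\report{i}.docx" for i in range(n_docs)]
    return HostFingerprint(base.cpu_count, base.pci_vendor_ids,
                           list(base.recent_documents) + padding)


# Constructed fingerprints: a bare single-vCPU VMware sandbox (Intel bridge plus
# a VMware device) and a lived-in physical PC (Intel chipset, NVIDIA GPU).
BARE_VMWARE_SANDBOX = HostFingerprint(
    cpu_count=1, pci_vendor_ids=[0x8086, 0x15AD], recent_documents=[])
REAL_USER_PC = HostFingerprint(
    cpu_count=4, pci_vendor_ids=[0x8086, 0x10DE],
    recent_documents=["budget.xlsx", "minutes.docx", "deck.pptx", "invoice.pdf"])

if __name__ == "__main__":
    for name, fp in [("sandbox", BARE_VMWARE_SANDBOX),
                     ("seeded sandbox", seeded_profile(BARE_VMWARE_SANDBOX, 10)),
                     ("real PC", REAL_USER_PC)]:
        print(f"{name}: {sandbox_indicators(fp) or 'looks like a real PC'}")
```

The point the output makes is the one the thread circles around: seeding MRU lists (Marcus Fil's cleaning/lived-in script) satisfies the document heuristic, but the hypervisor's own PCI devices and a one-vCPU configuration remain visible, so an analysis VM needs the hardware story fixed as well as the profile.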

  7. Version 1.0 Silver badge

    Cruft Force 2 required

    This seems a simple thing to fix - just let Verity at your test machine for a few hours.
