Hackers are incorporating virtual machine detection into their Trojans, worms and other malware in order to thwart antivirus vendors and virus researchers, according to a note published this week by the SANS Institute Internet Storm Center.
Researchers often use virtual machines to detect hacker activities.
Virtual machines — software that mimics a computer’s hardware — are useful for virus-testing, explained Roger Thompson, CTO of Exploit Prevention Labs. “You can run a virus to see what it does and then delete it when you are finished,” he told TechNewsWorld.
An increasing number of hackers build code that can detect when their virus is being run on a virtual machine. “This isn’t a terribly new twist, but I have been seeing an increase over the last six weeks,” Thompson added.
“Hackers know there is no real reason why an average computer user would use a virtual machine, as they are about one-third slower,” he explained.
Recently, Thompson tried to download a movie from a suspicious Web site and his rootkit detections did not indicate there was a problem on the virtual machine; however, when he tried to download the movie to a real computer, he said, “they went off like Roman candles.”
Countersurveillance and Spy Craft
The trend is bound to continue, as hackers tend to adopt proven strategies. In response, AV vendors and researchers have stepped up their hacker surveillance activities.
Some malware will look for virtual machine specific memory regions, check for well known VMware device drivers, or look for popular debuggers in the list of names of open windows, Jose Nazario, software and security engineer for Arbor Networks, told TechNewsWorld. “If any of these conditions are true, the malware will assume it’s being watched too closely and will abort,” he said.
Sometimes malware authors will include exploits that attempt to attack a researcher’s computer via a well-known hole, and either crash the application and attempt to ruin the researcher’s work, or execute other commands, he noted.
At other times, the malware will alter course and execute new instructions instead of its normal instructions.
“The latter is possibly the most dangerous for a malware analyst, as they may assume they have seen all that a piece of malware can do and close their report,” Nazario added.
Easy to Detect
The good news is that the AV community does not appear unduly alarmed.
“One advantage for anti-malware protection is that it is often very easy to detect the techniques malware creators are using to uncover whether their code is being executed within a virtual machine,” said Gunter Ollmann, director of X-Force at ISS.
Consequently, researchers examine the malware within a behavioral engine to further identify and protect against malicious code, he added.
For example, an executable e-mail attachment or file download may try to install itself and, as part of that installation process, detect whether or not it is in a virtual environment. If so, it can be identified as likely malware.
“It is easy enough to configure a virtual environment to not appear to be virtual. In the worst case, simple disk imaging techniques can be used that are now as good as running a virtual environment,” said Nazario.
Virus researchers have developed techniques and tools to get around hacker countersurveillance by altering the malware testing environment using unique and custom signatures.
“This will confuse the malware, which is looking for well known VMware signatures or names of popular analyst tools. It will often not think that it is being monitored, so it will behave normally,” Nazario added.
There are other counter measures as well, but they are trade secrets. “Within the malware analyst community, many of these tips and tricks are closely guarded so as to keep one step ahead of the malware authors,” he noted.