Malware figures out if it’s running on VMs and refuses to execute

September 23rd, 2016 by Mark Daly in Industry News No Comments »

Malware writers are checking for the absence of recently opened documents to tell which PCs are potential victims and which are virtual machines being used by white hats.

SentinelOne senior researcher Caleb Fenton found the novel technique while attempting to coax the malware into activating so it could be analysed.

The worm he was working on refused to budge, however, as Fenton’s virtual machine showed no evidence of having opened any Word documents.

“Most users, unless they just installed Word, are going to have opened more than two documents,” Fenton says.

“However, on a testing virtual machine, the software is normally not ‘broken in’.

“If malware can be smart enough to know when it’s being tested in a virtual machine, it can avoid doing anything suspicious or malicious and thereby increase the time it takes to be detected.”

The malware borrows from other variants and cross-references the public IP address of the targeted PC to see if it matches a security vendor or sandbox technology, clamming up if it lands a hit.

Researchers restore their virtual machines to an earlier, fresh state whenever new malware is analysed. This makes it highly likely that the word processor will have no history of opened documents should the malware check.

On machines that do have a document history, the macro activates and downloads a payload to compromise the victim machine.
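Because the check described above hinges on how many documents Word has opened, an analyst can verify that an analysis VM looks "broken in" before detonating a sample. The following PowerShell check is an added example, not code from the article or from SentinelOne; it assumes Word records its recent files under the per-user Office registry hive (Software\Microsoft\Office\&lt;version&gt;\Word\File MRU, and per signed-in account under User MRU), and uses the article's "more than two documents" heuristic as the threshold.

```powershell
# Added example (not from the article): count Word's recent-document (MRU) entries
# so an analyst can confirm a sandbox VM has a realistic document history.
# Assumption: Word stores its recent-file list under
#   HKCU:\Software\Microsoft\Office\<version>\Word\File MRU
# and, for signed-in accounts, under ...\Word\User MRU\<account>\File MRU.
$threshold = 2   # the article's heuristic: a real user has opened more than two documents

function Get-WordMruCount {
    $count = 0
    $officeRoot = 'HKCU:\Software\Microsoft\Office'
    if (-not (Test-Path $officeRoot)) { return 0 }

    # Office versions appear as numeric subkeys, e.g. 15.0, 16.0
    Get-ChildItem $officeRoot | Where-Object { $_.PSChildName -match '^\d+\.\d+$' } | ForEach-Object {
        $wordKey = Join-Path $_.PSPath 'Word'
        if (-not (Test-Path $wordKey)) { return }   # acts as 'continue' inside ForEach-Object

        # Classic location plus any per-account locations
        $mruKeys = @(Join-Path $wordKey 'File MRU')
        $userMru = Join-Path $wordKey 'User MRU'
        if (Test-Path $userMru) {
            Get-ChildItem $userMru | ForEach-Object { $mruKeys += Join-Path $_.PSPath 'File MRU' }
        }

        foreach ($k in $mruKeys) {
            if (Test-Path $k) {
                # Each recent file is stored as a value named "Item 1", "Item 2", ...
                $items = (Get-Item $k).GetValueNames() | Where-Object { $_ -like 'Item *' }
                $count += @($items).Count
            }
        }
    }
    return $count
}

$n = Get-WordMruCount
if ($n -le $threshold) {
    Write-Warning "Only $n recent Word document(s) recorded; this VM may be recognised as a sandbox by the check described in the article."
} else {
    Write-Output "Word reports $n recent document(s); the document history looks realistic."
}
```

Run it in the analysis VM's user context; if it warns, open and save a handful of harmless documents and snapshot the VM again so the baseline carries that history.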
