Hackers Use Virtual Machine Detection To Foil Researchers - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Enterprise Applications
News
11/20/2006
11:02 AM
50%
50%

Hackers Use Virtual Machine Detection To Foil Researchers

The tactic is designed to thwart researchers who use virtualization software, notably that made by VMware, to quickly and safely test the impact of malicious code.

Hackers are adding virtual machine detection to their worms and Trojans to stymie analysis by anti-virus labs, a security research said Sunday.

The tactic is designed to thwart researchers who use virtualization software, notably that made by VMware, to quickly and safely test the impact of malicious code. Researchers will often run malware in a virtual machine to protect the system's actual operating system from infection; virtualization software also lets analysts test malware against multiple operating systems on a single computer.

"Three out of 12 malware specimens recently captured in our honeypot refused to run in VMware," said Lenny Zeltser, an analyst at SANS Institute's Internet Storm Center (ISC) in an online note Sunday.

Malware writers use a variety of techniques to detect virtualization, including sniffing out the presence of VMware-specific processes and hardware characteristics, said Zeltser. "More reliable techniques rely on assembly-level code that behaves differently on a virtual machine than on a physical host," he added.

Researchers can fight back, Zeltser said, by patching the malicious code so that the virtual machine routine(s) never executes, or by modifying the virtual machine to make it more difficult for malware to detect that it's running in a virtual environment.

Two other ISC researchers, Tom Liston and Ed Skoudis, spelled out anti-detection techniques at a recent SANS conference. The paper can be downloaded from the ISC site as a PDF file.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
News
How to Create a Successful AI Program
Jessica Davis, Senior Editor, Enterprise Apps,  10/14/2020
News
Think Like a Chief Innovation Officer and Get Work Done
Joao-Pierre S. Ruth, Senior Writer,  10/13/2020
Slideshows
10 Trends Accelerating Edge Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/8/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
[Special Report] Edge Computing: An IT Platform for the New Enterprise
Edge computing is poised to make a major splash within the next generation of corporate IT architectures. Here's what you need to know!
Slideshows
Flash Poll