Evasive Malware Detects and Defeats Virtual Machine Analysis
OCT 24, 2016
Advanced malware solutions ("sandboxes") traditionally use virtual machines (VMs) to analyze suspicious objects and find out whether they are malicious. However, advanced malware is capable of detecting the virtual machine technology used by conventional sandboxes and exploiting this weakness to evade detection.
Sandbox technologies typically rely on VM environments such as VMware, Xen, Parallels/Odin and VDI. These allow a user or an administrator to run one or more "guest" operating systems on top of a "host" operating system. Each guest operating system executes within an emulated environment and is given managed access to both virtual and real hardware. In theory, the environment provided by the VM is self-contained, isolated and indistinguishable from a "real" machine.
VM technology has long been considered an effective approach for analyzing malware because it provides an isolated environment, or sandbox, in which the malware can be triggered and monitored. However, today's advanced malware is more sophisticated and is quite capable of evaluating a VM environment and tailoring its actions to avoid detection.
Advanced Malware Easily Detects VM Environments
Conventional sandbox analysis inserts artifacts into the guest operating system, which allows advanced malware to determine whether a system is running in a virtual environment. Here are some of the techniques malware uses to recognize VM environments:
- Examining registry keys for values that are unique to virtual systems. In VMware, there are over 300 references in the registry to "VMware".
- Looking to see if VM tools are installed. In a VMware Windows Workstation, there are over 50 references in the file system to "VMware" or "vmx".
- Checking for certain processes and services that are specific to VM environments, such as VMwareService.exe, VMwareTray.exe, etc.
- Identifying the BIOS serial number or the MAC address of the virtual network adapter to reveal the vendor. For example, MAC addresses beginning with 00-05-69, 00-0c-29, 00-1c-14 or 00-50-56 are associated with VMware.
- Analyzing specific structures in system memory, such as the locations returned by the Store Interrupt Descriptor Table (SIDT), Store Local Descriptor Table (SLDT) and Store Task Register (STR) instructions. These tables are located at different addresses in VM environments than on physical machines.
- Examining specific hardware parameters that are unique to either VM or real physical environments. Advanced malware may query various attributes, such as serial numbers or other values belonging to the motherboard, processor, SCSI controller, etc.
It has become easier for malware to detect its target environment and take evasive action because many of the toolkits designed to perform VM analysis are readily available to those who create malware. Not surprisingly, as malware becomes more sophisticated, enterprise systems become more vulnerable to destructive cyber attacks.
Advanced Malware Alters Its Behavior When a VM Is Detected
Once modern malware detects a virtual machine, it can alter its behavior to avoid detection using some of the following tactics:
- Injection or modification of code inside other applications is suspended until the malware is operating outside the VM.
- Steps to establish persistence and download additional code are put on hold.
- Malicious code remains encrypted or otherwise hidden.
- Attempts to move laterally within the network are suspended until the malware is operating outside the sandbox or VM.
- Connections to the malware's command-and-control servers (CNC) are avoided.
By modifying its behavior, malware can avoid detection by traditional or first-generation security solutions running in virtualized environments.
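The two lists above describe the same sample from two sides: the artifacts it probes for, and the behaviors it withholds once it believes it is inside a VM. A sandbox operator can turn both into a detection signal by looking at the API trace a run produced. The following script is an added example written for this post, not Lastline code and not part of the original article. It assumes a simple trace format of `<pid> <api> <argument>` with Win32 API names as the sandbox logs them, uses the VMware process names and MAC prefixes quoted in the post, and embeds two constructed traces: one from a VM run where the sample probes for artifacts and then exits quietly, and one reference run (imagine an artifact-free environment) where the same sample injects, persists, moves laterally and contacts its server. The comparison reports which probe categories appeared and which behaviors were suppressed in the VM run.

```python
import re
from collections import Counter

# Indicators from the post (assumption: illustrative, not an exhaustive catalogue).
VM_NAME_MARKERS = ("vmware", "vmx")
VM_PROCESS_NAMES = {"vmwareservice.exe", "vmwaretray.exe"}
VM_MAC_PREFIXES = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}  # VMware OUIs named in the post
HARDWARE_CLASSES = ("win32_bios", "win32_baseboard", "win32_processor", "win32_scsicontroller")

# API names that correspond to each probe category (assumed trace vocabulary).
PROBE_APIS = {
    "registry": {"regopenkeyexw", "regqueryvalueexw"},
    "filesystem": {"findfirstfilew", "createfilew", "getfileattributesw"},
    "process": {"process32firstw", "process32nextw"},
    "mac": {"getadaptersinfo", "getadaptersaddresses"},
    "hardware": {"wmi"},
}
# API names for the behaviors the post says a VM-aware sample withholds.
BEHAVIOR_APIS = {
    "injection": {"writeprocessmemory", "createremotethread"},
    "persistence": {"regsetvalueexw", "createservicew"},
    "lateral_movement": {"wnetaddconnection2w", "netshareenum"},
    "c2": {"internetconnectw", "winhttpconnect", "connect"},
}

# Assumed trace line format: "<pid> <api> <argument...>"
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\S+)\s*(?P<arg>.*)$")


def is_vm_mac(mac):
    """True if the MAC's first three octets match a VMware prefix (either separator)."""
    return mac.lower().replace("-", ":")[:8] in VM_MAC_PREFIXES


def classify_probe(api, arg):
    """Map one API call to a VM-artifact probe category, or None."""
    low = arg.lower()
    if api in PROBE_APIS["registry"] and any(k in low for k in VM_NAME_MARKERS):
        return "registry"
    if api in PROBE_APIS["filesystem"] and any(k in low for k in VM_NAME_MARKERS):
        return "filesystem"
    if api in PROBE_APIS["process"] and low.strip() in VM_PROCESS_NAMES:
        return "process"
    if api in PROBE_APIS["mac"] and is_vm_mac(arg.strip()):
        return "mac"
    if api in PROBE_APIS["hardware"] and any(c in low for c in HARDWARE_CLASSES):
        return "hardware"
    return None


def classify_behavior(api, arg):
    """Map one API call to a suppressible-behavior category, or None."""
    if api in BEHAVIOR_APIS["persistence"]:
        # A registry write only counts as persistence when it targets a Run key.
        if api == "createservicew" or "currentversion\\run" in arg.lower():
            return "persistence"
        return None
    for category, apis in BEHAVIOR_APIS.items():
        if api in apis:
            return category
    return None


def summarize(lines):
    """Count probe and behavior categories seen in one trace."""
    probes, behaviors = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        api, arg = m.group("api").lower(), m.group("arg")
        probe = classify_probe(api, arg)
        if probe:
            probes[probe] += 1
            continue
        behavior = classify_behavior(api, arg)
        if behavior:
            behaviors[behavior] += 1
    return {"probes": dict(probes), "behaviors": dict(behaviors)}


def compare_runs(vm_trace, reference_trace, probe_threshold=2):
    """Flag a sample that probes for VM artifacts and withholds behavior in the VM run."""
    vm, ref = summarize(vm_trace), summarize(reference_trace)
    suppressed = sorted(c for c in ref["behaviors"] if c not in vm["behaviors"])
    vm_aware = len(vm["probes"]) >= probe_threshold
    if vm_aware and suppressed:
        verdict = "evasive"
    elif vm_aware:
        verdict = "vm-aware"
    elif suppressed:
        verdict = "environment-sensitive"
    else:
        verdict = "consistent"
    return {"vm_probes": vm["probes"], "suppressed_behaviors": suppressed, "verdict": verdict}


# Constructed sample traces (not real sandbox output).
VM_TRACE = [
    "1234 RegOpenKeyExW HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools",
    "1234 FindFirstFileW C:\\Program Files\\VMware\\*",
    "1234 Process32NextW VMwareTray.exe",
    "1234 GetAdaptersInfo 00-0C-29-4A-1B-22",
    "1234 WMI SELECT SerialNumber FROM Win32_BIOS",
    "1234 Sleep 600000",
    "1234 ExitProcess 0",
]
REFERENCE_TRACE = [
    "5678 RegOpenKeyExW HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
    "5678 GetAdaptersInfo 3C-22-FB-10-20-30",
    "5678 WriteProcessMemory explorer.exe",
    "5678 CreateRemoteThread explorer.exe",
    "5678 RegSetValueExW HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
    "5678 InternetConnectW c2.example.invalid:443",
    "5678 WNetAddConnection2W \\\\fileserver\\admin$",
]

if __name__ == "__main__":
    print(compare_runs(VM_TRACE, REFERENCE_TRACE))
```

The verdict logic is deliberately two-sided: a run that only probes (no reference to compare against) is reported as "vm-aware", while a run whose behavior simply differs between environments without any probing is "environment-sensitive", which is often a sign of a sandbox artifact the operator should remove rather than of evasion by the sample.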
Unlike conventional sandboxing solutions, the next-generation Lastline products have an entirely different architecture that does not produce artifacts, making it more difficult for malware to determine its location. In fact, the Lastline solution is specifically designed to detect advanced malware, even when it uses sophisticated evasion techniques.