Virtual machines no longer keeping malware at bay

It used to be that running and working on a virtual machine could almost guarantee you complete avoidance of malware infections, but that time has passed, says Symantec researcher Candid Wueest.

The change happened because many companies have switched to using virtual machines, and ignoring this ever-increasing swathe of potential targets is simply not good business for malware authors.

Given security researchers’ predilection for analysing malware on virtual machines – they don’t have to reinstall production systems every time – the challenge for malware authors has been to find ways to avoid triggering a VM’s defenses.

Malware can gauge whether it is run in a VM in a number of ways: it can check for VMware tools, specific processes, communication ports, unique registry keys, behaviors, the location of system structures and more.

“Malware has one huge advantage when executed on an automated VM analysis system,” Wueest points out. “The analysis system needs to make a decision in a reasonable timeframe and if the sample does not behave in a malicious manner within the first five minutes, such as skipping waiting loops, the system will most likely deem it harmless.”

Similarly, some malware waits for certain things to happen before starting to act: for example, for the user to click the mouse a certain number of times, or for the computer to be rebooted a few times.
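The stalling tactic Wueest describes cuts both ways: an analysis system can refuse to wait out the sample by virtualising time. The following is an added example, not Symantec’s code or any tool’s, of a minimal sandbox clock that fast-forwards every requested sleep, records how long the sample tried to wait, and still observes behaviour that would only have appeared after the five-minute window; the stalling sample and its action labels are constructed stand-ins.

```python
ANALYSIS_WINDOW_SEC = 5 * 60   # the decision window cited in the article


class SandboxClock:
    """Time as seen by the sample. Sleeps advance it instantly instead of
    blocking, so a sample that waits out the window is still observed."""

    def __init__(self):
        self.now = 0.0
        self.requested_wait = 0.0  # total waiting the sample asked for
        self.sleep_calls = 0
        self.actions = []          # (virtual time, behaviour) observed

    def sleep(self, seconds):
        self.sleep_calls += 1
        self.requested_wait += seconds
        self.now += seconds        # fast-forward; no real time passes

    def monotonic(self):
        return self.now

    def act(self, what):
        self.actions.append((self.now, what))


def analyse(sample):
    """Run a sample against the virtual clock and return the verdict."""
    clock = SandboxClock()
    sample(clock)
    # Asking to wait longer than the window is itself an indicator, and
    # anything done after the window would have been missed by a real clock.
    late = [what for t, what in clock.actions if t > ANALYSIS_WINDOW_SEC]
    return {
        "requested_wait_sec": clock.requested_wait,
        "sleep_calls": clock.sleep_calls,
        "observed_actions": [what for _, what in clock.actions],
        "stalls_past_window": clock.requested_wait >= ANALYSIS_WINDOW_SEC,
        "actions_after_window": late,
    }


def stalling_sample(clock):
    """Constructed stand-in for a stalling sample: it waits in short chunks
    for ten minutes and only then does something observable."""
    start = clock.monotonic()
    while clock.monotonic() - start < 10 * 60:
        clock.sleep(30)            # many short sleeps defeat a per-call cap
    clock.act("beacon")            # constructed label for the observed action
```

Because the clock also counts total requested wait rather than individual sleep lengths, a loop of short sleeps is flagged the same way as one long sleep.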

“In some rare cases we have encountered malware that does not quit when executed on a virtual machine, but instead sends false data. These ‘red herrings’ might ping command-and-control servers that never existed or check for random registry keys,” the researcher shared. “These tactics are meant to confuse the researcher or have the automation process declare the malware a benign application.”

Wueest and his colleagues have tested some 200,000 pieces of malware submitted by Symantec customers since 2012, and discovered that, on average, one in five malware samples will detect virtual machines and abort execution.

These results should be enough to make users worry about malware breaking out of the virtual environment, compromising host servers and spreading even further. It has happened before – the 2009 Cloudburst attack and the Crisis malware are good examples.

“Virtual environments need security solutions that go beyond traditional protections in order to cover the different requirements of its dynamic and application-centric approach. This holds true for standalone virtualized servers as well as for modern SDDCs. Of course, different setups and architectures might require different implementation approaches,” Symantec pointed out, and shared some best practice guidelines for securing VMs.
