Malware Tries to Detect Test Environment
A new malware tries to detect if it’s running in a virtual machine or sandboxed test environment by looking for signs of normal use and not executing if they’re not there.
From a news article:
A typical test environment consists of a fresh Windows computer image loaded into a VM environment. The OS image usually lacks documents and other telltale signs of real world use, Fenton said. The malware sample that Fenton found…looks for existing documents on targeted PCs.
If no Microsoft Word documents are found, the VBA macro code execution terminates, shielding the malware from automated analysis and detection. Alternately, if more than two Word documents are found on the targeted system, the macro will download and install the malware payload.
EDITED TO ADD (10/16): Some details.
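The quoted article describes the sample's decision rule (no Word documents: the macro exits; more than two: the payload runs). From the analyst's side, the useful question is whether a given sandbox image would pass that check before a sample is detonated. The script below is an added example, not code from the post or the article: it counts Word documents under a profile directory, applies the article's thresholds, and can seed placeholder documents so a fresh image looks lived-in. The extension list, the "marginal" verdict for one or two documents (the article does not say what happens there), and the `Documents` path are assumptions.

```python
"""Audit an analysis VM profile for the 'signs of real-world use' heuristic.

Added example; the thresholds mirror the article's description (zero Word
documents -> the macro bails out; more than two -> payload runs).
"""
import os
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

# Assumed set of extensions a document-counting check would look for.
WORD_EXTENSIONS = (".doc", ".docx", ".docm", ".dot", ".dotx", ".dotm")


@dataclass
class AuditResult:
    word_documents: int
    verdict: str  # "sparse", "marginal", or "lived-in"


def count_word_documents(root: str) -> int:
    """Count files with Word extensions under root (case-insensitive)."""
    n = 0
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WORD_EXTENSIONS):
                n += 1
    return n


def verdict_for(n: int) -> str:
    """Apply the article's thresholds to a document count.

    0 documents -> "sparse": the described macro would terminate.
    >2 documents -> "lived-in": the described macro would proceed.
    1-2 documents -> "marginal": behaviour not stated in the article (assumption).
    """
    if n == 0:
        return "sparse"
    if n > 2:
        return "lived-in"
    return "marginal"


def audit(root: str) -> AuditResult:
    """Count documents under root and classify the image."""
    n = count_word_documents(root)
    return AuditResult(n, verdict_for(n))


def seed_documents(root: str, count: int) -> List[str]:
    """Create placeholder .docx files so the image passes this one heuristic.

    A realistic image should carry genuinely varied documents and usage
    traces; empty files are enough only for a simple count-based check.
    """
    docs_dir = os.path.join(root, "Documents")  # assumed profile layout
    os.makedirs(docs_dir, exist_ok=True)
    created = []
    for i in range(count):
        path = os.path.join(docs_dir, f"report_{i + 1}.docx")
        with open(path, "wb") as fh:
            fh.write(b"")  # constructed placeholder content
        created.append(path)
    return created


def demo() -> Tuple[str, str]:
    """Audit a constructed empty profile, seed three documents, audit again."""
    with tempfile.TemporaryDirectory() as profile:
        before = audit(profile).verdict
        seed_documents(profile, 3)
        after = audit(profile).verdict
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print(f"before seeding: {before}; after seeding three documents: {after}")
```

Run it against the real profile directory of a sandbox image rather than a temporary directory to see how that image would be classified; a "sparse" result means the sample described above would never reach its payload stage under analysis.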
Clive Robinson • September 28, 2016 7:04 AM
When all is said and done, the way it detects is not new. It’s been discussed before with Honey-Nets and the like.
And as with Honey-Nets it’s the investigators’ laziness in implementing an environment that is what gives the game away.
This is not the first time that such “check before you fly” techniques have been used.
If you think back, you should remember that after Stuxnet escaped, and thus became known and subsequently got publicly dissected, some malware started taking precautions. In at least one case by using payload encryption to protect its contents. Effectively the payload encryption was “keyed” by information on the target computer (that went into a very CPU time expensive algorithm).
In some ways this is like the Electronic Warfare ECM / ECCM … EC…CM escalation, with the advantage being with the Malware not the investigators.
There are a number of downsides for the Malware, one is that the detection methods quite rapidly get to be of significant size, and this alone may well trigger Intrusion Detection Systems. Other problems are that even though encrypted the detection code or payload will have a recognisable network signature or a polymorphic system that can be recognised. But the one that will stand out, or should do if the malware author is being cautious, is the CPU load on a target system.