Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the crayon-syntax-highlighter domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home1/ktech37/public_html/wp-includes/functions.php on line 6114

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the otw_dcsw domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home1/ktech37/public_html/wp-includes/functions.php on line 6114

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the easy-accordion-free domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home1/ktech37/public_html/wp-includes/functions.php on line 6114
Malware can detect virtual machines and go dark » KryptosTechnology

Malware can detect virtual machines and go dark

virtual-machines-header-2

One of the more effective ways to counter a malware infection is to make sure that it infects something that can’t have much of an influence on the rest of the system, like a sandboxed virtual machine. However as malware continues to evolve, its creators are now discovering ways to detect whether it is simply wasting its time infecting virtual machines, so it can go after more legitimate targets.




Discovered by Caleb Fenton with security firm SentinelOne (via ThreatPost), this new form of malware is able to sniff out that it currently resides on a virtual machine. Purportedly it does this by analyzing the number of documents on the machine. Low numbers would suggest some form of testing environment, which could tip it off that it’s sandboxed.




After making such a discovery, the malware becomes dormant, deliberately hiding itself as best as possible to avoid any detection techniques by potential security staff or automated tools. Although that particular piece of malware may become redundant to the creator at that point, avoiding detection is incredibly important in such a situation.

Since security researchers can use virtual machines to learn a lot about a piece of malware without risking any spread of infection, keeping the nefarious software under wraps allows its clones to proliferate in the wild for a little while longer.

In one specific example that Fenton discovered, the malware would search a machine for Microsoft Word documents using the Recent Documents Windows function. If it discovered two or more, it would initiate and download its malware payload. If those files were not found, it shuts down and obfuscates its location to try and avoid detection.

To try and avoid smart security researchers who may have added a number of Word documents to the system to avoid tripping that check, the anti-sandbox malware also detects the IP of the system and cross references it with a known blacklist of security firm addresses. Again, if it finds itself in the belly of the IT security beast, it will halt all actions and try to hide.




Although not exactly unique, these techniques are rather new and represent the next evolution in the ongoing war between white and black hats the world over. Extending the life of malware can go a long way to improving its viability as an attack vector, often more so than simply making the malware harder to stop.

Also Read:  USB Kill to Destroy Any Computer Within Seconds