Virtual Machines Can Prevent Malware Execution

Malware authors are building virtual machine detection into the worms and trojans they drop on computers in order to thwart analysis by anti-virus labs, according to the SANS Institute's Internet Storm Center (ISC).

Virtual machine detection undermines research that relies on virtualization software, most popularly VMware's, to test the impact of malware quickly and safely. Researchers often execute malware inside a virtual machine to keep the host system free from infection, and virtualization also lets analysts test malicious code against several operating systems on a single PC.

From the malware author's side, virtual machine detection serves as a self-defence feature: because analysts commonly use virtualization software such as VMware, a program that refuses to run inside a virtual machine is harder to examine. Of 12 malware specimens SANS recently captured in its honeypot, 3 would not run under VMware.

According to Lenny Zeltser, an analyst at the SANS Institute's ISC, malware authors use a myriad of techniques to spot virtualization, including looking for the VMware-specific processes and hardware features that are present. The more reliable techniques, he added, rely on assembly-level code that behaves differently on a virtual machine than on a physical host.

VMware detection is sometimes built directly into the malware; at other times a third-party packing utility adds it to the program. Researchers at the SANS Institute's ISC once examined a malicious program that had been bundled with a commercial packer called Themida, which includes support for virtual machine detection.
A packer is a utility that transforms the original program to hide its strings, disable debuggers, detect VMware and so on. Programmers often rely on packers to protect legitimate programs from reverse engineering.

In Zeltser's view, researchers can defeat such malicious code by patching it so that the virtual machine detection routines never execute. Alternatively, they can modify the virtual machine itself to make it harder for malware to recognise that it is running in a virtual environment.
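As an added illustration of the first approach (not code from the article or from SANS): once an analyst has located, in a disassembler, the x86 short conditional jump that a sample takes after concluding it is inside VMware, the check can be neutralised by patching that one instruction. The `SAMPLE` bytes and the offset `JZ_OFFSET` below are constructed for the example.

```python
# Added example: patch an anti-VM branch so the detection routine never
# takes effect. Assumes the analyst already knows the file offset of the
# 2-byte x86 Jcc rel8 instruction that the sample uses to act on its
# VM check. SAMPLE and JZ_OFFSET are constructed, not from any real sample.

JCC_SHORT = range(0x70, 0x80)   # x86 Jcc rel8 opcodes (jo .. jg)
NOP = 0x90                      # 1-byte NOP
JMP_SHORT = 0xEB                # JMP rel8

def _check_jcc(image: bytes, offset: int) -> None:
    """Refuse to patch anything that is not a short conditional jump."""
    if offset < 0 or offset + 2 > len(image):
        raise ValueError("offset outside image")
    if image[offset] not in JCC_SHORT:
        raise ValueError(f"no Jcc rel8 at {offset:#x}: {image[offset]:#04x}")

def nop_jcc(image: bytes, offset: int) -> bytes:
    """Jcc -> NOP NOP: the branch is never taken, execution falls through.
    Use when the jump leads to the 'VM detected, bail out' code."""
    _check_jcc(image, offset)
    patched = bytearray(image)
    patched[offset:offset + 2] = bytes([NOP, NOP])
    return bytes(patched)

def force_jcc(image: bytes, offset: int) -> bytes:
    """Jcc -> JMP rel8: the branch is always taken (displacement kept).
    Use when the jump leads to the normal, non-VM code path."""
    _check_jcc(image, offset)
    patched = bytearray(image)
    patched[offset] = JMP_SHORT
    return bytes(patched)

def diff_patch(original: bytes, patched: bytes) -> list[tuple[int, int, int]]:
    """Return (offset, old, new) for each changed byte, so the patch can be
    reviewed and recorded in the analysis notes before the sample is re-run."""
    if len(original) != len(patched):
        raise ValueError("patching must not change the image size")
    return [(i, o, p) for i, (o, p) in enumerate(zip(original, patched)) if o != p]

# Constructed fragment: test eax,eax ; jz +5 (-> bail-out) ; mov eax,1 ; ret
SAMPLE = bytes([0x85, 0xC0, 0x74, 0x05, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3])
JZ_OFFSET = 2   # file offset of the jz that skips the payload when a VM is seen

if __name__ == "__main__":
    for off, old, new in diff_patch(SAMPLE, nop_jcc(SAMPLE, JZ_OFFSET)):
        print(f"{off:#06x}: {old:#04x} -> {new:#04x}")
```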

There have also been suggestions to develop techniques for configuring non-virtualized systems so that they appear to be virtual machines, fooling the malware into thinking it is in an analyst's environment so that it refuses to execute.


SPAMfighter News - 24-11-2006
