Post Thu Nov 30, 2006 5:28 pm

Hackers Adding VM Detection to Trojans

Hackers are incorporating virtual machine detection into their Trojans, worms and other malware in order to thwart antivirus vendors and virus  researchers, according to a note published this week by the SANS Institute Internet Storm Center.

Researchers often use virtual machines to detect hacker  activities.

Virtual machines -- software that mimics a computer's hardware -- are useful for virus-testing, explained Roger Thompson, CTO of Exploit Prevention Labs. "You can run a virus to see what it does and then delete it when you are finished," he told TechNewsWorld.

An increasing number of hackers build code that can detect when their virus is being run on a virtual machine. "This isn't a terribly new twist, but I have been seeing an increase over the last six weeks," Thompson added.

"Hackers know there is no real reason why an average computer user would use a virtual machine, as they are about one-third slower," he explained.

Recently, Thompson tried to download a movie from a suspicious Web site and his rootkit detections did not indicate there was a problem on the virtual machine; however, when he tried to download the movie to a real computer, he said, "they went off like Roman candles."

Countersurveillance and Spy Craft
The trend is bound to continue, as hackers tend to adopt proven strategies. In response, AV vendors and researchers have stepped up their hacker surveillance activities.

Some malware will look for virtual machine specific memory regions, check for well known VMware device drivers, or look for popular debuggers in the list of names of open windows, Jose Nazario, software and security engineer for Arbor Networks, told TechNewsWorld. "If any of these conditions are true, the malware will assume it's being watched too closely and will abort," he said.

Sometimes malware authors will include exploits that attempt to attack a researcher's computer via a well-known hole, and either crash the application and attempt to ruin the researcher's work, or execute other commands, he noted.

At other times, the malware will alter course and execute new instructions instead of its normal instructions.

"The latter is possibly the most dangerous for a malware analyst, as they may assume they have seen all that a piece of malware can do and close their report," Nazario added.

For full story: