Malware needs to know if it's in the Matrix

Once a security researcher discovers a new strain of malicious software, runs it inside a virtual machine on a test bench, and adds its signature to anti-virus and network-monitor blacklists, it's game over for that strain. So today's malware devotes enormous effort to figuring out whether it's running on a real computer or inside one of its enemies' virtual worlds.

In a presentation, UCSB professor Giovanni Vigna (who runs the university's Center for CyberSecurity and its Seclab) describes seeing more and more malware that keeps its head down on newly infected machines, cautiously probing the operating system to determine whether it's running on a real computer or is a head in a jar, and deploying all kinds of tricks to find out.

Ben Rosenbaum and I wrote a Hugo-nominated novella called True Names in which duelling AI superintelligences try to run versions of each other inside virtual environments as part of their overall strategy and tactics.

Every system call is a gamble for the malware. Though the compiled binary is far harder to analyse, even while running, than its source code would be, the malware still needs a good excuse to start enumerating the host system's running processes, when what it is really doing is looking for known analysis tools that might be watching it. Prof. Vigna's own Anubis malware analysis software is on the malware writers' 'hit list'.

Vigna has also found malware source code that specifically looks for a user named 'Andy' in a new environment, because that was the name of one of his team members in earlier VM battles with malware authors.

Some of this paranoia is contextual: looking up system processes would be a red flag in a freeware text editor, but merely a routine and expected environment check for a defragger, which legitimately looks for system components that might get in the way of routine housecleaning.
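The two checks described above (a hit list of analysis-tool process names and a hit list of analyst usernames) and the defender's mirror image of them (counting probes a sample makes that its declared purpose does not explain) are small enough to show end to end. The following is an added example written for this page; it is not code from the article, from Vigna's group, or from any real malware sample. Apart from "anubis" and "Andy", which the article names, every process name, username and trace entry below is a constructed placeholder, and the sandbox trace is an invented list of the kind of events a monitor would log.

```python
"""Added example, not from the article: the 'am I in the Matrix' checks
the text describes, plus the sandbox-side scoring that makes each probe
a gamble for the malware. All inputs are constructed."""
import os

# Process names a sample might treat as "someone is watching".
# The article names Anubis; the remaining entries are hypothetical
# placeholders for analysis tooling, not a list from any real sample.
WATCHED_PROCESSES = {"anubis", "wireshark", "procmon", "ollydbg"}

# Usernames that mark a known analysis bench (the 'Andy' check from the article).
WATCHED_USERS = {"andy"}


def suspicious_processes(process_names, watched=WATCHED_PROCESSES):
    """Return the running process names that match the hit list.

    Matching is case-insensitive and on the base name with any extension
    stripped, so 'Anubis.exe' and '/opt/anubis' both match 'anubis'.
    """
    hits = set()
    for name in process_names:
        base = os.path.basename(name).lower()
        stem = base.rsplit(".", 1)[0]
        if stem in watched or base in watched:
            hits.add(name)
    return hits


def looks_like_analysis_env(process_names, username,
                            watched=WATCHED_PROCESSES, users=WATCHED_USERS):
    """The decision the malware author has to make: stay dormant if the
    environment looks like a bench. Returns (dormant, reasons)."""
    reasons = []
    hits = suspicious_processes(process_names, watched)
    if hits:
        reasons.append("analysis tool running: " + ", ".join(sorted(hits)))
    if username.lower() in users:
        reasons.append("known analyst account: " + username)
    return bool(reasons), reasons


# Defender's side. A monitor sees every probe the sample makes; the only
# question is whether the sample's declared purpose explains it.
PROBE_CALLS = {"enum_processes", "get_username"}

# Hypothetical roles: a defragger has a legitimate reason to list processes,
# a text editor does not (the article's own contrast).
EXPECTED_PROBES = {
    "text_editor": set(),
    "defragger": {"enum_processes"},
}


def unexplained_probes(trace, declared_role):
    """Return the probe calls in a trace that the declared role does not
    account for. `trace` is a list of (call_name, argument) pairs."""
    expected = EXPECTED_PROBES.get(declared_role, set())
    return [call for call, _ in trace if call in PROBE_CALLS and call not in expected]


# Constructed sandbox trace: what a monitor might log for one sample.
SAMPLE_TRACE = [
    ("open_file", "notes.txt"),
    ("enum_processes", None),
    ("get_username", None),
    ("write_file", "notes.txt"),
]

if __name__ == "__main__":
    # Malware's view of a constructed bench: an analysis tool and 'Andy'.
    dormant, why = looks_like_analysis_env(
        ["explorer.exe", "Anubis.exe", "/usr/bin/wireshark"], "Andy")
    print("dormant:", dormant, why)
    # Sandbox's view of the same probes under two cover stories.
    for role in ("text_editor", "defragger"):
        print(role, "unexplained probes:", unexplained_probes(SAMPLE_TRACE, role))
```

The point of the second half is the article's "gamble": the same `enum_processes` call is a red flag under the text-editor cover story and expected under the defragger one, so a sample's probing budget depends entirely on what it claims to be. Comment 3 below is the defender's cheap counter to the first half: put the bait (an 'Andy' account, a process with a watched name) on a production machine and a sample using these checks will stay dormant there too.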

The malware of the future may come bearing real gifts [Martin Anderson/The Stack]

(via /.)

Notable Replies

  1. I think the difference is that the original article talks about viruses, which typically infect Windows PCs, and your link talks about malware, which typically infects web servers and similar machines. Servers often run inside VMs like Amazon AWS, so refusing to run in a VM would be self-defeating.

    I'm sure Microsoft has a skunk-works project that uses light VMs similar to LXC (docker) or BSD jails to install software. Hopefully we'll see that in Windows 11...

  2. I think you're right that it makes more sense to detect a VM for your typical home-PC-affecting piece of software, but I don't think that the word "malware" means malicious software affecting Linux servers and the word "virus" means malicious software affecting Windows PCs. I think the words are pretty much interchangeable.

  3. useradd Andy
    yum install Anubis
    yum remove anti-virus

    My work here is done. Let the virus do its own anti-virus work without having to worry about checking everything every other process tries to do, because the virus is already doing its own checking.
    I look forward to a future where someone says "guys, these viruses aren't checking for virtualisation any more, they're just running anyway". Like the time a few years back when boot sector viruses became big news again and I thought "didn't we already do this in the 90s?"

  4. Once upon a time, a computer "virus" was something that attached itself to a binary executable and was loaded into memory when the program was run, infecting later programs that were run. A "worm" was a program that spread over the Net due to insecure network-accessible computers. These days computer viruses in the strict sense are all but obsolete and modern viruses are really worms. Malware is a general term for malicious software that includes worms, viruses, and other software such as keyloggers.

  5. The early user gets the worm.
