2006-11-25

Malware trend worth watching

Malware that can detect VM or sandboxed environments and react appropriately is not a new concept. However, seeing it in the wild with any sort of frequency is big news. In a little-reported SANS ISC update, Lenny Zeltser comments "3 out of 12 malware specimens recently captured in our honeypot refused to run in VMware."

This is a trend analysts knew was going to come around eventually. While the tactic's employment by authors is still in its infancy, this represents a major development: every malware analyst uses VMWare at some point in their analysis. It appears the "bad guys" figured out how to get another leg up in the constant arms race we engage in. This will be yet another aspect of the back-and-forth between authors and analysts that has been ongoing for years. Someone will find a way to beat the VMWare detection, then better detection will be developed, and so-on. However, this is one of the biggest leaps in anti-analysis from the black-hats since the emergence of executable packing. Better keep an eye on this one, folks.

1 comment:

Anonymous said...

Thanks for the heads up on this one Micheal.I agree it will be interesting to see where this will lead.