In the past, malicious programs would beat a hasty retreat when they detected a virtual machine, in order to avoid being analysed in a researcher's sandbox. Unfortunately that seems to be all in the past, according to Symantec's research.
As virtual machines become more widespread in enterprise environments, refusing to run on one means giving up a growing share of potential victims, so malware authors have stepped up their efforts to keep their malware running, and undetected, on VMs as well.
To measure exactly how much malware changes its behaviour when it detects a VM, Symantec studied 200,000 malware samples submitted over a two-year period. The samples were run on both virtual and non-virtual machines, and a meagre 18 percent of them stopped executing when a VM was detected.
“Malware authors want to compromise as many systems as possible, so if malware does not run on a VM, it limits the number of computers it could compromise,” wrote Candid Wueest, a threat researcher for Symantec, in a blog post Tuesday. “So, it should not come as a surprise that most samples today will run normally on a virtual machine.”
One tactic malware uses to avoid detection on a virtual machine is simply to wait. Automated analysis systems usually observe a file for only its first five or ten minutes, so a sample that does nothing suspicious in that window is classed as harmless and only starts its real work afterwards.
“This can make it difficult or impossible for an automated system to come to an accurate conclusion about the malware in a short time frame,” according to Symantec’s report.
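As an added illustration of the delay tactic described above (this is not code from Symantec's report or from any real sandbox), here is a small Python model of a sample that sleeps before acting, run against an analysis with a fixed time budget. It also shows one common sandbox counter-measure the article does not mention, sleep skipping, where each requested sleep is capped so the payload is reached inside the budget. The names, the 300-second budget, the sample's actions and the TEST-NET address are assumptions chosen for illustration.

```python
# Added example, not code from Symantec's report or any real sandbox: a toy
# model of the "wait it out" evasion. A sample is modelled as a generator of
# (api, argument) actions; the analysis drives it against a wall-clock budget.
# Names, budget and sleep lengths are assumptions chosen for illustration.

from typing import Callable, Iterator, List, Tuple

Action = Tuple[str, object]             # ("sleep", seconds) or (api_name, argument)
Sample = Callable[[], Iterator[Action]]

# Behaviours the toy analysis treats as malicious when it observes them.
SUSPICIOUS = {"write_autorun", "connect"}


def delayed_payload() -> Iterator[Action]:
    """Constructed sample: idles for ten minutes, then installs persistence."""
    yield ("sleep", 600)
    yield ("write_autorun", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater")
    yield ("connect", "203.0.113.7:443")       # TEST-NET address, not a real C2


def eager_payload() -> Iterator[Action]:
    """Constructed sample that misbehaves immediately; any analysis catches it."""
    yield ("write_file", r"C:\Users\Public\dropper.exe")
    yield ("connect", "203.0.113.7:443")


def analyze(sample: Sample, budget_s: float = 300.0,
            skip_sleeps: bool = False, max_sleep_s: float = 1.0) -> Tuple[str, List[str]]:
    """Run `sample` until something suspicious happens or the time budget is spent.

    With skip_sleeps=False every requested sleep costs the full (simulated)
    time, so a long enough sleep exhausts the budget before the payload runs.
    With skip_sleeps=True each sleep is capped at max_sleep_s, the way a
    sleep-skipping sandbox shortcuts Sleep()-style calls, so the payload is
    reached and observed within the same budget.
    """
    clock = 0.0
    log: List[str] = []
    for api, arg in sample():
        if api == "sleep":
            elapsed = min(float(arg), max_sleep_s) if skip_sleeps else float(arg)
            clock += elapsed
            log.append(f"t={clock:.0f}s sleep({arg}) -> honoured {elapsed:.0f}s")
        else:
            log.append(f"t={clock:.0f}s {api}({arg})")
            if api in SUSPICIOUS:
                return "malicious", log
        if clock >= budget_s:
            # Nothing bad seen before time ran out: the inaccurate conclusion
            # the delay tactic is designed to produce.
            log.append(f"t={clock:.0f}s analysis budget ({budget_s:.0f}s) exhausted")
            return "benign", log
    return "benign", log


if __name__ == "__main__":
    for label, kwargs in (("naive sandbox", {}), ("sleep-skipping sandbox", {"skip_sleeps": True})):
        verdict, log = analyze(delayed_payload, **kwargs)
        print(f"{label}: {verdict}")
        for line in log:
            print("   ", line)
```

The naive run stops at the 300-second budget having seen only a sleep and reports "benign"; the sleep-skipping run honours one second of the ten-minute sleep, then sees the autorun write and reports "malicious". Extending the budget to more than the sleep also catches the sample, which is why longer analysis windows and sleep skipping are both used in practice.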
Security researchers actually welcome the change: since the large majority of malware now runs normally instead of quitting as soon as it sees a VM, samples can be observed inside virtual machines, which at least increases the chance of detecting them in other ways.
For those concerned about their VMs, Symantec recommends better-protected hosting servers, keeping VMs up to date and, of course, always running strong, up-to-date antivirus software.