If malware does not run in a VM why not make everything a VM?

One has to take into account why the malware is doing this distinction in the first place.

Some malware does not run in the VM because the chance is high that this VM is used for inspecting the malware (i.e. by some security researcher), since most normal users don't use a VM. But if everybody is using a VM, then the chance is low that the VM is used for inspecting. This means there is no real reason anymore to use this kind of simple heuristic to distinguish between a potential security researcher and a victim. Therefore this heuristic will be considered useless and a different one will be used in the future, which means that future malware will also run inside a VM.

Note that there are also other heuristics, like checking if specific tools often used by researchers are installed on the system. Now, why not just let everybody install such tools in order to disable malware? Same reason: the heuristic will no longer be used by the malware authors since it no longer works reliably enough.
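The argument above, as an added illustration that is not part of the original answer: a small Bayesian model of the attacker's decision. The base rates (researcher_rate, vm_given_researcher, vm_given_victim) are constructed assumptions, not measured figures; the point is how the value of the "am I in a VM?" heuristic collapses as ordinary users adopt VMs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Population:
    """Constructed base rates (assumptions for illustration, not real-world measurements)."""
    researcher_rate: float      # P(researcher): share of hosts that are analysis boxes
    vm_given_researcher: float  # P(VM | researcher): analysts almost always use VMs
    vm_given_victim: float      # P(VM | ordinary user): what "make everything a VM" raises


def p_vm(pop: Population) -> float:
    """Overall probability that a host the malware lands on is a VM."""
    return (pop.vm_given_researcher * pop.researcher_rate
            + pop.vm_given_victim * (1.0 - pop.researcher_rate))


def p_researcher_given_vm(pop: Population) -> float:
    """Bayes' rule: how likely a VM is an analysis box rather than a victim."""
    return pop.vm_given_researcher * pop.researcher_rate / p_vm(pop)


def victims_skipped(pop: Population) -> float:
    """Share of ordinary users the malware forfeits by refusing to run in VMs."""
    return pop.vm_given_victim


def max_victim_vm_rate(pop: Population, min_precision: float) -> float:
    """Largest P(VM | ordinary user) at which P(researcher | VM) still reaches min_precision.

    Solves P(researcher | VM) >= t for vm_given_victim in closed form:
    a / (a + b(1-r)) >= t  <=>  b <= a(1-t) / (t(1-r)), with a = P(VM|researcher)*P(researcher).
    """
    a = pop.vm_given_researcher * pop.researcher_rate
    return a * (1.0 - min_precision) / (min_precision * (1.0 - pop.researcher_rate))


if __name__ == "__main__":
    base = Population(researcher_rate=0.001, vm_given_researcher=0.95, vm_given_victim=0.001)
    for victim_vm in (0.001, 0.01, 0.1, 0.5, 0.9):
        pop = Population(base.researcher_rate, base.vm_given_researcher, victim_vm)
        print(f"P(VM|victim)={victim_vm:5.3f}  P(researcher|VM)={p_researcher_given_vm(pop):.4f}"
              f"  victims skipped={victims_skipped(pop):.0%}")
    print(f"heuristic keeps >=50% precision only while P(VM|victim) <= "
          f"{max_victim_vm_rate(base, 0.5):.5f}")
```

With these rates the heuristic is already a coin flip once about 0.1% of ordinary users run in VMs, and at 50% adoption it identifies a researcher in under 0.2% of the VMs it sees while forfeiting half of all victims.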

In fact, something similar is being practiced. First of all, note the following:

  • Not all malware checks for VMs, and there are other common criteria for not running, such as research or monitoring tools.

  • You don't need to run in a VM. You just need to make the malware think that you do.

One company which uses this technique is Minerva. They call it Hostile Environment Simulation:

Attackers invest tremendous efforts to develop and test malicious programs that evade your existing defenses and will only launch in an environment they consider safe. Evasive malware checks for a variety of security tools, e.g. sandbox, debugger, antivirus and others, and only then decides whether or not to attack.

Minerva Labs' Hostile Environment Simulation mimics the presence of security products that evasive malware is designed to bypass. When advanced malware encounters artifacts belonging to the following categories, it shuts itself down instead of exhibiting its true nature:

  • Anti-Virus and other security solutions used for malware detection.
  • Virtual machines and emulators, used for manual and automatic malware analysis.
  • Sandbox products, used to learn the behavior of suspicious programs by detonating them in a controlled environment.
  • Forensics toolkits, used by analysts to dissect malware samples as part of forensics investigations.

Because if malware runs in a VM, it cannot infect the host machine or other VMs.

Putting everything in VMs is still a viable way to improve security, and it is being done.