Shylock Malware Detects VMs to Evade Analysis
The sophisticated banking Trojan gains a new trick: The ability to detect virtual machines controlled using remote sessions, a common configuration for researchers.A sophisticated banking Trojan known as Shylock has gained a new trick: The ability to detect whether it's running in a virtual machine (VM) that is being analyzed by malware researchers. While malware, such as the infamous Conficker worm, has used a variety of anti-VM techniques to attempt to make analysis more difficult, Shylock may be the first to detect whether the VM is actively being controlled by a researcher through a remote connection, according to software security firm Trusteer. Virtual machines are commonly used by malware researchers and analysts to run programs in a simulated environment to more easily detect malicious behavior. "We see more institutions and corporations use network scanning tools to grab potentially dangerous files off a system, and then a malware analyst will use a remote desktop to access the machine where it is stored," said George Tubin, senior security strategist for Trusteer. "And so malware authors are looking for researchers who are accessing the virtual machines from a remote desktop." When Shylock detects that it is running in a virtual environment, the program will exit, according to Trusteer.
While Shylock and other malware attempt to prevent themselves from running in virtual machines, VMs have become such a common part of infrastructure that other malicious programs seek out such systems. The Crisis malware, for example, would find and infect virtual-machine images through functions normally used to patch the virtual systems. In addition, researchers have found techniques for stealing data from other virtual machines running on the same host.