One of the techniques malware can use to evade researchers' virtual environments is accessing recent documents to determine if the infected machine has a history of legitimate usage.
Caleb Fenton, a senior security researcher at SentinelOne, described the technique in a company blog post Thursday that analyzed a malicious Word document that does not execute properly if it detects a VM environment.
“Most users, unless they just installed Word, are going to have opened more than two documents. However, on a testing virtual machine (VM), the software is normally not ‘broken in,'” Fenton explained. “If malware can be smart enough to know when it's being tested in a VM, it can avoid doing anything suspicious or malicious and thereby increase the time it takes to be detected by such tools.”
The same malware sample also looked for VMs by checking the machine's IP address to see if it is “associated with any hosting or anti-virus companies which are likely to be hosting testing VMs,” the blog post continued. If the machine appeared to be genuine, the malware would drop a low-level keylogger payload.
