Malware evades researchers’ VM environments by looking up their Word doc history


One of the techniques malware can use to evade researchers' virtual environments is accessing recent documents to determine if the infected machine has a history of legitimate usage.

Caleb Fenton, a senior security researcher at SentinelOne, described the technique in a company blog post Thursday that analyzed a malicious Word document that does not execute properly if it detects a VM environment.

“Most users, unless they just installed Word, are going to have opened more than two documents. However, on a testing virtual machine (VM), the software is normally not ‘broken in,’” Fenton explained. “If malware can be smart enough to know when it's being tested in a VM, it can avoid doing anything suspicious or malicious and thereby increase the time it takes to be detected by such tools.”

The same malware sample also looked for VMs by checking the machine's IP address to see if it is “associated with any hosting or anti-virus companies which are likely to be hosting testing VMs,” the blog post continued. If the machine appeared to be genuine, the malware would drop a low-level keylogger payload.
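As an added example (not code from the article or from SentinelOne), the following PowerShell audit lets a sandbox operator check whether an analysis VM would fail the "more than two recent documents" test described above before detonating a sample. It assumes Word keeps its recent-file list under `HKCU:\Software\Microsoft\Office\<version>\Word\File MRU` as values named `Item N`; the function names and the threshold of three are this example's own choices.

```powershell
# Added example: audit an analysis VM for the "too few recent Word documents" tell.
# Assumption: Word's recent-file list lives under
# HKCU:\Software\Microsoft\Office\<version>\Word\File MRU as values named "Item N".
function Get-WordRecentDocCount {
    [CmdletBinding()]
    param()
    $base = 'HKCU:\Software\Microsoft\Office'
    if (-not (Test-Path $base)) { return 0 }
    $total = 0
    # Walk every installed Office version key (e.g. 14.0, 15.0, 16.0)
    foreach ($ver in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $mru = Join-Path $base "$($ver.PSChildName)\Word\File MRU"
        if (-not (Test-Path $mru)) { continue }
        $props = Get-ItemProperty -Path $mru -ErrorAction SilentlyContinue
        # Only the "Item N" values are document entries; ignore e.g. "Max Display"
        $items = @($props.PSObject.Properties | Where-Object { $_.Name -like 'Item *' })
        $total += $items.Count
    }
    return $total
}

function Test-WordHistoryLooksBrokenIn {
    param([int]$MinimumDocs = 3)   # mirrors the article's "more than two documents"
    $count = Get-WordRecentDocCount
    [pscustomobject]@{
        RecentWordDocs = $count
        LooksBrokenIn  = ($count -ge $MinimumDocs)
    }
}

# Run on the analysis VM before detonation; LooksBrokenIn = False means the VM
# still needs realistic document history (open and save a few harmless files).
Test-WordHistoryLooksBrokenIn | Format-List
```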

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
