Does malware still detect virtual machines?

By: Candid Wueest, Software Engineer at Symantec

Virtual machines (VMs) have been used for many years and are popular among researchers because malware can be executed and analyzed in them without having to reinstall a physical system after every run. The analysis can be done manually or by automated systems, each method with its own benefits and drawbacks. Every artifact the sample produces is recorded, and a verdict is reached to block or allow the application. For the same reasons, sandbox and virtualization technology have become common components of many network security solutions: the aim is to find previously unknown malware by executing the samples and analyzing their behavior.

However, there is an even bigger realm of virtual systems out there. Many customers have moved virtual machines into their production environment, and many servers now run as VMs, performing their daily duties with real customer data. This leads to a common question when talking to customers: “Does malware detect that it is running on a virtual system and quit?”

It is true that some malware writers try to detect whether their creation is running on a VM by using tricks such as:

  • Checking for certain registry keys that exist only on virtual systems
  • Checking whether guest helper tools such as VMware Tools are installed
  • Executing special assembler instructions and comparing the results with what physical hardware returns
  • And others
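The three checks in that list, as an added example that is not part of the original post and not Symantec code: a small C program that performs each of them the way a sample would (a CPUID probe for the hypervisor-present bit and the vendor signature leaf, a lookup of registry keys that only guest tools create, and a search for guest-agent binaries), so an analyst can compile it and run it inside a sandbox to see which artifacts that sandbox leaks. The vendor signatures, registry paths and file paths are the publicly documented ones for VMware, VirtualBox, KVM/QEMU, Hyper-V and Xen; the set is illustrative rather than exhaustive, the function and array names are this example's own, and the registry part compiles only with a Windows toolchain.

```c
/* Added example (not from the original post, not Symantec code): the three kinds
 * of VM checks listed above, written as a sample would; all strings are public. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#endif
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif
/* 1. "Special assembler code": CPUID.1:ECX bit 31 is reserved (0) on bare metal and
 * set by hypervisors. Some can hide it, so a clear bit means "not proven", not "physical". */
int hypervisor_bit_set(uint32_t ecx) { return (ecx >> 31) & 1u; }
/* CPUID.40000000h returns a 12-byte vendor signature in EBX, ECX, EDX; the bytes are
 * laid out little-endian in the registers, as on every x86 host. */
void decode_hv_signature(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out, &ebx, 4); memcpy(out + 4, &ecx, 4); memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}
/* Signature -> product, NULL if unknown. KVM pads "KVMKVMKVM" with NULs; strcmp copes. */
const char *hv_name_from_signature(const char *sig) {
    static const struct { const char *sig, *name; } known[] = {
        { "VMwareVMware", "VMware" },  { "VBoxVBoxVBox", "VirtualBox" },
        { "KVMKVMKVM", "KVM" },        { "TCGTCGTCGTCG", "QEMU (TCG)" },
        { "Microsoft Hv", "Hyper-V" }, { "XenVMMXenVMM", "Xen" },
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(sig, known[i].sig) == 0) return known[i].name;
    return NULL;
}
/* Live probe; returns 1 and fills sig when a hypervisor announces itself. */
int probe_cpuid(char sig[13]) {
    sig[0] = '\0';
#if HAVE_CPUID
    unsigned a, b, c, d;
    __cpuid(1, a, b, c, d);
    if (!hypervisor_bit_set(c)) return 0;
    /* __get_cpuid() rejects leaves above the basic maximum, so use the raw macro. */
    __cpuid(0x40000000, a, b, c, d);
    decode_hv_signature(b, c, d, sig);
    return 1;
#else
    return 0;   /* non-x86 build: this check does not apply */
#endif
}
/* 2. Registry keys that exist only on a Windows guest with vendor tools installed. */
static const char *vm_reg_keys[] = {
    "SOFTWARE\\VMware, Inc.\\VMware Tools",
    "SOFTWARE\\Oracle\\VirtualBox Guest Additions",
    "SYSTEM\\CurrentControlSet\\Services\\VBoxGuest",
};
const char *probe_registry(void) {
#ifdef _WIN32
    for (size_t i = 0; i < sizeof vm_reg_keys / sizeof vm_reg_keys[0]; i++) {
        HKEY h;
        if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, vm_reg_keys[i], 0, KEY_READ, &h) == ERROR_SUCCESS) {
            RegCloseKey(h);
            return vm_reg_keys[i];
        }
    }
#endif
    (void)vm_reg_keys;
    return NULL;   /* nothing found, or not Windows */
}
/* 3. Helper tools: guest-agent binaries; fopen() is a portable existence test. */
static const char *vm_tool_files[] = {
#ifdef _WIN32
    "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
    "C:\\Windows\\System32\\drivers\\VBoxGuest.sys",
#else
    "/usr/bin/vmtoolsd", "/usr/sbin/VBoxService",
#endif
};
const char *probe_tools(void) {
    for (size_t i = 0; i < sizeof vm_tool_files / sizeof vm_tool_files[0]; i++) {
        FILE *f = fopen(vm_tool_files[i], "rb");
        if (f) { fclose(f); return vm_tool_files[i]; }
    }
    return NULL;
}
/* Run inside a sandbox to see which of the three artifacts it leaks. */
int main(void) {
    char sig[13];
    const char *hit, *name = NULL;
    if (probe_cpuid(sig)) name = hv_name_from_signature(sig);
    printf("CPUID:    %s\n", sig[0] ? sig : "no hypervisor advertised");
    printf("vendor:   %s\n", name ? name : "unknown or none");
    hit = probe_registry();
    printf("registry: %s\n", hit ? hit : "no VM key (or not Windows)");
    hit = probe_tools();
    printf("tools:    %s\n", hit ? hit : "no guest agent found");
    return 0;
}
```

A clear hypervisor bit proves nothing on its own, since VMware and others can be configured not to advertise it, and a sandbox that returns bare-metal-looking values for all three probes has only defeated these particular tricks; a sample that cares will move on to timing and hardware-fingerprint checks next.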

In some rare cases we have encountered malware that does not quit when executed on a VM but instead sends false data. These “red herrings” might ping command-and-control servers that never existed or check for random registry keys. Such tactics are meant to confuse the researcher or to make the automated analysis declare the malware a benign application.

Malware authors want to compromise as many systems as possible, so malware that refuses to run on a VM limits the number of computers it can compromise. It should therefore not come as a surprise that most samples today run normally on a virtual machine, and that VM checks can be added later if the cybercriminal wishes to do so.

In order to answer the initial question with some real data, we selected 200,000 customer submissions since 2012, ran each of them on a real system and on a VMware system, and compared the results. For the last two years, the percentage of malware that detects VMware has hovered around 18 percent. On average, one in five malware samples will detect virtual machines and abort execution.

This means that malware still detects whether it is running on a VM, but only in a minority of cases. Symantec recommends that virtualized systems be protected as properly as physical ones in order to keep them safe from threats. Symantec engineers are always on the lookout for new techniques that malware authors may employ to bypass automated analysis. With a combination of proactive detection methods, such as reputation-based detection, we can ensure maximum security for our customers.
