An advantage of virtualization: a trojan that will not work in DaaS and VDI environments

Desktop as a Service, that is the positive side of VDI (Virtual Desktop Infrastructure) environments used in the cloud or on-premises in a branch office, is not only scalability, greater control over users, central security management, or restoring working environments to their pre-infection state. Virtual environments, although migrating to them from physical workstations can be expensive, have a large advantage when it comes to sandboxing the entire desktop. Virtualization also brings "unconscious" benefits to the security fence, such as mechanically preventing the execution of malicious code.

A good example supporting this thesis is the Ursnif banking trojan. Already in 2016, researchers from Proofpoint discovered that it contained unexpected techniques for detecting VirtualBox and more specialized software. Even then it was programmed to detect:

The file name. In malware analysis it is very common to use virtual environments and to save the sample under a name that is its MD5 or SHA2 hash. For example, the file name "6a12508ca454d194e0d882ef4813aa7f" is hexadecimal: it contains only the digits 0 to 9 and the letters a to f. The Ursnif banking trojan checks whether the file name contains other characters, such as "t", "R" or "#". If so, the authors assumed that the file was running on a real system. Otherwise the malware remained inert.

Installed software. Virtual systems expose a number of features that can be used to detect a "test" system: running processes whose names contain strings such as "vmware" or "vbox", registry keys pointing to a virtual processor or graphics card, too little disk space, or installed software such as Process Explorer or Wireshark (anything useful in analysis). If any of these is found, the virus does not start.

IP address and files. Malware can check the whois information of the Internet provider, or the number of recently opened files.

Infection vector and mouse movement detection

The malicious campaign, carrying the same but enhanced Ursnif trojan, starts with an e-mail message with an infected attachment. The malicious Word document contains a macro that checks whether the file name consists only of the characters 0 to 9 and a to f. If so, it exits.

Otherwise, the second part of the VBA code (the language used to write macros) checks whether the running processes include any of: "fiddler", "vxstream", "vbox", "tcpview", "vmware", "process explorer", "vmtools", "autoit", "wireshark", "visual basic", "process monitor". If so, the virus terminates.

The campaign analyzed by the researchers targets users in Australia, because the virus checks whether it is running in the right geographical region.

The last test looks at the network name. If the name suggests a military, public or government institution, the virus does not infect the computer; the words checked are "hospital", "university", "school", "science", "army", "veterans", "government" and "nuclear".
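For a defender, the checks described above are also a fingerprint: a macro that compares the document name against a hex alphabet, enumerates processes and carries a list of analysis-tool names is worth flagging before it ever reaches a sandbox. The following Python script is an added example (not code from the article, Proofpoint or AVLab) that scans VBA source text for exactly those indicators. The process and network word lists come from the article; the hex-test patterns and the WMI/VBA identifiers used as triage features are assumptions of this example, and the two macros it scans are constructed samples.

```python
import re

# Process-name strings the analysed Ursnif macro compares against running
# processes (as listed in the article).
PROCESS_BLOCKLIST = [
    "fiddler", "vxstream", "vbox", "tcpview", "vmware", "process explorer",
    "vmtools", "autoit", "wireshark", "visual basic", "process monitor",
]

# Network-name words the macro uses to skip certain institutions (from the article).
NETWORK_BLOCKLIST = [
    "hospital", "university", "school", "science", "army", "veterans",
    "government", "nuclear",
]

# How a "does the file name consist only of 0-9 and a-f?" test tends to look in
# VBA: a Like/regex character class or a literal hex alphabet. These patterns are
# an assumption of this example, not something quoted from the article.
HEX_NAME_PATTERNS = [re.compile(r"0-9a-f"), re.compile(r"0123456789abcdef")]

# WMI/VBA identifiers used to enumerate processes or read names. Well-known
# identifiers chosen as triage features for this example (not from the article).
RECON_IDENTIFIERS = ["win32_process", "activedocument.name", "computername", "environ("]


def scan_macro(vba_source):
    """Return the anti-analysis indicators present in VBA source (case-insensitive)."""
    text = vba_source.lower()
    return {
        "process_strings": [s for s in PROCESS_BLOCKLIST if s in text],
        "network_words": [w for w in NETWORK_BLOCKLIST if w in text],
        "hex_name_check": any(p.search(text) for p in HEX_NAME_PATTERNS),
        "recon_calls": [r for r in RECON_IDENTIFIERS if r in text],
    }


def is_evasive(findings, min_process_hits=2):
    """Triage verdict: a process-enumeration call combined with several tool names,
    a hex-only file-name test, or an institution blocklist marks the macro as
    sandbox-aware."""
    tool_check = (len(findings["process_strings"]) >= min_process_hits
                  and "win32_process" in findings["recon_calls"])
    return tool_check or findings["hex_name_check"] or len(findings["network_words"]) >= 3


# Constructed sample in the shape the article describes (not the real macro):
# a hex-only file-name test, a process query and an array of tool names.
SAMPLE_MACRO = """
Sub AutoOpen()
    fn = LCase(ActiveDocument.Name)
    If Not fn Like "*[!0-9a-f.]*" Then Exit Sub
    bad = Array("fiddler", "vbox", "wireshark", "process monitor")
    Set procs = GetObject("winmgmts:").ExecQuery("SELECT Name FROM Win32_Process")
    ' ... compare each process name against bad() and exit if any match ...
End Sub
"""

# Constructed benign macro for comparison.
BENIGN_MACRO = """
Sub Greet()
    MsgBox "Report generated"
End Sub
"""

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        found = scan_macro(src)
        print(name, "evasive" if is_evasive(found) else "clean", found)
```

The verdict deliberately requires the process-enumeration call together with at least two tool names, because a single string such as "vmware" appears in plenty of legitimate macros; the hex file-name test and the institution blocklist are specific enough to count on their own.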

Virtualization in the age of cyber threats

Virtualization has many advantages. One of them is resistance to some advanced threats that detect, among other things:

  • process names (e.g. TPAutoConnSvc.exe),
  • registry keys (e.g. HKLM\SYSTEM\ControlSet001\Services\VBoxGuest),
  • installed devices,
  • the drivers for the graphics card and USB,
  • the computer name,
  • the BIOS vendor ("SystemBiosVersion"; "VMware"),
  • the capacity of the virtual disk,
  • mouse movements,
  • the software used for analysis,
  • the MAC address of the network adapter (the first 3 octets are key),
  • assembler instructions (e.g. IDT, SMSW, CPUID),
  • loaded DLLs (e.g. sbiedll.dll, i.e. the Sandboxie software),
  • the number of files in user folders,
  • screen resolution.
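The same list works in reverse for a malware lab: an analyst who wants a sample like this to detonate has to remove these artifacts from the analysis VM first. The Python script below is an added example (not code from the article or from any vendor it mentions) that audits a snapshot of an analysis VM against the artifacts named in this article and in the earlier sections (hex-only sample name, tool process names, sbiedll.dll, the VBoxGuest registry key, SystemBiosVersion, MAC prefix, disk size, user files, resolution) and says what to fix. The `HostFacts` structure, the OUI table, the numeric thresholds and the computer-name words are assumptions of this example; both VM snapshots are constructed.

```python
import re
import uuid
from dataclasses import dataclass

# Artifacts from the article's list. The OUI table, thresholds and host-name words
# are assumptions of this example (common sandbox-hardening values), not article data.
PROCESS_STRINGS = ["vmware", "vbox", "vmtools", "tpautoconnsvc", "wireshark",
                   "process explorer", "process monitor", "fiddler", "tcpview", "autoit"]
SANDBOX_DLLS = ["sbiedll.dll"]                                        # Sandboxie (article)
VM_REGISTRY_KEYS = [r"HKLM\SYSTEM\ControlSet001\Services\VBoxGuest"]  # from the article
BIOS_STRINGS = ["vmware", "vbox", "virtualbox"]                       # "VMware" from article
HOST_WORDS = ["sandbox", "malware", "virus", "analysis"]              # assumption
VM_OUIS = {                                                           # first 3 octets
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "00:16:3e": "Xen", "52:54:00": "QEMU/KVM",
}
MIN_DISK_GB = 60                                   # assumption
MIN_USER_FILES = 50                                # assumption
BARE_VM_RESOLUTIONS = {(800, 600), (1024, 768)}    # assumption
HEX_NAME = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)


@dataclass
class HostFacts:
    """Snapshot of the analysis VM, filled in by whatever tooling the lab uses."""
    sample_name: str
    processes: list
    loaded_dlls: list
    registry_keys: list
    hostname: str
    bios_version: str
    mac: str
    disk_gb: float
    user_files: int
    resolution: tuple


def local_mac():
    """MAC of this host as aa:bb:cc:dd:ee:ff (stdlib only), for filling HostFacts.mac."""
    node = uuid.getnode()
    return ":".join(f"{(node >> s) & 0xff:02x}" for s in range(40, -1, -8))


def audit(facts):
    """Return (artifact, value, fix) triples for every check that would betray the VM."""
    findings = []
    stem = facts.sample_name.rsplit(".", 1)[0]
    if HEX_NAME.match(stem):  # hash-as-file-name test described in the article
        findings.append(("file name", facts.sample_name, "rename the sample to an ordinary name, e.g. invoice.doc"))
    for s in PROCESS_STRINGS:
        if any(s in p.lower() for p in facts.processes):
            findings.append(("process", s, "rename the tool's binary or stop it before detonation"))
    for d in SANDBOX_DLLS:
        if any(d == x.lower() for x in facts.loaded_dlls):
            findings.append(("loaded DLL", d, "do not run the sample inside the sandbox host process"))
    for k in VM_REGISTRY_KEYS:
        if any(k.lower() == x.lower() for x in facts.registry_keys):
            findings.append(("registry key", k, "rename or hide the guest-additions service key"))
    if any(w in facts.hostname.lower() for w in HOST_WORDS):
        findings.append(("computer name", facts.hostname, "use a user-style computer name"))
    if any(b in facts.bios_version.lower() for b in BIOS_STRINGS):
        findings.append(("BIOS version", facts.bios_version, "override SystemBiosVersion / SMBIOS strings"))
    oui = facts.mac.lower().replace("-", ":")[:8]
    if oui in VM_OUIS:
        findings.append(("MAC OUI", f"{oui} ({VM_OUIS[oui]})", "assign a MAC with a non-VM vendor prefix"))
    if facts.disk_gb < MIN_DISK_GB:
        findings.append(("disk capacity", f"{facts.disk_gb} GB", f"grow the virtual disk to at least {MIN_DISK_GB} GB"))
    if facts.user_files < MIN_USER_FILES:
        findings.append(("user files", facts.user_files, "seed Documents and Downloads with realistic files"))
    if tuple(facts.resolution) in BARE_VM_RESOLUTIONS:
        findings.append(("screen resolution", facts.resolution, "use a common desktop resolution such as 1920x1080"))
    return findings


# Constructed snapshot of a poorly hardened VirtualBox lab (not from the article).
NAIVE_LAB = HostFacts(
    sample_name="6a12508ca454d194e0d882ef4813aa7f.exe",
    processes=["explorer.exe", "VBoxService.exe", "Wireshark.exe", "VBoxTray.exe"],
    loaded_dlls=["ntdll.dll", "SbieDll.dll"],
    registry_keys=[r"HKLM\SYSTEM\ControlSet001\Services\VBoxGuest"],
    hostname="SANDBOX-01", bios_version="VBOX   - 1", mac="08:00:27:4e:aa:01",
    disk_gb=40, user_files=3, resolution=(1024, 768),
)

# Constructed snapshot of the same lab after hardening.
HARDENED_LAB = HostFacts(
    sample_name="Q3_invoice_2847.doc",
    processes=["explorer.exe", "WINWORD.EXE", "OneDrive.exe"],
    loaded_dlls=["ntdll.dll", "kernel32.dll"], registry_keys=[],
    hostname="DESKTOP-7K2PQ1", bios_version="Dell Inc. 1.14.0", mac="f4:8c:50:12:34:56",
    disk_gb=256, user_files=420, resolution=(1920, 1080),
)

if __name__ == "__main__":
    for label, facts in (("naive", NAIVE_LAB), ("hardened", HARDENED_LAB)):
        print(label, len(audit(facts)), "findings")
        for artifact, value, fix in audit(facts):
            print(f"  {artifact}: {value} -> {fix}")
```

Run against the naive snapshot the audit reports every category in the article's list that the snapshot exposes; the hardened snapshot produces no findings. Mouse movement and the assembler-level checks (IDT, SMSW, CPUID) are deliberately outside this script, since they cannot be judged from a static snapshot and need instrumentation in the guest.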

Ironically, companies using virtual desktops unknowingly hinder the authors of malicious code and at the same time make the job of security vendors easier. Protecting virtual environments is not easy. The case described above is nothing exceptional. However, the share of malicious code using "anti-VM" techniques, relative to malicious code that does not use them, is not widely known. Despite this, vendors of software and hardware solutions can count on an easier ride here. They have to take care of central management, integration with the hypervisor, product scalability across VDI or DaaS environments, and think about performance and protection that must meet the same requirements as on ordinary workstations, while taking into account the specifics of the environment.


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.