Malware needs to know if it's in the Matrix


#1

[Permalink]


#2

Kind of contradicts this: http://www.pcworld.com/article/2464580/malware-is-less-concerned-about-virtual-machines.html


#3

I think the difference is that the original article talks about viruses, which typically infect Windows PC’s, and your link talks about malware, which typically infects web servers and similar machines. Servers often run inside VM’s like Amazon AWS, so refusing to run in a VM would be self-defeating.

I’m sure Microsoft has a skunk-works project that uses light VM’s similar to LXC (docker) or BSD jails to install software. Hopefully we’ll see that in Windows 11…


#4

I think you’re right that it makes more sense to detect a VM for you typical home PC affecting piece of software but I don’t think that the word “malware” means malicious software affecting Linux servers and the word “virus” means malicious software affecting Windows PCs. I think the words are pretty much interchangeable.


#5

useradd Andy
yum install Anubis
yum remove anti-virus

My work here is done. Let the virus do it’s own anti-virus work without having to worry about checking everything every other process tries to do, because the virus is already doing it’s own checking.
I look forward to a future where someone says “guys, these viruses aren’t checking for virtualisation any more, they’re just running anyway”. Like the time a few years back when boot sector viruses became big news again and I thought “didn’t we already do this in the 90s?”


#6

[looks at one of my library files at work]

IsRunningHyperV();
IsRunningOnVM();
IsRunningOnVMType();
IsRunningVBox();
IsRunningVMWare();
IsRunningVMWare();
IsRunningVPC();
IsRunningWine();
IsRunningWine();

[wonders if the pay and interest level is better as a malware author]


#7

But it’s a race. You can implement crude tricks to defeat their analysis, but if those tricks become widespread, their analysis will adapt.

Inevitably their analysis will become progressively more complex, using signature-matching and heuristics. Sound familiar? Virus and anti-virus: adversarial quasi-AIs whose goal is figuring out what’s actually real while deceiving the other.


#8

Once upon a time, a computer “virus” was something that attached itself to a binary executable and was loaded into memory when the program was run, infecting later programs that were run. A “worm” was a program that spread over the Net due to insecure network-accessible computers. These days computer viruses in the strict sense are all but obsolete and modern viruses are really worms. Malware is a general term for malicious software that includes worms, viruses, and other software such as keyloggers.


#9

The early user gets the worm.


#10

“Why do my subroutines hurt?”


#11

So basically we need to do all of our internet and network connections on virtual machines so that advance malware will decide not to affect us, having detected that we are running it on a virtual machine and therefore thinking we have set a trap?


#12

Would work for a short while, until the malware adjusts.


#13

Or they might just skip that and go straight to12.


#14

The second mouse gets the cheese.


#15


#16

So if I don’t want to get infected (or at least actively exploited), then I should make my machine look as much like a malware honeypot as possible? That seems doable…


#17

This topic was automatically closed after 5 days. New replies are no longer allowed.