Running Virtual Analysis on Malware is Failing These Days
As organizations move their malware testing into virtual machines, that approach is beginning to fail. The biggest issue with testing malware on virtual machines and other isolated environments is that viruses and other malware now ship with a component that recognizes the presence of a virtual environment. They are coded to check which environment they are running in, so as to avoid being analyzed by analysts and researchers.
Businesses also use virtual environments to reconstruct how a threat entered their networks, which vulnerabilities exist, and so on.
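The VM-awareness described above usually shows up in a sample before it ever runs: code that fingerprints a hypervisor or analysis tool has to name what it is looking for. The following static triage check, an added example that is not code from the original post, scans a file for such strings in both ASCII and Windows wide-string (UTF-16LE) form and tells the analyst when the sandbox verdict deserves extra scrutiny. The indicator table is a hand-picked assumption, not an exhaustive list, and the sample bytes are constructed; a hit is a hint, not proof of malicious intent.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed indicator table (assumption: a small hand-picked subset).
# These strings are commonly referenced by code that fingerprints hypervisors
# or analysis tooling; their presence is a hint for the analyst, not proof.
VM_ARTIFACT_INDICATORS = {
    "vmware": ["VMware", "vmtoolsd", "VMwareVMware"],
    "virtualbox": ["VirtualBox", "VBoxGuest", "VBoxService", "VBoxVBoxVBox"],
    "other_hypervisor": ["Microsoft Hv", "KVMKVMKVM", "XenVMMXenVMM", "QEMU"],
    "analysis_tooling": ["SbieDll.dll", "wireshark", "procmon", "ollydbg"],
}


@dataclass(frozen=True)
class Finding:
    category: str
    indicator: str
    encoding: str  # "ascii" or "utf-16le"
    offset: int


def _compile_patterns():
    # One regex per indicator per encoding. Windows binaries frequently keep
    # wide (UTF-16LE) strings, so a pure-ASCII search would miss many of them.
    patterns = []
    for category, names in VM_ARTIFACT_INDICATORS.items():
        for name in names:
            for enc in ("ascii", "utf-16le"):
                raw = name.encode(enc)
                patterns.append((category, name, enc,
                                 re.compile(re.escape(raw), re.IGNORECASE)))
    return patterns


_PATTERNS = _compile_patterns()


def scan_for_vm_artifacts(data: bytes) -> List[Finding]:
    """Return every indicator hit in the blob, ordered by file offset."""
    findings = []
    for category, name, enc, pattern in _PATTERNS:
        for match in pattern.finditer(data):
            findings.append(Finding(category, name, enc, match.start()))
    return sorted(findings, key=lambda f: (f.offset, f.indicator))


def assess(findings: List[Finding]) -> str:
    """Turn raw hits into a triage verdict for the analyst."""
    categories = {f.category for f in findings}
    if len(categories) >= 2:
        return "likely VM/sandbox-aware: treat a clean dynamic run as inconclusive"
    if categories:
        return "possible VM/sandbox check: inspect the referencing code"
    return "no VM/sandbox artifacts found"


# Constructed sample: a fake header, a VMware registry path as an ASCII
# string, and a VirtualBox process name stored as a wide string.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"SOFTWARE\\VMware, Inc.\\VMware Tools\x00"
    + "VBoxService.exe".encode("utf-16le") + b"\x00\x00"
    + b"Some ordinary program text\x00"
)

if __name__ == "__main__":
    hits = scan_for_vm_artifacts(SAMPLE)
    for hit in hits:
        print(f"0x{hit.offset:06x} {hit.category:<16} {hit.indicator} ({hit.encoding})")
    print(assess(hits))
```

Run it on a suspect file by reading the bytes in place of `SAMPLE`. When a sample flags two or more categories, a sandbox run that shows nothing interesting should be read as "the sample chose not to run", which is the exact failure mode the post describes.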
Hackers and malicious code writers have many ways of evading antivirus products:
- Encrypting the malware files (polymorphism) – example: the download link on the website stays the same, but the server sends a newly encrypted file on each download.
- Running large numbers of files through many antivirus engines to find out which ones are detected least, or not at all.
- Packing and encrypting the malware files so that the antivirus software has to unpack them before it can inspect the contents.
And many more…
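The packed and encrypted payloads in the third item above can often be spotted statically, before any sandbox run, because encrypted or compressed data has near-maximal byte entropy while ordinary code and text do not. The following check, an added example that is not code from the original post, computes Shannon entropy per window so the analyst can see where the high-entropy region sits. The 7.2-bit threshold and 4 KiB window are heuristic assumptions, and the sample is constructed.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for a constant run, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 4096,
                         threshold: float = 7.2) -> List[Tuple[int, int, float]]:
    """Return (offset, length, entropy) for every window at or above the threshold."""
    regions = []
    for offset in range(0, len(data), window):
        chunk = data[offset:offset + window]
        entropy = shannon_entropy(chunk)
        if entropy >= threshold:
            regions.append((offset, len(chunk), round(entropy, 2)))
    return regions


def looks_packed(data: bytes, threshold: float = 7.2) -> bool:
    """Whole-file heuristic; a packed stub plus payload usually lands above it."""
    return shannon_entropy(data) >= threshold


def triage(data: bytes, window: int = 4096, threshold: float = 7.2) -> Dict[str, object]:
    """Summarize entropy evidence for the analyst."""
    regions = high_entropy_regions(data, window, threshold)
    covered = sum(length for _, length, _ in regions)
    return {
        "overall_entropy": round(shannon_entropy(data), 2),
        "high_entropy_regions": regions,
        "fraction_high_entropy": round(covered / len(data), 2) if data else 0.0,
        "verdict": ("likely packed or encrypted payload" if regions
                    else "no high-entropy region found"),
    }


# Constructed sample: a readable 4 KiB stub followed by 8 KiB of uniformly
# distributed bytes standing in for an encrypted payload.
STUB = (b"This is an ordinary, readable loader stub with plain text. " * 100)[:4096]
PAYLOAD = bytes(range(256)) * 32
SAMPLE = STUB + PAYLOAD

if __name__ == "__main__":
    report = triage(SAMPLE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A real unpacker or a plain sandbox run may still be needed to see the payload, but the entropy map tells the analyst up front that the file is wrapped and that a quiet dynamic run should not be trusted.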
Anyway, what is the lesson here? For one, it is a good idea to have proper protection for the entire server network in the business (see bottom of this post). Also, if a virtual environment will not successfully run the malware, you should probably test it on a live test box (a computer set aside for testing that is not connected to the business network).