As organizations move malware testing into virtual machines, that approach is beginning to fail. The biggest issue with testing malware on virtual machines and similar environments is that viruses and other malware are equipped with a component that recognizes the presence of a virtual environment. They are coded to check what environment they are running in, so that they can avoid being tested by analysts and researchers.
Businesses also have ways of using virtual environments to test how a threat entered their networks, what vulnerabilities exist, and so on.
Hackers and malicious code writers have many ways of evading antivirus products:
- Encrypting the malware files (polymorphism) – example: the download link on the website stays the same, but the server sends a newly encrypted file on each download.
- Scanning large numbers of malware files against many antivirus engines to find out which samples are detected least, or not at all.
- Packing and encrypting the malware files so that the antivirus software has to unpack them before the contents can be checked.
And many more…
Anyway, what is the lesson here? Well, for one, it is a good idea to have proper protection for your entire server network in the business (see the bottom of this post). Also, if a virtual environment will not successfully test the malware, you should probably test it on a live test box (a computer set aside for testing that is not connected to the business network).
Last week, US-CERT found a flaw in VMware: a SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware.
To patch the vulnerabilities, VMware released the updates for several versions:
- VMware Workstation 8.0.4 and later
- Player 4.0.4 and later
- Fusion 4.x (but not the Mac version)
- All versions of ESXi and ESX
The main flaws were:
- Input data from Checkpoint files is not validated correctly, which means a specially crafted Checkpoint file can exploit the virtualization environment.
- Traffic from remote virtual devices is not intercepted correctly; an attacker can manipulate the traffic and crash the VM.
It is recommended to patch your environment immediately with these updates.
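As an added example (not code from the original post or from VMware), a small Python check that parses the banner printed by `vmware -v` or `vmplayer -v` and compares it with the patched baselines listed above; the banner format is an assumption and the sample lines are constructed.

```python
import re

# Minimum patched versions as listed in this post (Workstation 8.0.4 and later,
# Player 4.0.4 and later). Fusion is only given as "4.x" on the page, so no exact
# baseline is encoded for it; ESX/ESXi patches are build-based and not covered here.
PATCHED_MINIMUM = {
    "Workstation": (8, 0, 4),
    "Player": (4, 0, 4),
}

# Assumed banner format, e.g. "VMware Workstation 8.0.4 build-NNNNNN".
BANNER_RE = re.compile(r"VMware\s+(Workstation|Player)\s+(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '8.0.4' into (8, 0, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_banner(banner):
    """Return (product, version_tuple, is_patched), or None if the banner is unrecognised."""
    match = BANNER_RE.search(banner)
    if not match:
        return None
    product = match.group(1)
    version = parse_version(match.group(2))
    # Tuple comparison handles differing lengths: (8, 1) > (8, 0, 4), (8, 0, 3) < (8, 0, 4).
    return (product, version, version >= PATCHED_MINIMUM[product])


# Constructed sample banners (placeholder build numbers), not output captured from a real host.
SAMPLES = [
    "VMware Workstation 8.0.4 build-000000",
    "VMware Workstation 8.0.3 build-000000",
    "VMware Player 4.0.2 build-000000",
    "VMware Player 4.1.0 build-000000",
]

if __name__ == "__main__":
    for line in SAMPLES:
        result = check_banner(line)
        status = "unrecognised" if result is None else ("patched" if result[2] else "NEEDS UPDATE")
        print(f"{line} -> {status}")
```

Run it against the real banner from each host (`vmware -v | python3 -c 'import sys; ...'` or by feeding the captured line to `check_banner`) to list hosts still below the patched baseline.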
- Ring3 Attackers: 64-bit Privilege Escalation Vulnerability on Intel CPU Hardware (secureconnexion.wordpress.com)
Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.
A ring3 attacker may be able to craft a stack frame that is executed by ring0 (the kernel) after a general protection exception (#GP). The fault is handled before the stack switch, which means the exception handler runs at ring0 with an attacker-chosen RSP, causing a privilege escalation.
Find out more about this story at US-CERT: www.kb.cert.org/vuls/id/649219
You may want to consider purchasing Malwarebytes’ Anti-Malware to protect against these types of threats.