As cyber criminals create new pieces of malware, security researchers and white-hat hackers are fighting back by analyzing this malicious software, usually by running virtual machines. This is done so the real system of the researchers will not be infected, and the malware can easily be terminated just by turning off the virtual machine.
However, it was recently discovered that malware writers are finding a way around this, by looking for the absence of documents to find out which systems are potential victims, and which ones are just being used for experimenting and analysis.
“There has been a long history of malware attempting to detect that it is running under observation and “going dark” to hide its presence and hence avoid revealing how it operates. Many anti-malware products rely on being able to observe the execution of malware and hence identify malicious files vs safe ones, so an arms race has developed between malware authors and security companies. Some malware tries to look for identifying features of various sandbox and virtual machine implementations, others have tried to detect debuggers or other tools used by security researchers. Even more common is for malware to try to avoid automated malware detection devices by trying to check whether there is actually a user present, by observing mouse movements and clicks.
This newly identified approach is a simple next step in the ongoing arms race, with malware simply observing the environment it is executing in to determine whether it looks too pristine to be a real end user system. Security researchers will respond by trying to make their observation environments look more like real systems by copying in fake documents and other files. This might fix things for a little while, though it’s a fight where malware authors have huge advantages over the security community — thy can create new evasion techniques extremely cheaply.
Certainly any truly sophisticated nation-state class malware will be evading detection routinely, and no one will be any the wiser. The only way to defeat such threats is to take a different approach, one that doesn’t rely on detection. Isolation through CPU virtualization is such an approach, which is why recent announcements such as Microsoft’s Windows Defender Application Guard are particularly important, coupled with other micro-virtualization approaches.”