Cyber security researchers have discovered a new strain of malware that uses a novel technique to evade detection. The malware is able to detect when it is being run in a security testing environment and automatically suspends any planned attack.
The malware is document based. Once present on a computer, it analyzes how many other documents are present on that same computer. If a certain number are not present, the malware simply lies dormant.
Security testers typically use virtualized machines and testing environments to examine suspected malware. These environments replicate actual computing environments but are not as complete or detailed. Like a movie set, they resemble the real thing but are not exact copies. The developer of the malware realized that a sparse number of documents is a reliable indicator of a security testing environment and used that fact to avoid detection.
If malware does not do anything suspicious or malicious, it is unlikely to be identified or removed. That empowers it to lie in wait until it can inflict the maximum amount of damage.
Once the malware has been downloaded, it checks the machine's recent files folder. If the folder has fewer than two files listed, the machine is judged to be a virtualized one. However, if more than two files are present, the malware proceeds to download a keylogger.
The malware is also able to read a machine's IP address and cross-reference it against a list of IP addresses known to be used by security research firms. If the malware believes that it is being examined by a cyber security professional, it does not download the keylogger.
This form of evasion is not entirely new. Researchers have discovered other strains of malware that look for tell-tale signs of virtualized machines and the fingerprints of security researchers. This most recent strain is different, however, in relying on indicators that are uniquely simplistic. It also stands apart by being a relatively basic form of malware that incorporates sophisticated evasion strategies.
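As an added example (not code from the article or from the malware it describes), here is a Python self-check a sandbox operator can run against an analysis VM to see whether it would trip the two indicators described above. The threshold of two recent files comes from the article; the folder path, the "known research firm" IP ranges and the sample files are constructed placeholders.

```python
import ipaddress
import os
import tempfile

# Threshold from the article: fewer than two recent files looks like an analysis VM.
RECENT_FILES_THRESHOLD = 2


def count_recent_files(recent_dir):
    """Count regular files in a 'recent files' folder (the first indicator)."""
    try:
        return sum(1 for name in os.listdir(recent_dir)
                   if os.path.isfile(os.path.join(recent_dir, name)))
    except FileNotFoundError:
        return 0


def ip_in_known_ranges(ip, known_ranges):
    """True if the VM's egress IP falls inside any listed research-firm range (second indicator)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in known_ranges)


def sandbox_realism_findings(recent_dir, egress_ip, known_ranges):
    """Return the indicators this VM would reveal to the check the article describes."""
    findings = []
    n = count_recent_files(recent_dir)
    if n < RECENT_FILES_THRESHOLD:
        findings.append(f"sparse recent-files folder ({n} files)")
    if ip_in_known_ranges(egress_ip, known_ranges):
        findings.append(f"egress IP {egress_ip} is in a known research range")
    return findings


def demo():
    """Constructed sample: a bare VM versus one with a populated recent folder and neutral IP."""
    # Constructed placeholder: RFC 5737 TEST-NET-1 stands in for a research firm's range.
    known = ["192.0.2.0/24"]
    with tempfile.TemporaryDirectory() as recent_dir:
        bare = sandbox_realism_findings(recent_dir, "192.0.2.10", known)
        for i in range(3):  # populate the folder so the first indicator no longer fires
            open(os.path.join(recent_dir, f"doc{i}.txt"), "w").close()
        populated = sandbox_realism_findings(recent_dir, "198.51.100.5", known)
    return bare, populated


if __name__ == "__main__":
    bare, populated = demo()
    print("bare VM findings:", bare)
    print("populated VM findings:", populated)
```

A VM that returns an empty findings list passes these two simplistic checks; it says nothing about the other virtualization fingerprints the article mentions.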
Experts caution that these types of strategies are likely to become increasingly common. And the longer a strain of malware is allowed to go undetected, the more damage it can do. It will be incumbent on security vendors and researchers to develop less conspicuous testing environments and more nuanced techniques for identifying malware. This is yet another frustrating example of cyber criminals outsmarting the people tasked with stopping them.