Storm Worm Employs VM Detection
The ISC has an interesting report on some of the techniques employed by the Storm worm to detect the presence of virtual machines (VMs) and adjust behaviour accordingly. Sûnnet Beskerming has previously covered the discussion of techniques that malware can use to avoid detection (or attack the VM) when a virtual machine is present.
As covered in the ISC article, Storm employs two techniques, one aimed at VMware and one at Virtual PC. Neither is novel: both had been openly documented before Storm adopted them.
In the VMware case, Storm loads a 'magic number' into a register and issues an I/O instruction against VMware's 'backdoor' port. VMware intercepts the access and echoes the magic value back, which identifies a VMware session; on real hardware the instruction is not permitted from user mode and raises an exception instead, so the probe has to catch that exception to survive. This is not the only way to identify VMware, but it is quick and straightforward.
With Virtual PC the approach is similar. Storm executes a byte sequence that is not a valid instruction on a real processor, where it raises an illegal-instruction exception, but which Virtual PC intercepts as a guest-to-host call and handles silently. If no exception arrives, Storm knows it is running in a Virtual PC session.
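The two probes described above, as an added example that is not code from the article or from Storm itself, guarded so they can be run safely on real hardware, together with a byte-signature scan a defender can run over a sample to spot those probes. It assumes a POSIX system with GCC or Clang; the probes themselves need an x86 or x86-64 CPU and report -1 elsewhere. The port 0x5658 ('VX'), the magic 0x564D5868 ('VMXh') and the opcode bytes 0F 3F 07 0B are the publicly documented values; the sample buffer is constructed for the example.

```c
/* Added example (not from the article or from Storm): the two probes above,
 * guarded so they run on real hardware, plus a byte-signature scan for them.
 * Assumes POSIX + GCC/Clang; the probes themselves need an x86/x86-64 CPU. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
static sigjmp_buf probe_env;
static void probe_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* Run fn() with SIGSEGV/SIGILL trapped: returns 1 if it completed (result in
 * *out), 0 if the CPU faulted, which on bare metal is the expected outcome. */
static int run_guarded(int (*fn)(void), int *out)
{
    struct sigaction sa, old_segv, old_ill;
    volatile int completed = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);
    if (sigsetjmp(probe_env, 1) == 0) { *out = fn(); completed = 1; }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return completed;
}

/* VMware backdoor: IN from port 0x5658 ('VX') with EAX = 0x564D5868 ('VMXh'),
 * ECX = 0x0A (get version). Only VMware echoes the magic back in EBX; on real
 * hardware a ring-3 IN raises #GP, delivered to the process as SIGSEGV. */
static int vmware_probe(void)
{
    uint32_t eax = 0x564D5868u, ebx = 0, ecx = 0x0Au, edx = 0x5658u;
    __asm__ volatile ("inl (%%dx), %%eax"
                      : "+a"(eax), "+b"(ebx), "+c"(ecx) : "d"(edx) : "memory");
    return ebx == 0x564D5868u;
}

/* Virtual PC: 0F 3F 07 0B is no valid instruction on a real CPU (#UD, SIGILL).
 * Virtual PC treats it as a guest call and returns with EBX left at zero. */
static int virtualpc_probe(void)
{
    uint32_t eax = 1, ebx = 0;
    __asm__ volatile (".byte 0x0F, 0x3F, 0x07, 0x0B" : "+a"(eax), "+b"(ebx) : : "memory");
    return ebx == 0;
}

/* 1 = hypervisor answered, 0 = probe faulted or no match, -1 = not an x86 build. */
int vmware_present(void)    { int r = 0; return run_guarded(vmware_probe, &r) ? r : 0; }
int virtualpc_present(void) { int r = 0; return run_guarded(virtualpc_probe, &r) ? r : 0; }
#else
int vmware_present(void)    { return -1; }   /* probes need an x86 CPU */
int virtualpc_present(void) { return -1; }
#endif

/* Defender side: the byte patterns these probes leave behind in a binary. */
static const uint8_t SIG_VMWARE[] = { 0xB8, 0x68, 0x58, 0x4D, 0x56 }; /* mov eax, 'VMXh' */
static const uint8_t SIG_VPC[]    = { 0x0F, 0x3F, 0x07, 0x0B };       /* Virtual PC hook */

static int contains(const uint8_t *buf, size_t len, const uint8_t *sig, size_t n)
{
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, sig, n) == 0)
            return 1;
    return 0;
}

/* Returns a bitmask: 1 = VMware probe stub found, 2 = Virtual PC stub found. */
int scan_for_vm_probes(const uint8_t *buf, size_t len)
{
    int flags = 0;
    if (contains(buf, len, SIG_VMWARE, sizeof SIG_VMWARE)) flags |= 1;
    if (contains(buf, len, SIG_VPC, sizeof SIG_VPC))       flags |= 2;
    return flags;
}

/* Constructed sample standing in for code carved from a suspect binary. */
static const uint8_t SAMPLE[] = {
    0x55, 0x89, 0xE5, 0x53,               /* push ebp; mov ebp,esp; push ebx */
    0xB8, 0x68, 0x58, 0x4D, 0x56,         /* mov eax, 0x564D5868            */
    0xBA, 0x58, 0x56, 0x00, 0x00,         /* mov edx, 0x5658                */
    0xED,                                 /* in eax, dx                     */
    0x0F, 0x3F, 0x07, 0x0B,               /* Virtual PC pseudo-instruction   */
    0x5B, 0xC9, 0xC3                      /* pop ebx; leave; ret             */
};

int main(void)
{
    printf("VMware backdoor answered: %d\n", vmware_present());
    printf("Virtual PC hook answered: %d\n", virtualpc_present());
    printf("probe stubs in sample:    0x%x\n", scan_for_vm_probes(SAMPLE, sizeof SAMPLE));
    return 0;
}
```

Run on bare metal both probes print 0 (the faults are caught and treated as "no hypervisor"), inside a VMware guest the first prints 1, and the scan reports 0x3 because the sample carries both stubs. The signature scan is deliberately naive: a packer or a few junk bytes between the `mov` and the `in` would defeat it, so treat a hit as a lead for the analyst, not as proof.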
As the ISC article identifies (and as our previous articles covered), malware authors are keeping an eye on the published research into detecting and evading VM environments. For end users this problem will only grow as these capabilities make their way into more malware types; for analysts, it means a sample that stays quiet inside a VM cannot be assumed harmless on a real machine.
27 July 2007