Re: Impressive analysis, but infection vector not apparent
How would virtualizing an out-of-date operating system with vulnerable ports protect it any better than installing it on bare metal?
The fail is how the air-gapped network got compromised; however, I once was involved with writing scanning software that went hunting for interconnects, amongst other things, on a global "secure" air-gapped network, and we found significant numbers when digging through our results. Some people breached it with wifi modems to make laptops easier, some as it transited less -ahem- lawful areas, etc. Most of the problem was people being lazy and processes not being rigid enough nor penalties severe enough for doing stupid things which compromised the network's security.
Lock it down, secure it, get maintenance agreements including code fixes for the lifetime of the kit in the original contract when buying, take steps to establish an in-house policy and responsibilities and delegation to keep it patched and integral, but sticking it in a VM isn't going to help, especially as the next step would be to combine all of those Windows machines into a single host, giving yet another vector for a sophisticated attack to jump about sight unseen by any network probes.
The reason the malware looks for the VM environment is that a large number of security researchers spin the vulnerable machine up in a VM because they're looking at x different device types a week, and to have each one as a physical box to be maintained for the audit record of testing would make life awkward. It's a lazy convenience thing, not a good practice one; you can't beat electrical separation done properly.
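The interconnect hunting the reply describes is, at its core, an inventory check: which hosts on the isolated network have a second foot outside it, or a radio adapter that is up. The block below is an added illustration of that defender-side check, not the poster's scanning software; the address ranges, interface kinds and the hosts in `SAMPLE_INVENTORY` are all constructed for the example, and real data would come from whatever agent or switch export enumerates interfaces on your network.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Address ranges that belong to the isolated network (constructed for this example).
AIRGAP_NETS = [ip_network("10.50.0.0/16"), ip_network("10.51.0.0/16")]

# Interface types that imply a radio link, which an isolated network should never carry.
RADIO_KINDS = {"wifi", "cellular", "bluetooth-pan"}


@dataclass
class Interface:
    name: str
    kind: str            # "ethernet", "wifi", "cellular", "loopback", ...
    up: bool
    addr: Optional[str]  # IPv4/IPv6 address as text, or None if unconfigured


@dataclass
class Host:
    hostname: str
    interfaces: List[Interface]


def is_airgap_addr(addr: str) -> bool:
    """True if the address falls inside one of the isolated network's ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in AIRGAP_NETS)


def check_host(host: Host) -> List[Tuple[str, str]]:
    """Return (hostname, reason) findings for bridging risks on a single host."""
    findings = []
    inside, outside = [], []
    for iface in host.interfaces:
        if not iface.up or iface.kind == "loopback":
            continue  # a down adapter cannot bridge anything right now
        if iface.kind in RADIO_KINDS:
            findings.append((host.hostname, f"radio interface {iface.name} ({iface.kind}) is up"))
        if iface.addr is None:
            continue
        ip = ip_address(iface.addr)
        if ip.is_loopback or ip.is_link_local:
            continue  # not a routable foothold either way
        (inside if is_airgap_addr(iface.addr) else outside).append(iface)
    # A host with one address inside the air gap and one outside is a live interconnect.
    if inside and outside:
        names = ", ".join(f"{i.name}={i.addr}" for i in outside)
        findings.append((host.hostname, f"dual-homed: airgap plus non-airgap address(es) {names}"))
    return findings


def find_interconnects(hosts: List[Host]) -> List[Tuple[str, str]]:
    """Run check_host over a whole inventory and collect the findings."""
    out = []
    for h in hosts:
        out.extend(check_host(h))
    return out


# Constructed inventory: what an interface-enumeration agent might report back.
SAMPLE_INVENTORY = [
    Host("plc-gw-01", [Interface("eth0", "ethernet", True, "10.50.3.12")]),
    Host("eng-laptop-07", [
        Interface("eth0", "ethernet", True, "10.50.8.41"),
        Interface("wlan0", "wifi", True, "192.168.1.23"),   # the "wifi modem" case
    ]),
    Host("hist-srv-02", [
        Interface("eth0", "ethernet", True, "10.51.0.5"),
        Interface("eth1", "ethernet", True, "172.16.4.9"),   # wired leg into another network
    ]),
    Host("ops-ws-14", [
        Interface("eth0", "ethernet", True, "10.50.9.77"),
        Interface("wlan0", "wifi", False, None),             # adapter present but down
    ]),
]

if __name__ == "__main__":
    for hostname, reason in find_interconnects(SAMPLE_INVENTORY):
        print(f"{hostname}: {reason}")
```

Run against the sample inventory it reports the laptop twice (radio up, and dual-homed) and the historian once (wired dual-homing), while the gateway and the workstation with its wifi switched off pass. Whether a down-but-present radio adapter should also be reported is a policy choice; the reply's point about rigid processes suggests flagging it too, which is a one-line change to the `up` test.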