Researcher details how malware gives AV the slip

Researcher James Wyke has discovered throw-off tactics used by malware to frustrate investigators. These tactics were part of a suite of impressive methods VXers used to find technical artifacts that could help them distinguish between computers belonging to victims and those used by malware researchers. While malware writers …

  1. Norm DePlume

    The solution

    So all I need to do is make my computer look like a virus researcher's machine and viruses will turn benign?

    1. Captain Scarlet

      Re: The solution

      Yes, unless they have a horrid payload to try and spite researchers, in which case it might be a bad thing.

  2. Primus Secundus Tertius

    Virtual question

    How do you detect that you are running on a virtual machine?

    Is it, for example, some difference in the networking when closely examined?

    1. A Non e-mouse Silver badge

      Re: Virtual question

      With VMware, it's not hard to detect: just look at the BIOS vendor string. It mentions VMware quite prominently. You can also look for VMware-only drivers (e.g. VMXNET). Another option is to try the I/O interface that VMware Tools uses to communicate with the VMware hypervisor.

      I suspect you can use similar tricks with other hypervisors.

      1. Captain Scarlet

        Re: Virtual question

        They seem to mention being able to try and hide from certain researchers, so they might also look up the company name it's registered to or for certain registration strings, as well as looking for the obvious signs of a virtual machine.

  3. Anonymous Coward

    Solution for researcher:

    Use a real machine, in a, um, sandbox, or a DMZ or whatever.

    Name it "chief exec" on a domain called "top brass office" and the malware will positively sing!

  4. Al_21

    Isn't this already known?

    Malware writers have been trying to avoid being detected for years: staying dormant till certain triggers are met (wait period, time/date, user activity), checking for other applications researchers use (IDA, Hiew, Wireshark, VMs, etc.), hiding behavior from static analysis, heuristics and emulators, etc.?

    1. JCitizen

      Re: Isn't this already known?

      Yes, you are correct! Advanced Persistent Threats (APTs) are already a reality in the web world. Only a very blended defense can possibly hope to indicate the level of infection. Now, I will temper that with a nation-state actors warning: that will defeat any defense you have, but the behaviors of your system will belie this threat! If you suspect this, I recommend you trash this computer and get another one; the infection level is so pervasive that nothing, not hardware or software, is forever trustworthy from then on!!!

      Even your ISP could be compromised by then! Don't admit to the depth of your suspicions to the service provider; just explain the symptoms and complain in an ordinary way. Do NOT admit that your paranoia includes such a calamitous attack. Just concentrate on their vulnerabilities and berate them for it, and try to threaten them with state action to their service reliability and reputation. It is all you can do, with the level the enemy has at his disposal. I have friends with intellectual property rights that could affect the national security of nations, who have been totally pwned with a combination of Apple products and Android devices; so don't assume this will be a protection. Never assume anything: my telco is under attack for service reliability for just discussing the problem I am having with my clients. The FBI and all other federal agencies are not even as good as the Keystone Cops, so just forget any help from your government sources. I include UK sources as well.

  5. JCitizen

    Re: Isn't this already known?

    deleted by author for repetition.

Not a member of The Register? Create a new account here.