
Even though they appear to have anti-VM capabilities? I've downloaded some of the latest samples of ransomware executables from Cerber, Locky, and other families of ransomware.

Why do they still execute in the VirtualBox environment? It is a fresh new VirtualBox with no hardening to evade malware analysis. Given the latest versions, aren't they supposed not to run in the environment, because VirtualBox itself, being a VM, should be evaded by them in the first place?

Please advise, thanks!

Pwn Fire
  • This is a rather broad question. Can you clarify what you are looking for? Reasons can be numerous why malware appears to run in a VM despite having anti-VM capabilities. Not all malware does have anti-VM capabilities, or implements anti-VM functionality correctly. – h4ckNinja Nov 20 '17 at 03:41
  • 1
    I consider this question too broad. The OP claims that this unspecified ransomware has anti-VM capabilities and wonders why it runs inside a VM. This assumes first that the OP is right about the ransomware having anti-VM features (no proof given) and also that the unknown anti-VM features of the unknown ransomware are designed to detect any VM and not just typical VM setups used in malware research or sandboxes (no proof given, no details known). – Steffen Ullrich Nov 20 '17 at 05:35

1 Answer


These days, with the prevalence of virtualization in organizations, a good deal of production systems are set up as virtual machines, so it is not a good strategy anymore to skip virtual machines and not infect them.

For example, this old report from Symantec shows malware infecting virtual machines (Symantec Report).

Malware authors try to incorporate other mechanisms to bypass automated analysis and detection, and these days being run on a virtual machine is, on its own, not an indicator that a sandbox or analysis environment is present. For example, by sleeping for long periods of time before starting the operation, or by waiting for user interaction, you can evade the sandboxes (or detonation boxes) in some intrusion detection systems. Of course this is a cat-and-mouse game: we try to design sandboxes and analysis environments that can't be detected by malware, and malware authors try to come up with new methods to detect these systems and prevent detection. (Detecting Malware and Sandbox Evasion Techniques by SANS)

Silverfox
  • Hi Silverfox, yes, I understand where you are coming from. But as many blog posts about ransomware have stated, they do have anti-VM/sandbox technologies to prevent themselves from running in a virtualized environment. I just simply cannot understand how the ransomware is able to do that in my environment despite having anti-VM/sandbox technologies (the latest versions of the ransomware). – Pwn Fire Nov 20 '17 at 04:09
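The answer above makes the point that a bare VM check is no longer what most evasion relies on; stalling (long sleeps) and waiting for user interaction are the behaviours an analyst should look for when a sample runs in the sandbox but does nothing useful. The following is an added example, not code from the question or answer, of the kind of triage script an analyst can run over a sandbox API-call trace to flag those behaviours. The trace format, the sample lines, the API names used as signals and the thresholds are all constructed assumptions for this illustration; a real sandbox (Cuckoo, CAPE and the like) emits its own report format and you would adapt the parser to it.

```python
"""Flag sandbox-evasion behaviour in a (constructed) API-call trace.

Assumed trace format, one call per line:  "<ms-timestamp> <api>(<args>)"
The lines in SAMPLE_TRACE are invented for this example; the registry path
is the well-known ACPI table name a VirtualBox guest exposes.
"""
import re

# Constructed sample trace: a VM-artifact registry probe, repeated cursor
# polling (waiting for a user), three one-minute sleeps, then file access.
SAMPLE_TRACE = """\
0001 RegOpenKeyExW(HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__)
0002 GetCursorPos()
0003 GetCursorPos()
0004 Sleep(60000)
0005 Sleep(60000)
0006 Sleep(60000)
0007 GetCursorPos()
0008 CreateFileW(C:\\Users\\analyst\\Desktop\\invoice.docx)
0009 CryptEncrypt(...)
"""

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)$")

# Heuristic thresholds; these are assumptions chosen for the example,
# not values taken from any sandbox product.
SLEEP_TOTAL_MS = 120_000   # two minutes of cumulative Sleep() looks like stalling
CURSOR_POLLS = 3           # repeated GetCursorPos() suggests a "wait for the user" check
VM_ARTIFACT_RE = re.compile(r"VBOX|VirtualBox|VMware|QEMU", re.IGNORECASE)


def parse_trace(text):
    """Parse trace lines into (timestamp, api, args) tuples, skipping junk."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, api, args = m.groups()
        calls.append((int(ts), api, args))
    return calls


def find_evasion_indicators(calls):
    """Return a dict of the evasion signals present in the parsed calls."""
    indicators = {}

    # Stalling: total requested sleep time across all Sleep() calls.
    sleep_ms = sum(int(args) for _, api, args in calls
                   if api == "Sleep" and args.isdigit())
    if sleep_ms >= SLEEP_TOTAL_MS:
        indicators["long_sleep_ms"] = sleep_ms

    # User-interaction check: how often the cursor position was polled.
    cursor = sum(1 for _, api, _ in calls if api == "GetCursorPos")
    if cursor >= CURSOR_POLLS:
        indicators["cursor_polls"] = cursor

    # VM-artifact probing: registry opens whose path names a hypervisor.
    vm_hits = [args for _, api, args in calls
               if api.startswith("RegOpenKey") and VM_ARTIFACT_RE.search(args)]
    if vm_hits:
        indicators["vm_artifact_queries"] = vm_hits

    return indicators


def analyze(text):
    """Convenience wrapper: trace text in, indicator dict out."""
    return find_evasion_indicators(parse_trace(text))


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_TRACE).items():
        print(f"{name}: {value}")
```

On the constructed trace this reports three minutes of cumulative sleep, three cursor polls and one VirtualBox registry probe. The practical use is the converse of the question: when a sample encrypts files in a fresh VirtualBox, a trace like this shows which checks it actually performed (if any), so you can tell whether it simply has no VM check, checks for something your guest does not expose, or was only ever stalling for time.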