Security Experts:

Connect with us

Hi, what are you looking for?


Cloud Security

Malware Upping Its Game Against Virtual Environments: Report

Virtual Machine Host Servers Should be Hardened and Protected to Defend Against Increasinlgy Complex Malware Threats

Virtual Machine Host Servers Should be Hardened and Protected to Defend Against Increasinlgy Complex Malware Threats

While some pieces of malware are designed to stop running when they detect the presence of virtual machines in an effort to avoid being detected, researchers from Symantec have determined that a large number of threats continue to run even in virtual environments.

Malware can use several techniques to detect if it’s running in a virtual environment. For instance, it can check MAC addresses, registry keys, the presence of tools like VMware, processes and service names, communication ports and behavior, and the location of system structures.

Automated VM analysis systems can be tricked into thinking that a malicious element is harmless because they need to make quick decisions. Malware writers can simply program their creations to activate the payload only after a certain number of clicks, or after a specified number of system reboots. In some cases, the malware samples start sending false data when detecting a VM, either to confuse researchers or to trick automated systems. 

However, according to Symantec, many malware developers have come to realize that their creations become suspicious when they attempt to detect if they’re running in virtual machines. Moreover, they’ve also realized that by designing threats not to run on a VM, they’re limiting the number of devices they can compromise in a targeted network.

Symantec has analyzed 200,000 malware samples submitted by customers between January 2012 and February 2014. Researchers have noticed that during this period only one in five samples stopped running when detecting the presence of virtual machines, while the rest continued to function.

Virtual systems can be involved in two types of attacks: the malware targets the virtual machine from the host server, or it makes its way to the host server after infecting the virtual machine. One perfect example for the first scenario is the multi-platform malware dubbed Crisis, which infiltrates virtual machines stored on the local server. It does this not by exploiting vulnerabilities, but by taking advantage of the fact that the virtual system is actually a series of files stored on the disk.

The second scenario, in which the malware breaks out from the virtual machine and infects the host, is less common, but there are some known cases and such incidents can be highly dangerous, researchers warned.

“This guest-to-host infection or virtual machine breakout could lead to widespread malware infections across many computers,” Symantec said in a new research paper. “This would be bad for an environment where one hosting server runs many guest virtual machines, but could also impact security professionals who are using virtual machines to securely analyze malware. It is possible for malware to escape from a virtual machine system to the host server, depending on the presence of local vulnerabilities.”

This is the reason why the security company advises organizations to move past the misconception that virtual systems are immune to malware infections and ensure that they are properly protected. The list of recommendations includes hardening the host server, putting advanced malware protection mechanisms in place, including virtual machines in the patch and upgrade cycle, integration into SIEM visualization and logging systems, integration into disaster recovery and business continuity plans, and applying proper access control management.

Symantec is not the only company to warn organizations about such threats recently. Last week, at the Black Hat security conference in Las Vegas, Bromium researcher Rafal Wojtczuk pointed out that while hypervisors should normally reduce the attack surface, they can contain security vulnerabilities that put enterprises at risk.

The complete whitepaper, titled “Threats to Virtual Environments,” is available online.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cloud Security

Orca Security published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services.