As cybercriminals churn out one piece of malware after another, security researchers and white-hat hackers fight back by analyzing the malicious software, usually inside virtual machines. This is done so that the researchers' real systems are not infected, and the malware can be terminated simply by shutting down the virtual machine.
However, it was recently discovered that malware writers have found a way around this: they look for the absence of documents to tell which systems are potential victims and which are merely being used for experimentation and analysis.
SentinelOne senior researcher Caleb Fenton discovered the new technique while trying to crack a piece of malware that was packaged in a document with a macro. However, the worm refused to show itself, as it detected that the system showed no signs of having opened any Word documents.
"Most users, unless they just installed Word, are going to have opened more than two documents," Fenton said. "However, on a testing virtual machine (VM), the software is normally not 'broken in.'"
Aside from checking for recently opened documents on the computer, he also found that, to determine whether it is really running in a VM, the malware attempts to retrieve information about the machine's IP address. It cross-references the address to check whether it belongs to a security vendor or a sandbox, and terminates if there is a match.
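Sandbox operators counter the "opened documents" check by making sure their analysis images look used. The following is an added example (not code from the article or from SentinelOne) of a readiness audit for such an image: it parses the value data Word keeps in its "File MRU" registry key (under HKCU\Software\Microsoft\Office\<version>\Word\File MRU; the version subkey is an assumption) and flags an image that has fewer than three recent documents, the threshold Fenton describes, or whose opens are bunched into one short period, which is an extra heuristic of my own. The sample entries are constructed; on a real host you would read them with winreg.

```python
import re
from datetime import datetime, timedelta, timezone

# Word stores each recent file as "[F<flags>][T<FILETIME hex>][O<flags>]*<path>".
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
MRU_RE = re.compile(r"^\[F[0-9A-Fa-f]{8}\]\[T([0-9A-Fa-f]{16})\]\[O[0-9A-Fa-f]{8}\]\*(.+)$")

def filetime_hex(dt):
    """Encode a UTC datetime as the 16-hex-digit FILETIME (100 ns ticks since 1601)."""
    td = dt - EPOCH_1601
    micros = (td.days * 86400 + td.seconds) * 10**6 + td.microseconds
    return f"{micros * 10:016X}"

def parse_mru(values):
    """Turn 'Item N' value data into (path, opened_at) tuples; malformed entries are skipped."""
    entries = []
    for v in values:
        m = MRU_RE.match(v)
        if not m:
            continue
        ticks = int(m.group(1), 16)
        entries.append((m.group(2), EPOCH_1601 + timedelta(microseconds=ticks // 10)))
    return entries

def assess_sandbox(values, min_docs=3, min_span_days=7):
    """Return (looks_used, reasons). min_docs follows the 'more than two' rule;
    the time-span check is an added heuristic, not one the article reports."""
    entries = parse_mru(values)
    reasons = []
    if len(entries) < min_docs:
        reasons.append(f"only {len(entries)} recent document(s); a used install has more than two")
    if entries:
        stamps = [t for _, t in entries]
        span = max(stamps) - min(stamps)
        if span < timedelta(days=min_span_days):
            reasons.append(f"all opens fall within {span.days} day(s); looks staged, not organic")
    return (not reasons, reasons)

def _stamp(y, m, d):  # constructed sample timestamps, 09:00 UTC
    return filetime_hex(datetime(y, m, d, 9, tzinfo=timezone.utc))

# Constructed sample MRU data: a worked-in user profile vs. a freshly built VM.
SAMPLE_USED = [
    f"[F00000000][T{_stamp(2016, 7, 18)}][O00000000]*C:\\Users\\alice\\Documents\\budget_q3.docx",
    f"[F00000000][T{_stamp(2016, 7, 25)}][O00000000]*C:\\Users\\alice\\Documents\\meeting_notes.docx",
    f"[F00000000][T{_stamp(2016, 8, 2)}][O00000000]*C:\\Users\\alice\\Downloads\\invoice_0815.docx",
]
SAMPLE_FRESH_VM = [
    f"[F00000000][T{_stamp(2016, 8, 2)}][O00000000]*C:\\Users\\sandbox\\Desktop\\sample.doc",
]
```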
"If malware can be smart enough to know when it's being tested in a virtual machine, it can avoid doing anything suspicious or malicious and thereby increase the time it takes to be detected," Fenton stated.
Malware has recently been seen taking advantage of macros in Word documents, as they are considered less suspicious than executables. The documents are usually disguised as something important, and they require potential victims to enable the macro to see the content.
As usual, we advise our readers to be careful about the files they download from the internet. Malware is becoming smarter and trickier as time passes, and the best response, whatever the trick, is to stay protected.