Malware Tries to Detect Test Environment

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/09/malware_tries_t.html

A new malware tries to detect if it’s running in a virtual machine or sandboxed test environment by looking for signs of normal use and not executing if they’re not there.

From a news article:

A typical test environment consists of a fresh Windows computer image loaded into a VM environment. The OS image usually lacks documents and other telltale signs of real world use, Fenton said. The malware sample that Fenton found…looks for existing documents on targeted PCs.

If no Microsoft Word documents are found, the VBA macro code execution terminates, shielding the malware from automated analysis and detection. Alternately, if more than two Word documents are found on the targeted system, the macro will download and install the malware payload.