Malware Tries to Detect Test Environment

New malware tries to detect whether it is running in a virtual machine or sandboxed test environment by looking for signs of normal use, and does not execute if they are absent.

From a news article:

A typical test environment consists of a fresh Windows computer image loaded into a VM environment. The OS image usually lacks documents and other telltale signs of real world use, Fenton said. The malware sample that Fenton found…looks for existing documents on targeted PCs.

If no Microsoft Word documents are found, the VBA macro execution terminates, shielding the malware from automated and detection. Alternately, if more than two Word documents are found on the targeted system, the macro will download and the malware payload.
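For analysts who maintain sandbox images, the check described in the quoted article can be turned into an image audit. The following is an added example, not code from the article or from the malware: it counts Word documents under a profile directory and reports which of the article's two stated outcomes the image would fall into. The extension list, the function names and the sample file names are assumptions made for illustration.

```python
import os
import tempfile

# Assumption: the article says only "Microsoft Word documents"; these
# extensions are chosen for the audit, not taken from the sample.
WORD_EXTS = {".doc", ".docx", ".docm"}


def find_word_docs(root):
    """Return paths of Word documents under root, skipping ~$ lock files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("~$"):  # Office owner/lock file, not a document
                continue
            if os.path.splitext(name)[1].lower() in WORD_EXTS:
                found.append(os.path.join(dirpath, name))
    return found


def assess_image(root):
    """Map the document count onto the behaviour the article states."""
    n = len(find_word_docs(root))
    if n == 0:
        verdict = "macro_terminates"   # article: no documents, execution stops
    elif n > 2:
        verdict = "macro_proceeds"     # article: more than two, payload fetched
    else:
        verdict = "not_stated"         # article is silent on one or two documents
    return n, verdict


def build_sample_profile(root, names):
    """Create a constructed profile tree of empty files for the demo."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs, exist_ok=True)
    for name in names:
        open(os.path.join(docs, name), "w").close()
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as fresh, tempfile.TemporaryDirectory() as seeded:
        build_sample_profile(fresh, ["notes.txt"])
        build_sample_profile(seeded, ["a.docx", "b.doc", "c.DOCX", "~$a.docx"])
        for label, root in (("fresh image", fresh), ("seeded image", seeded)):
            print(label, assess_image(root))
```

An image that reports `macro_terminates` would produce a clean sandbox run for this sample regardless of what the document actually does.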