Serious Discussion: How common is it for malware to sleep when run on a VM?

Studynxx

Jan 20, 2023
I download stuff from torrent sites. These sites are supposedly vetted by the mods, so whatever gets on there, has already been vetted by the mods. I don't know what methods they use.

I'm wanting to use something on my PC but first I need to vet it. Process Monitor and TCPView haven't returned anything malicious regarding it when running it on a Hyper-V VM.

Usually, how common is it for malware to detect if running on a VM, and if so, to stay dormant until run on a physical host?
 
It's fairly common for sophisticated malware to detect if it's running in a VM environment and stay dormant to avoid detection. However, not all malware has this capability. It's always best to remain cautious and use trusted sources for downloads.
 
> It's fairly common for sophisticated malware to detect if it's running in a VM environment and stay dormant to avoid detection. However, not all malware has this capability. It's always best to remain cautious and use trusted sources for downloads.

If one was a diplomat and had to do with state-sponsored APTs, sure, but I don't reckon such sophisticated malware is found on P2P sites? Or am I wrong?
 
> If one was a diplomat and had to do with state-sponsored APTs, sure, but I don't reckon such sophisticated malware is found on P2P sites? Or am I wrong?

While it's true that state-sponsored APTs typically target specific individuals or organizations, P2P sites are not immune to sophisticated malware. It's less common, but not impossible. Always exercise caution when downloading from these sites.
 
This is what I don't understand. I have KTS running on my VM. The crack has cracked the executable which was legitimate btw. The crack is a cracktool. I have the executable running now.
I've scanned with KTS, it says it's clean. I'm monitoring for network activity with TCPView. I can't find any network activity coming from the now-cracked executable at all.
VirusTotal says it's malware, more specifically either Trojan.Suzy or HackTool.
 
But is it that crack detected by Kaspersky?
The cracktool is this according to Kaspersky:

[screenshot: Kaspersky detection name for the cracktool]

Others point to it being this Trojan.Suzy variant. Others point to another HackTool detection. So it's a combination of these 3, depending on what AV is asked. So to speak.

But the now-cracked exe isn't displaying ANY network activity (idman.exe) in TCPView.
 
Kaspersky, ESET and Microsoft usually name these cracks very accurately, with terms like HackTool, CrackTool, GameHack and similar.
If you see these products detecting something with these names then they are very unlikely to be malware.
But still always proceed with caution and try to avoid cracked software.
If you don't use IDM's video downloading feature, then there are free IDM alternatives out there. IDM also wastes SSD write cycles (the same thing is written to the disk twice).
 
> Kaspersky, ESET and Microsoft usually name these cracks very accurately, with terms like HackTool, CrackTool, GameHack and similar.
> If you see these products detecting something with these names then they are very unlikely to be malware.
> But still always proceed with caution and try to avoid cracked software.
> If you don't use IDM's video downloading feature, then there are free IDM alternatives out there. IDM also wastes SSD write cycles (the same thing is written to the disk twice).

I do use its video downloading feature, as without it downloads would be craaazy slow sadly, so I'm tied to something like it. It's a great piece of software, and I admire the dev for their intelligence and skills, but it's ridiculously expensive; maybe I'm just a broke loser.

This worries me a lot however. Look at this:

[screenshot: analysis report scoring the sample 100/100]

So if it is malware, and this analysis is 100/100 then it's a sophisticated one that doesn't let the VM trigger its payload.
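The situation in the last two posts (a sample that probes for a VM and then shows no network activity) can be checked from a Process Monitor CSV export rather than by eyeballing TCPView. The following Python is an added example, not from any poster in this thread; the Procmon column layout is the real export format, while the sample rows and the list of VM-fingerprint registry paths are constructed assumptions (well-known artifacts, not an exhaustive list).

```python
import csv
import io
import re
from collections import Counter

# Registry paths commonly read to decide whether the host is a VM (Hyper-V here).
# Assumed, non-exhaustive list of well-known artifacts; extend it for your own VM.
VM_FINGERPRINT_PATTERNS = [
    re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\\System(Manufacturer|ProductName)$", re.I),
    re.compile(r"\\SYSTEM\\CurrentControlSet\\Services\\vmic[a-z]+", re.I),
    re.compile(r"\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum", re.I),
]
NETWORK_OPS = {"TCP Connect", "TCP Send", "TCP Receive", "UDP Send", "UDP Receive"}

# Constructed sample in Process Monitor's CSV export layout; not real log data.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.1","idman.exe","4120","RegQueryValue","HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion","SUCCESS","Type: REG_MULTI_SZ"
"1:02:03.2","idman.exe","4120","RegOpenKey","HKLM\\SYSTEM\\CurrentControlSet\\Services\\vmicheartbeat","SUCCESS","Desired Access: Read"
"1:02:03.3","idman.exe","4120","CreateFile","C:\\Users\\x\\Downloads\\setup.tmp","SUCCESS","Desired Access: Generic Write"
"1:02:05.0","svchost.exe","900","TCP Connect","host-1:49700 -> 10.0.0.5:443","SUCCESS","Length: 0"
"""


def analyze(csv_text, process_name):
    """Summarize one process's activity: VM-fingerprint registry reads,
    network operations and an operation histogram."""
    fingerprints, network, ops = [], [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        ops[row["Operation"]] += 1
        if any(p.search(row["Path"]) for p in VM_FINGERPRINT_PATTERNS):
            fingerprints.append(row["Path"])
        if row["Operation"] in NETWORK_OPS:
            network.append(row["Path"])
    return {"fingerprint_reads": fingerprints, "network": network, "ops": dict(ops)}


def verdict(summary):
    """VM probing followed by network silence is the pattern the thread worries about."""
    if summary["fingerprint_reads"] and not summary["network"]:
        return "vm-probed-then-quiet"
    if summary["network"]:
        return "network-active"
    return "no-indicators"


if __name__ == "__main__":
    s = analyze(SAMPLE_CSV, "idman.exe")
    print(verdict(s), s)
```

Run it against a real export (File > Save as CSV in Procmon) with the process name from TCPView; a "vm-probed-then-quiet" verdict is the cue to retest on a VM whose artifacts have been changed, not proof that the sample is clean.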
 