A new Malware Evasion Encyclopedia has been launched that offers insight into the various methods malware uses to detect if it is running under a virtual environment.

To evade detection and analysis by security researchers, malware may check whether it is running in a virtualized environment, such as a virtual machine in VirtualBox or VMware.

If these checks indicate that it is being run in a VM, the malware will simply not run, and in some cases, delete itself to prevent analysis.

The Malware Evasion Encyclopedia

Created by Check Point Research, the Malware Evasion Encyclopedia is broken into categories of information that malware uses to detect whether it is running under a virtual machine.

While sharing this information may allow malware authors to learn some new techniques, Check Point feels that the value to the information security community far outweighs any benefit to malware developers.

"It is our belief the value of sharing with the community is far greater than the risk of malware authors using this," Check Point Research told BleepingComputer.

The current sections in the encyclopedia with listed techniques are:
  • Filesystem
  • Registry
  • Generic OS queries
  • Global OS objects
  • UI artifacts
  • OS features
  • Processes
  • Network
  • CPU
  • Hardware
  • Firmware tables
  • Hooks
  • macOS

Inside each section are code snippets illustrating how malware determines whether it is running in a virtual environment, along with suggested countermeasures to defeat these checks.

For example, the 'Processes' section shows how malware checks for certain processes used by VMs, the 'Firmware Tables' section explains how malware looks for certain strings in the BIOS, and the 'Generic OS queries' section lists user names that malware commonly looks for. [....]
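The countermeasure side of those three sections can be turned into a sandbox self-audit: an analyst feeds in the guest's process list, firmware-table strings and account name, and the script reports which artifacts would give the VM away and what to mask. This is an added example, not Check Point's code or the encyclopedia's entries; the indicator lists and sample snapshot are constructed assumptions, deliberately short.

```python
"""Sandbox self-audit: flag guest-visible VM artifacts of the kinds the
encyclopedia catalogues (process names, firmware-table strings, analyst
user names) so they can be masked before detonating samples.

Added example, not Check Point's code. The indicator lists are commonly
cited artifacts chosen as assumptions, not a copy of the encyclopedia."""

# Assumed indicator lists; extend them from the encyclopedia's own entries.
VM_PROCESSES = {"vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe"}
FIRMWARE_STRINGS = ("virtualbox", "vmware", "innotek gmbh", "qemu")
SANDBOX_USERS = {"sandbox", "malware", "virus", "analyst"}  # constructed examples


def audit_processes(process_names):
    """Return (lower-cased, sorted) running process names that reveal a guest."""
    return sorted({p.lower() for p in process_names if p.lower() in VM_PROCESSES})


def audit_firmware(smbios_text):
    """Return hypervisor vendor strings found in a firmware/SMBIOS text dump."""
    lowered = smbios_text.lower()
    return [s for s in FIRMWARE_STRINGS if s in lowered]


def audit_username(user):
    """True when the account name is one an analysis box typically exposes."""
    return user.lower() in SANDBOX_USERS


def run_audit(process_names, smbios_text, user):
    """Aggregate findings as (artifact, countermeasure) pairs."""
    findings = []
    for p in audit_processes(process_names):
        findings.append((f"process {p}", "rename or stop the guest-additions service"))
    for s in audit_firmware(smbios_text):
        findings.append((f"firmware string '{s}'", "patch the DMI/SMBIOS strings"))
    if audit_username(user):
        findings.append((f"user name '{user}'", "use an inconspicuous account name"))
    return findings


if __name__ == "__main__":
    # Constructed snapshot standing in for tasklist/ps output and a dmidecode dump.
    sample_procs = ["explorer.exe", "VBoxService.exe", "notepad.exe"]
    sample_smbios = "Manufacturer: innotek GmbH\nProduct Name: VirtualBox"
    for artifact, fix in run_audit(sample_procs, sample_smbios, "analyst"):
        print(f"[!] {artifact}: {fix}")
```

On a real guest, pass the output of `tasklist` or `ps` and a `dmidecode` (or `wmic bios`) dump to `run_audit`; an empty result means none of these three artifact classes is exposed.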