Virtual Analysis Misses More Than 30 percent of Malware

Antone Gonsalves June 21, 2012
Approach needs to shift away from assuming malware can be prevented from entering a network, security expert says.

Roughly a third of malware sent to a virtualized environment for analysis is able to elude detection, a security expert says.

Security vendors sell virtualized appliances that run suspicious files and analyze their behavior to identify malware, determine how it entered the network and then close the hole it used. In the few years this technology has been in use, cybercriminals have found ways to make their malware behave benignly while it is inside such an environment.

"Overall, there are so many ways malware can uncover it is inside a virtual environment that it is practically impossible to completely obscure from malware that it's running inside a virtualized environment," Gunter Ollmann, vice president of research at malware analysis company Damballa, said Tuesday. Damballa's customers include telcos, internet service providers and Fortune 1000 companies.
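To make concrete why complete concealment is impractical, here is an added example that is not from the article or from Damballa: a few of the cheap host fingerprints malware compares against a list of known hypervisor artifacts before deciding whether to run. The inputs (a /proc/cpuinfo dump, a MAC address, the DMI product and vendor strings) are passed in as plain strings so the checks run offline; the sample values and the helper names are assumptions for illustration.

```python
"""Added example (not from the article or from Damballa): the cheap host
fingerprints malware compares against known hypervisor artifacts to decide
whether it is being run inside a virtual machine or analysis sandbox.
Inputs are passed in as strings so the checks run offline; on a live Linux
host they would be read from /proc/cpuinfo, /sys/class/dmi/id/ and the NIC.
Sample values below are constructed for illustration, not captured from hosts.
"""
import re

# OUI (first three octets) prefixes registered to hypervisor vendors for virtual NICs.
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
    "00:16:3e": "Xen",
}

# Substrings hypervisors leave in the DMI/SMBIOS product and vendor fields.
VM_DMI_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "kvm", "xen", "hyper-v",
                  "virtual machine", "bochs")

# Constructed samples.
SAMPLE_VM_CPUINFO = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ht hypervisor lahf_lm\n"
)
SAMPLE_BARE_METAL_CPUINFO = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ht vmx lahf_lm\n"
)


def check_cpuinfo(cpuinfo_text):
    """CPUID leaf 1, ECX bit 31 is set by hypervisors; Linux shows it as the 'hypervisor' flag."""
    for line in cpuinfo_text.splitlines():
        if line.lower().startswith("flags"):
            return "hypervisor" in line.split()
    return False


def check_mac(mac):
    """Return the vendor name if the MAC's OUI is a known virtual-NIC prefix, else None."""
    m = re.fullmatch(r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})(?:[:-][0-9a-f]{2}){3}",
                     mac.strip().lower())
    if not m:
        return None
    return VM_MAC_OUIS.get(":".join(m.groups()))


def check_dmi(product_name, sys_vendor):
    """Return the first hypervisor marker found in the DMI product/vendor strings, else None."""
    text = f"{product_name} {sys_vendor}".lower()
    for marker in VM_DMI_MARKERS:
        if marker in text:
            return marker
    return None


def vm_indicators(cpuinfo_text, mac, product_name, sys_vendor):
    """Collect every indicator that fired. Malware typically exits quietly if the list is non-empty."""
    hits = []
    if check_cpuinfo(cpuinfo_text):
        hits.append("cpuid hypervisor flag")
    vendor = check_mac(mac)
    if vendor:
        hits.append(f"virtual NIC OUI ({vendor})")
    marker = check_dmi(product_name, sys_vendor)
    if marker:
        hits.append(f"DMI marker '{marker}'")
    return hits


if __name__ == "__main__":
    print(vm_indicators(SAMPLE_VM_CPUINFO, "08:00:27:aa:bb:cc", "VirtualBox", "innotek GmbH"))
    print(vm_indicators(SAMPLE_BARE_METAL_CPUINFO, "3c:22:fb:11:22:33", "XPS 13 9370", "Dell Inc."))
```

Each of these artifacts can be spoofed by a sandbox operator (random MAC, edited DMI strings), but the list of such tells is long and keeps growing, which is the point of the quote: hiding all of them at once, including timing and hardware-behavior checks that this example does not cover, is not realistic.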

Of course, the flipside is that today's malware detection systems correctly identify two thirds of the malicious applications entering an organization via email attachments, USB devices or Web sites. The cautionary note is nevertheless that the sophistication of today's malware demands a layered approach to security. Antivirus systems alone catch known malware; new samples go undetected because they do not contain the byte sequences (signatures) the scanner watches for.

Attackers have multiple techniques for evading AV. These include encrypting or compressing (packing) the malicious file, so that it has to be unpacked before its contents can be matched against signatures. AV engines typically do this only for packers they recognize, so a custom packer or crypter leaves the scanner matching against opaque bytes.