Check Point builds encyclopedia of malware techniques that can bypass VMs


Security firm Check Point has created a catalog detailing the ways malware tries to detect virtual machines. The catalog is aimed at security researchers who run malware in VMs.

The company’s Evasions Encyclopedia describes the techniques malware uses to determine whether it is running in a virtual environment, and alongside each one it gives tips on how researchers can in turn circumvent the check so the sample runs anyway.

The catalog is divided into categories: there are sections on checks against the file system, firmware tables, the CPU and other hardware, for example, plus a separate section devoted to macOS. Each section explains the techniques involved and includes code snippets showing how they work. Several categories, including ‘timing’, ‘WMI’ and ‘human behavior’, are still empty; Check Point says they will be filled in later. Unless a section states otherwise, the techniques described target Windows, the authors say. The site is backed by a GitHub repository that holds all of the content, and in future other researchers will be able to contribute there so the encyclopedia stays current.

Many malware authors build in checks that detect whether their code is running in a virtual machine. If it is, the malware often refuses to run or destroys itself, which makes the sample hard to study. Check Point acknowledged to Bleeping Computer that the initiative could also give other malware authors ideas for hiding their code better, but it says the benefits for researchers outweigh that drawback.
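The two paragraphs above describe the kind of checks the encyclopedia covers and why malware runs them. As an added illustration that is not code from the encyclopedia or from Check Point, the following program implements one CPU-category check that is widely used in practice: CPUID leaf 1 returns a "hypervisor present" bit (ECX bit 31) that is reserved on bare metal, and leaf 0x40000000 returns a 12-byte vendor signature such as "VMwareVMware" or "KVMKVMKVM". It assumes an x86/x86-64 build with GCC or Clang, whose cpuid.h provides the __cpuid and __get_cpuid helpers; on other architectures the live probe reports that CPUID is unavailable, while the decoding helpers still work on supplied register values. The signature table and the function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

/* CPUID leaf 1: ECX bit 31 is reserved on real hardware and set to 1 by
 * hypervisors that announce themselves. Returns 1 if the bit is set. */
int hypervisor_bit_set(uint32_t leaf1_ecx)
{
    return (leaf1_ecx >> 31) & 1u;
}

/* CPUID leaf 0x40000000: EBX, ECX and EDX carry a 12-byte vendor signature
 * in register order, little-endian. Writes a NUL-terminated copy into out. */
void decode_hypervisor_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    memcpy(out + 0, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Convenience wrapper: 1 if the registers decode to the expected signature. */
int vendor_is(uint32_t ebx, uint32_t ecx, uint32_t edx, const char *expected)
{
    char sig[13];
    decode_hypervisor_vendor(ebx, ecx, edx, sig);
    return strcmp(sig, expected) == 0;
}

/* Map well-known signatures to a product name (example table, not exhaustive).
 * "KVMKVMKVM" is padded with NUL bytes by the hypervisor, so strcmp works. */
const char *hypervisor_name(const char *sig)
{
    static const struct { const char *sig; const char *name; } table[] = {
        { "VMwareVMware", "VMware" },
        { "KVMKVMKVM",    "KVM" },
        { "Microsoft Hv", "Hyper-V" },
        { "VBoxVBoxVBox", "VirtualBox" },
        { "XenVMMXenVMM", "Xen" },
        { "TCGTCGTCGTCG", "QEMU (TCG)" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(sig, table[i].sig) == 0)
            return table[i].name;
    return "unknown";
}

/* Live probe: 1 = hypervisor bit set (vendor filled in), 0 = bit clear,
 * -1 = CPUID not available on this architecture. */
int probe_hypervisor(char vendor[13])
{
#if HAVE_X86_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    if (!hypervisor_bit_set(ecx)) {
        vendor[0] = '\0';
        return 0;
    }
    /* __get_cpuid rejects leaves above the CPU's maximum basic leaf, so the
     * 0x40000000 range has to be queried with the raw __cpuid macro. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    decode_hypervisor_vendor(ebx, ecx, edx, vendor);
    return 1;
#else
    (void)vendor;
    return -1;
#endif
}

int main(void)
{
    char vendor[13];
    int r = probe_hypervisor(vendor);
    if (r < 0)
        puts("CPUID not available on this architecture");
    else if (r == 0)
        puts("hypervisor bit clear: bare metal, or a hypervisor configured to hide itself");
    else
        printf("hypervisor bit set, signature \"%s\" (%s)\n", vendor, hypervisor_name(vendor));
    return 0;
}
```

Two caveats a researcher should keep in mind when using this check either way. First, the signal is under the hypervisor's control: VMware hides the bit when hypervisor.cpuid.v0 = "FALSE" is set in the guest's .vmx file, and libvirt can disable the hypervisor CPU feature for a KVM guest, so a sample that relies on it alone can be made to run. Second, the bit is also set on a physical Windows host whose virtualization-based security has Hyper-V running underneath the OS, so on its own it does not prove a sandbox; this is why the encyclopedia groups many independent checks.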
