Over the years, malware developers and cybersecurity experts have been at war trying to one-up each other. Recently, the malware developer community deployed a new strategy evade detection: checking the screen resolution.
Let’s explore why screen resolution matters to malware, and what it means for you.
Why Malware Cares About Screen Resolution
To find out why malware cares about the screen resolution, we have to take a look at one of its worst enemies; the virtual machine.
Virtual machines are a useful tool for virus researchers. They act as a “computer inside of a computer,” so you can use another operating system without needing a new PC.
For example, if you have a Windows 10 computer but you want to use Linux, you can set up a virtual machine inside of Windows 10 to run Linux. It’ll act just like a Linux machine but runs in a window in Windows 10.
Virtual machines are highly useful to virus researchers, as they act as a digital venus fly trap. If a researcher believes a program or file contains a virus, they can test it by running it within a virtual machine.
If the file contains a virus, it will begin infecting the virtual machine. Because a virtual machine is set up like a real one, the virus believes it’s infecting a real PC and not a virtual one. As such, it begins delivering its payload and doing damage to the virtual machine. Fortunately, none of the damage a virus does “carries over” to the main computer; it only affects the virtual one.
Once the virus has given the game away, the researcher can study how it works then reset the virtual machine. They then take what they learned from the virtual machine and use it to create virus definitions to protect people’s real computers.
Because of this, virtual machines are the bane of malware developers. If someone suspects that a program harbors malware, they can boot it up in a virtual machine and scrub it away if it’s bad.
Where Does Screen Resolution Come Into This?
There is one flaw with this method of testing apps. When a malware researcher creates a virtual machine, they’re not really interested in all the additional features. All they need to test for viruses is a virtual machine that acts like a normal computer—everything else is optional.
As a result, researchers sometimes don’t install the VM’s guest software. This software enables additional features such as higher screen resolutions, which the researcher doesn’t really need. If the user doesn’t use the guest software, the VM typically locks the user into one of two low resolutions: 800×600 and 1024×768.
These two resolutions are important to a malware developer. Modern-day computers and laptops don’t typically come with screens at that resolution; it’s very outdated.
In fact, you can see how outdated it is on Statcounter, which collects information on the most-used resolutions. At the time of writing, resolutions tend to either be bigger or smaller than the above VM examples.
On one side of the spectrum, you have the standard 1366×768 resolution for laptops and 1920×1080 for PC monitors. On the other side, you’ll find tiny 360×640 screens in use—those are smartphones.
800×600 and 1024×768 don’t appear at all. The reverse of the latter, 768×1024, does exist; this is an iPad resolution. However, even this only takes up 2.6 percent, meaning 97.4 percent of devices use different resolutions.
How Malware Uses This Data to Avoid VMs
As such, when malware lands on a host computer and notes that it’s running on either 800×600 or 1024×768, it’s either on very outdated hardware or—more likely—they’re being watched within a virtual machine.
If the virus operates under this condition, it’ll give the game away right under the eyes of a virus researcher. As such, in order to protect its secrets, the malware instead self-terminates and does no damage.
From the researcher’s perspective, the program ran and didn’t infect the PC, so it must be benign. They may then assign a false negative report for the program, allowing the malware to travel further before it’s finally caught.
Examples of Resolution-Checking Malware in the Real World
Trickbot is an excellent example of this tactic out in the wild. Researchers managed to break into a recent strain of TrickBot’s code and analyzed how it works. One Twitter user known as Mak (@maciekkotowicz) found a chunk of code within TrickBot that scans for an 800×600 or 1024×768 resolution.
Today's #Trickbot loaders with a screen resolution #antivm trick, if you have 800×600 or 1024×768 resolution – you are safe! ;] cc @VK_Intel @James_inthe_box @JAMESWT_MHT @abuse_ch pic.twitter.com/mbGE5IwLH0
— mak (@maciekkotowicz) June 30, 2020
In this chunk of code, the virus grabs the X and Y values of the computer’s resolution then combines them to see the result. If the result equals either 800×600 or 1024×768, the code returns the number 0. This tells the malware that it’s running in a VM.
Once the malware knows it’s within a virtual machine, it self-destructs to avoid detection. As a result, anyone checking for viruses in a virtual machine will incorrectly deem it safe.
What This Tactic Means for You
Of course, this does mean that if you used a 1024×768 or 800×600 resolution, you will have protection from some strains of malware. As soon as they arrive, they’ll note your resolution and self-detonate before they do any damage. However, what you gain in protection, you’ll lose in your sanity by using a computer with such a cramped resolution!
As such, your best bet for fighting off this new strain of malware is to update your antivirus. Now that this anti-VM trick is public knowledge, it’s unlikely that the high-end security companies will be fooled again.
However, this is important to note if you have a tendency to test out files in your own virtual machines. If your VM is running at 800×600 or 1024×768, it’s worth setting it to a more popular resolution. If you don’t, you can’t be certain if the file you’re testing has this anti-VM precaution installed.
Staying Safe from Sneaky Viruses
With cybersecurity becoming the huge industry that it is, malware developers have to adapt to stay one step ahead. New strains of malware will evade capture if ran in an unprepared VM, so if you use VMs for virus testing, be sure to keep this in mind.
The best antivirus is common sense, so why not learn the easy ways to never get a virus?
Read the full article: How Malware Uses Screen Resolution to Avoid Detection
from MakeUseOf https://ift.tt/2XtKQYr
via IFTTT
0 comments: