Malware detection systems often employ virtualized environments to enable suspicious objects, namely objects that are potentially malicious and may be classified as “malware,” to be safely analyzed during run-time in one or more virtual machines. Each virtual machine (VM) is provisioned with a guest image, where the guest image is configured in accordance with a particular software profile. Thereafter, a suspicious object is submitted to a selected VM provisioned with a software profile suitable for processing the suspicious object type. For example, where the suspicious object is a web page, the software profile may include a browser application that operates in concert with a specific type operating system (OS). As another example, where the suspicious object is an electronic mail (email) message, the software profile may include an email application that operates in concert with the same or a different OS.
For analyzing a suspicious object for malware, a virtual machine is provisioned with a guest image including software components that, when executed, perform operations substantially similar (if not identical) to the operations performed by a corresponding physical electronic device. For some suspicious objects including certain sophisticated malware, during processing by a virtual machine, the malware may cause a software application associated with the guest image to initiate system calls that request services from the guest OS. The services may include hardware-related service (e.g., accessing external storage (e.g., a hard disk or solid state drive, accessing a network controller, etc.). The sophisticated malware can use returned data from these system calls to determine whether it is operating within a virtual environment, and if so, halt operation to evade detection.
More specifically, certain malware has been designed to evade operation in virtualized environments by issuing one or more system calls for hardware-related services. The system call(s) cause the guest OS to obtain and return identifiers for certain components (e.g., input/output “I/O” controllers, etc.) within a network device processing an object (e.g., executable, document, etc.) infected with the malware. Based on these returned identifiers and the knowledge that certain I/O controllers are commonly used in malware detection systems, the malware may determine, with reasonable accuracy, whether or not the malware is operating within a virtualized environment. More specifically, by aggregating the returned identifiers and determining whether most, if not all, of these identifiers are associated with I/O controllers or other types of I/O devices commonly virtualized and used by malware detection systems, malware can evade detection by delaying operability.
Conventional malware detection systems are unable to curtail the above-identified evasion technique because virtualizing newly released I/O devices, especially I/O devices manufactured by another company, is extremely complex and costly.
Virtualization of an I/O device requires a substantial amount of time to complete. In addition, even though new virtualized I/O devices are implemented, the malware can quickly hamper conventional malware detection by simply updating its target device database and recognizing the newly added device identifiers as a standard component of a virtualized environment.