
Hackers foil researchers

By Leanne Tucker, ITWeb portals business developer
Johannesburg, 23 Nov 2006

Hackers foil researchers

Hackers are adding virtual machine detection to their worms and Trojans to stymie analysis at anti-virus labs, reports ITNews.

The tactic is designed to thwart researchers who use virtualisation software, notably that made by VMware, to quickly and safely test the impact of malicious code.

Researchers will often run malware in a virtual machine to protect the system's actual operating system from infection; virtualisation software also lets analysts test malware against multiple operating systems on a single computer.

Attack code posted for MS bugs

Hackers have posted code that could be used to target Microsoft's Windows operating system in a worm attack. The code, which was published on the Milw0rm Web site, works on the Windows 2000 operating system.

It takes advantage of a flaw in the Windows Workstation service, which is utilised for file-sharing or printing over the network.

When Microsoft patched this flaw in its monthly batch of security fixes earlier this week, security vendors warned that it was one of the most critical of the November updates and could possibly be exploited in a self-replicating worm.

Worm targets Real Media files

Researchers at McAfee's Avert Labs have warned of a new worm, dubbed 'W32/Realor', which doctors the contents of Real Media files (.rmvb) to redirect users to potentially dangerous URLs.

The worm does not infect the media files in the standard sense, but instead manipulates the functionality of Real Players to redirect anyone trying to view the files to a Web site, generally one containing an exploit enabling drive-by downloads. From there, further copies of the worm or other malware can be installed on vulnerable systems.

"As Avert researchers point out, the main danger of this worm lies in the public's general assumption of safety when handling media files," said John Hawes, technical consultant at Virus Bulletin.
