Over the years, malware developers and cybersecurity experts have been at war, each trying to outwit the other. Recently, the malware development community adopted a new strategy to circumvent detection: checking the screen resolution.
Let’s explore why screen resolution matters to malware, and what it means to you.
Why Malware Cares About Screen Resolution
To find out why malware cares about screen resolution, we need to look at one of its worst enemies: the virtual machine.
Virtual machines are a useful tool for virus researchers. They act as a “computer inside the computer,” so you can use another operating system without needing a second physical computer.
For example, if you have a Windows 10 computer but want to use Linux, you can configure a virtual machine within Windows 10 to run Linux. It behaves like a Linux machine, but runs in a window inside Windows 10.
Virtual machines are very useful for virus researchers because they act as a digital flytrap for viruses. If a researcher believes that a program or file contains a virus, he or she can test it by running it in a virtual machine.
If the file contains a virus, it will start infecting the virtual machine. Because the virtual machine is set up to look like a real one, the virus believes it is infecting a real computer rather than a virtual machine. As such, it begins to deliver its payload and damage the virtual machine. Fortunately, none of the damage caused by the virus “transfers” to the host computer; it only affects the virtual machine.
Once the virus has given the game away, the researcher can examine its operation and reset the virtual machine. They then take what they learned from the virtual machine and use it to create virus definitions to protect people’s real computers.
Because of this, virtual machines are a barrier for malware developers. If someone suspects that a program contains malware, they can launch it in a virtual machine and simply reset the VM if it turns out to be malicious.
Where does screen resolution come into this?
There is one flaw in this way of testing applications. When a malware researcher creates a virtual machine, they aren’t really interested in all the advanced features. All they need for virus testing is a virtual machine that works like a normal computer – everything else is optional.
As a result, researchers sometimes do not install the VM guest software. This software enables additional features, such as higher screen resolutions, that the researcher doesn’t really need. Without it, the VM usually locks the display to one of two low resolutions: 800 × 600 or 1024 × 768.
These two resolutions are important for a malware developer. Modern computers and laptops typically do not have screens at this resolution; it is very outdated.
In fact, you can see how outdated it is on StatCounter, which collects data on the most commonly used resolutions. At the time of writing, the popular resolutions are all either higher or lower than the two VM defaults above.
At one end of the spectrum are the standard resolutions of 1366 × 768 laptops and 1920 × 1080 PC monitors. At the other end you’ll find small 360 × 640 screens in use: those are smartphones.
800 × 600 and 1024 × 768 do not appear in the list at all. The rotated version of the latter, 768 × 1024, does exist; it is the iPad resolution. However, even that accounts for only 2.6 percent, which means that 97.4 percent of devices use a different resolution.
How malware uses this information to avoid virtual machines
As such, when the malware lands on a computer and finds that it is running at either 800 × 600 or 1024 × 768, it concludes that it is either on outdated hardware or, more likely, being observed in a virtual machine.
If the virus ran in that environment, it would give the game away to the virus researcher. To protect its secrets, the malware simply terminates and does no harm.
From the researcher’s perspective, the program ran and didn’t infect the computer, so it must be benign. They may then report it as clean, a false negative that lets the malware spread further before it is finally caught.
Examples of malware resolution checks in the real world
TrickBot is a great example of this tactic in the wild. Researchers managed to unpack a recent strain of TrickBot and analyze how it works. One Twitter user, @maciekkotowicz (known as mak), found a snippet of code in TrickBot that looks for a resolution of 800 × 600 or 1024 × 768.
Today’s #Trickbot loaders with screen resolution #antivm trick: if the resolution is 800 × 600 or 1024 × 768 – you are safe! ;] cc @VK_Intel @James_inthe_box @JAMESWT_MHT @abuse_ch pic.twitter.com/mbGE5IwLH0
– mak (@maciekkotowicz) June 30, 2020
In this piece of code, the virus grabs the X and Y values of the computer’s resolution and then combines them into a single value to compare. If the result equals 800 × 600 or 1024 × 768, the code returns the number 0. This tells the malware that it is running in a virtual machine.
When the malware detects that it is in a virtual machine, it terminates itself to avoid detection. As a result, anyone scanning the virus in a virtual machine wrongly concludes that it is safe.
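As an added example (not TrickBot’s code and not taken from the article), here is a small triage heuristic a defender could run over a suspicious binary to spot the four constants that such a resolution comparison needs. The byte buffers below are constructed stand-ins for a code section, and the 64-byte proximity window is an assumption:

```python
"""Triage heuristic: flag a binary whose code carries 800, 600, 1024 and 768
as 32-bit little-endian immediates close together, as a compare against the
two VM-default resolutions would. Added example, not TrickBot's code or any
vendor's rule; sample buffers are constructed, window size is an assumption."""
import struct

# (width, height) pairs the article says TrickBot treats as a sandbox.
FLAGGED_RESOLUTIONS = [(800, 600), (1024, 768)]

def find_dword(data, value):
    """Return every offset at which `value` appears as a 4-byte LE integer."""
    needle = struct.pack("<I", value)
    offsets, start = [], 0
    while (idx := data.find(needle, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets

def find_resolution_checks(data, window=64):
    """Offsets where both width and height of a flagged pair occur within
    `window` bytes of each other. Returns {(w, h): [offset, ...]}."""
    hits = {}
    for w, h in FLAGGED_RESOLUTIONS:
        height_offsets = find_dword(data, h)
        pair_hits = [off for off in find_dword(data, w)
                     if any(abs(off - oh) <= window for oh in height_offsets)]
        if pair_hits:
            hits[(w, h)] = pair_hits
    return hits

def looks_like_anti_vm_resolution_check(data):
    """Verdict: both flagged pairs present close together. 1024 and 768 alone
    are everyday constants, so a single pair is ignored to limit false positives."""
    return len(find_resolution_checks(data)) == len(FLAGGED_RESOLUTIONS)

# Constructed stand-in for a code section: x86 `cmp ecx, imm32` (81 F9 imm32)
# and `cmp edx, imm32` (81 FA imm32) against the four constants, plus filler.
CMP_ECX, CMP_EDX = b"\x81\xf9", b"\x81\xfa"
SAMPLE_WITH_CHECK = (
    b"\x55\x8b\xec" + CMP_ECX + struct.pack("<I", 800) + b"\x75\x08"
    + CMP_EDX + struct.pack("<I", 600) + b"\x74\x20" + b"\x90" * 6
    + CMP_ECX + struct.pack("<I", 1024) + b"\x75\x08"
    + CMP_EDX + struct.pack("<I", 768) + b"\x74\x10" + b"\xc3"
)
# Constructed buffer mentioning 1024x768 only (e.g. an ordinary default window size).
SAMPLE_BENIGN = b"\x90" * 8 + struct.pack("<II", 1024, 768) + b"\x90" * 8

if __name__ == "__main__":
    for name, blob in (("with_check", SAMPLE_WITH_CHECK), ("benign", SAMPLE_BENIGN)):
        print(name, find_resolution_checks(blob), looks_like_anti_vm_resolution_check(blob))
```

On a real sample the hits would need manual confirmation in a disassembler, since the heuristic only shows that the constants sit near each other.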
What this tactic means to you
This does mean, of course, that if you ran your desktop at 1024 × 768 or 800 × 600, you would be protected against some strains of malware. As soon as they arrived, they would notice your resolution and shut themselves down before doing any damage. Whatever protection you gained, however, you would lose your sanity using a computer at such a cramped resolution!
The best way to combat this malware trick is to keep your antivirus up to date. Now that this anti-VM trick is common knowledge, it is unlikely that major security companies will be fooled by it again.
However, it is important to keep in mind if you tend to test files in your own virtual machines. If your virtual machine is running at 800 × 600 or 1024 × 768, you should set it to a more popular resolution. Otherwise, you cannot be sure whether the file you are testing contains this anti-VM check.
Staying safe from stealthy viruses
Cybersecurity is a huge field, and malware developers need to adapt to stay one step ahead. New malware strains can evade detection when run in an unprepared VM, so keep this in mind if you use virtual machines for virus testing.