Most security software doesn’t detect malware present in Virtual Hard Disk file format

Will Dormann, a vulnerability analyst for the Software Engineering Institute, recently discovered that Microsoft’s WindowsDefender security software will actively ignore certain content. Under normal circumstances, Microsoft will analyze and detect according to the file type, even if it is a compressed package or another format of the archive file will automatically detect its content. Surprisingly, Microsoft automatically ignores images of all virtual hard disk (VHD & VHDX) formats and can reach the user’s computer even if it contains malware.

The virtual hard disk format is VHD and VHDX. The virtual hard disk may contain the contents of the physical hard disk such as the partition of the hard disk and the file system of the disk. The important thing is that the virtual hard disk format user can open and browse the content directly, which means that the attacker can induce the user to load malware. Under normal circumstances, whether the user downloads the file through the browser or email, Microsoft will detect and analyze whether the content is harmful. It is still a mystery why Microsoft ignores virtual hard disk images, but research has found that at least virtual hard disk images can be used as a carrier for malware.

After analyzing the problem with WindowsDefender, vulnerability analyst Will Dormann turned to other virtual antivirus engines to test the virtual hard disk. Surprisingly, the 55 anti-virus engines called on the VirusTotal website did not have any engine successfully detected malicious files contained in the virtual hard disk. This means that most of the world’s mainstream security software ignores the detection of virtual hard disk images, even if the malware contained therein is only a very common type. So for now, if an attacker uses a virtual hard disk image to spread the virus, most security software will not analyze it and will not intercept it.

Via: Carnegie Mellon University