
Published on October 11th, 2019


Virtual Hard Disk Images Containing Malware Are Ignored by Windows and Antivirus Engines



This disturbing find by a CERT researcher demonstrates how attackers can encode malicious files within a Virtual Hard Disk (VHD) image that acts in the same way as a ZIP archive.

It’s not far-fetched to have a phishing attack include a ZIP file as an attachment, only to have the potential victim double-click it, reveal its contents in Explorer, and double-click the enclosed (and malicious) file. In fact, it actually happened this year to me!

Now, with Windows, files retrieved from an online location are given a Mark of the Web, which tells the OS to give the file limited trust and handle it with caution. ZIP files fall into this category, and Windows can show OS and Office warnings when it judges that the file could be malicious.

But CERT researcher Will Dormann found that VHD and VHDX files, which interact with the Windows OS in nearly the same fashion as a ZIP file, are not treated in the same manner. Instead, Windows assumes that because it is purportedly a disk image for a VM, it must be harmless (right?).
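A defender-side check that follows from this difference, added here as an example (it is not code from the article or from CERT): read the Mark of the Web that Windows stores in a file's `Zone.Identifier` alternate data stream and decide how a downloaded container should be handled, quarantining Internet-zone VHD/VHDX images because their contents open without the warnings a ZIP's extracted files would get. The `Zone.Identifier` content and file names are constructed samples.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# URLZONE ids that Windows writes into the Zone.Identifier alternate data stream
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Container types Explorer opens like a folder. Files extracted from a ZIP keep
# the container's Mark of the Web; files inside a mounted VHD/VHDX do not.
MOTW_PROPAGATING = {".zip"}
DISK_IMAGES = {".vhd", ".vhdx"}


@dataclass
class Verdict:
    filename: str
    zone: str
    action: str
    reason: str


def parse_zone_identifier(stream: Optional[str]) -> dict:
    """Parse the INI-style ':Zone.Identifier' stream; no stream means no MOTW."""
    if not stream:
        return {}
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(stream)
    return dict(cp.items("ZoneTransfer")) if cp.has_section("ZoneTransfer") else {}


def classify(filename: str, zone_stream: Optional[str]) -> Verdict:
    """Decide how a downloaded or attached file should be handled before a user opens it."""
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    info = parse_zone_identifier(zone_stream)
    zone_id = int(info.get("zoneid", 0))  # configparser lowercases key names
    zone = ZONE_NAMES.get(zone_id, f"Unknown({zone_id})")
    untrusted = zone_id >= 3              # Internet or Restricted origin
    if untrusted and ext in DISK_IMAGES:
        return Verdict(filename, zone, "quarantine",
                       "disk image from the Internet zone: mounted contents carry no MOTW")
    if untrusted and ext in MOTW_PROPAGATING:
        return Verdict(filename, zone, "allow", "archive from the Internet zone: extracted files keep MOTW")
    return Verdict(filename, zone, "allow", "no container-specific concern")


# Constructed sample Zone.Identifier content, in the form a browser or mail client writes it
INTERNET_MOTW = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://mail.example.test/\r\n"
                 "HostUrl=https://cdn.example.test/invoice.vhd\r\n")

if __name__ == "__main__":
    for name, motw in [("invoice.vhd", INTERNET_MOTW), ("invoice.zip", INTERNET_MOTW), ("backup.vhdx", None)]:
        v = classify(name, motw)
        print(f"{v.filename:12} zone={v.zone:12} action={v.action:10} {v.reason}")
```

On a live Windows host the stream text is what `Get-Content -Stream Zone.Identifier <file>` returns; the same policy can be applied at a mail gateway by treating every attachment as Internet zone.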





As shown in the video linked below, files that the Windows OS treats as potentially hostile within a ZIP file are not treated that way when contained in a VHD. Dormann used the EICAR standard test file to trip virus detection.

https://www.youtube.com/watch?v=09GDJjBufdQ

Phishing attacks using a VHD as a replacement for a ZIP archive could be the difference between your security solutions stopping an attack and one that makes its way into your network. Users need to be that additional line of defense, leveraging the knowledge gained through Security Awareness Training to have the wherewithal not to click an attachment or link that looks suspicious in the first place.

While a VHD-based attack hasn’t widely been seen in the wild, Dormann’s findings are now available for every cybercriminal to use.
