Virtual disk attachments can be used to evade antivirus detection, researchers say

• Malware operators leverage virtual disk files to deliver their malware as VHD files can easily bypass Google security and evade detection by antivirus solutions.
• Gmail cannot mount VHD files because they’ve have not been considered as containers for delivering malware.

Security researchers have uncovered that virtual disk files can be used by malware operators to deliver their malware as VHD files can bypass Google security and evade detection by antivirus solutions.

A brief overview

Virtual disk files are locked containers that protect the items from online security defenses. VHD files are typically large in size but can be made small enough to fit in an email attachment.

Last week, vulnerability analyst Will Dormann last published research on VHD and VHDX files being treated like a black box by Windows and the operating system. Upon which, several security researchers tested VHD files for malware detections.

What did they find?

Security researchers tested VHD files with malware encapsulated in them to check the detection rate of multiple antivirus solutions. Antivirus software that normally detects the malware strains became blind to them.

Security researcher JTHL tested a sample of Agent Tesla info stealer embedded in a 7MB-large VHD file and fed it to various antivirus engines. The detection rate was minimal.

“.vhd malwarehttps://insights.sei.cmu[.]edu/cert/2019/09/the-da... … @wdormannstatic / dynamic .vhd are 2 different formats, neither well detectedagenttesla in 2 vhd's:statichttps://www[.]virustotal[.]com/gui/file/212ba2683d465b584b6863650a440365496a4a5819157b45bc7ac4709a69c04f/details …dynamichttps://www[.]virustotal[.]com/gui/file/79b5e758e049c118704209456a8bb549cb69cc3f74b9cd6e01d0a8bc8ffe6d05/details …
not detected by sophos endpoint. PAN Wildfire, Barracuda CPL + ATP + BESG,” JTHL tweeted.

Another security researcher Jan Poulsen tested VHD files by developing a script that mounted the VHD automatically and executed the malware inside. The researcher attached the malware embedded VHD file to a Gmail message, then downloaded the file with Google Chrome, and fed it to the antivirus engine. However, the malware inside the VHD file went undetected.

“Yesterday i did a full attach and execute script. Et will mount the .vhd automatically and execute the malware inside. At no point is the malware detected,” Poulsen tweeted.

The bottom line

Gmail blocks some file types in attachments that may distribute harmful software. However, neither Gmail nor Chrome can mount VHD files, because VHD files have not been considered as containers for delivering malware.

This is why malicious VHDs easily bypass Gmail and Chrome security and go undetected by antivirus solutions.