Virtual Hard Disk Images Containing Malware Are Ignored by Windows and Antivirus Engines


This disturbing find by a CERT researcher demonstrates how attackers can embed malicious files within a Virtual Hard Disk (VHD) image, which Windows opens in much the same way as a ZIP archive.

It’s common to have a phishing attack include a ZIP file as an attachment, only to have the potential victim double-click it, reveal its contents in Explorer, and double-click the enclosed (and malicious) file. In fact, it actually happened this year to me!

Now, with Windows, files retrieved from an online location are given a Mark of the Web, which tells the OS to give the file limited trust and handle it with caution. Files of the ZIP filetype fall into this category: Windows and Office can pop up warnings if the file could be malicious.

But CERT researcher Will Dormann found that VHD and VHDX files, which interact with the Windows OS in nearly the same fashion as a ZIP file, are not treated in the same manner. Instead, Windows assumes that because it's purportedly a disk image for a VM, it must be harmless (right?).

As shown in the video linked below, files that the Windows OS treats as potentially hostile within a ZIP file aren't treated that way when contained in a VHD. Dormann used the EICAR standard test file to trip virus detection.

Phishing attacks using a VHD as a replacement ZIP archive could be the difference between your security solutions stopping an attack, and one that makes its way into your network. Your users need to be that last line of defense, leveraging the knowledge gained through Security Awareness Training to have the wits to not click an attachment or link that looks suspicious in the first place.

While a VHD-based attack hasn’t widely been seen in the wild, Dormann’s findings are now available for every cybercriminal to use. High time to put that VHD extension in your email filters and drop those in the bit bucket.
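The mail-filter rule suggested above can be implemented as a small attachment check. The following is an added example, not code from the original post or from CERT: it parses a message, quarantines any attachment with a .vhd or .vhdx extension, and additionally inspects attachment bytes for the VHD footer cookie ("conectix") and the VHDX file identifier ("vhdxfile") so that a disk image renamed to another extension is still caught. The sample message, its addresses and attachment names are constructed for the example.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Extensions the post recommends dropping at the mail gateway.
BLOCKED_EXTENSIONS = {".vhd", ".vhdx"}

# Signatures from the public VHD/VHDX format specifications:
#   VHDX: the file type identifier "vhdxfile" at byte offset 0
#   VHD:  a 512-byte footer beginning with the cookie "conectix"; dynamic and
#         differencing VHDs also keep a copy of that footer at offset 0
VHDX_SIGNATURE = b"vhdxfile"
VHD_COOKIE = b"conectix"
VHD_FOOTER_SIZE = 512


def looks_like_vhd(data: bytes) -> bool:
    """True if the bytes carry a VHD or VHDX signature, whatever the filename says."""
    if data.startswith(VHDX_SIGNATURE) or data.startswith(VHD_COOKIE):
        return True
    # Fixed-size VHDs only carry the footer at the very end of the file.
    return len(data) >= VHD_FOOTER_SIZE and data[-VHD_FOOTER_SIZE:].startswith(VHD_COOKIE)


def flag_disk_image_attachments(raw_message: bytes) -> List[Tuple[str, str]]:
    """Parse an RFC 822 message and return (filename, reason) for each attachment
    that should be quarantined: a blocked extension, or disk-image bytes under
    some other extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, "blocked extension " + ext))
        elif looks_like_vhd(payload):
            findings.append((name, "VHD/VHDX signature under a different extension"))
    return findings


def build_sample_message() -> bytes:
    """Construct a test message (not a real phishing sample) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"      # constructed address
    msg["To"] = "user@example.test"          # constructed address
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    # 1: harmless text attachment, expected to pass
    msg.add_attachment(b"hello", maintype="text", subtype="plain",
                       filename="notes.txt")
    # 2: dynamic-VHD-style bytes with an honest extension, blocked by name
    msg.add_attachment(VHD_COOKIE + b"\0" * 504, maintype="application",
                       subtype="octet-stream", filename="invoice.vhd")
    # 3: fixed-VHD-style bytes renamed to .dat, caught by the footer cookie
    fake_fixed = b"\0" * 1024 + VHD_COOKIE + b"\0" * 504
    msg.add_attachment(fake_fixed, maintype="application",
                       subtype="octet-stream", filename="invoice.dat")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in flag_disk_image_attachments(build_sample_message()):
        print(f"quarantine {filename}: {reason}")
```

The extension rule alone implements what the post asks for; the signature check is there because a gateway that matches only on the filename is trivially bypassed by renaming the attachment, and the VHD/VHDX signatures are fixed by the file formats themselves.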

Free Ransomware Simulator Tool

Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 24 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

Here's how it works:

  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 25 types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes!

Get RanSim!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:
