KnowBe4 Security Awareness Training Blog

Virtual Hard Disk Images Containing Malware Are Ignored by Windows and Antivirus Engines

Written by Stu Sjouwerman | Oct 11, 2019 11:19:53 AM

This disturbing find by a CERT researcher shows how attackers can package malicious files inside a Virtual Hard Disk (VHD) image, a container that Windows Explorer opens with a double-click just as readily as a ZIP archive, but without the safeguards a ZIP gets.

It’s common for a phishing email to carry a ZIP file as an attachment: the potential victim double-clicks it, Explorer reveals its contents, and a second double-click launches the enclosed (and malicious) file. In fact, it actually happened this year to me!

On Windows, files downloaded from the Internet are given a Mark of the Web (MotW), a tag stored in the file's Zone.Identifier alternate data stream that tells the OS to treat the file with limited trust. A downloaded ZIP carries the mark, and when Explorer extracts files from that ZIP the mark is propagated to each extracted file, so the OS (SmartScreen) and Office (Protected View) can warn before anything runs.

But CERT researcher Will Dormann found that VHD and VHDX files, which Explorer opens on double-click much as it opens a ZIP, are not treated the same way. Double-clicking a VHD mounts it as a new drive letter, and the files on that drive inherit no Mark of the Web even though the container itself carried one. Windows in effect assumes that because it is purportedly a disk image for a VM, its contents must be harmless (right?).

As shown in the video linked below, files that Windows treats as potentially hostile when they come out of a ZIP are not flagged when they come out of a VHD. Dormann used the EICAR test file to demonstrate the gap: the same content that trips virus detection inside a ZIP went unnoticed inside the VHD image.

https://www.youtube.com/watch?v=09GDJjBufdQ
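To see the difference for yourself, the following PowerShell is an added example (not code from the original post or from Dormann's video). It reads the Zone.Identifier alternate data stream, where Windows stores the Mark of the Web, first for a downloaded container and then for every file on the volume that container exposes once mounted. Function names, parameters and the sample path are the editor's own; the script assumes the built-in Storage module cmdlets (Mount-DiskImage, Get-DiskImage, Get-Disk, Get-Partition, Get-Volume) present on Windows 8 / Server 2012 and later.

```powershell
# Added example (editor's code, not from the original post).
# Mark of the Web lives in the NTFS alternate data stream "Zone.Identifier";
# a ZoneId of 3 means the file came from the Internet zone.

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)

    $zoneId  = $null
    $hostUrl = $null
    # Get-Item -Stream returns the named alternate data stream if it exists;
    # no Zone.Identifier stream means no Mark of the Web (also true on FAT
    # volumes, which cannot hold alternate data streams at all).
    if (Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
        foreach ($line in Get-Content -LiteralPath $Path -Stream Zone.Identifier) {
            if ($line -match '^ZoneId=(\d+)\s*$') { $zoneId  = [int]$Matches[1] }
            if ($line -match '^HostUrl=(.+)$')     { $hostUrl = $Matches[1].Trim() }
        }
    }
    [pscustomobject]@{
        Path    = $Path
        HasMotW = ($null -ne $zoneId)
        ZoneId  = $zoneId
        HostUrl = $hostUrl
    }
}

# Mount a VHD/VHDX read-only, report the mark on the container and on every
# file inside it, then dismount. Do this only in an isolated analysis VM:
# mounting runs no code, but it does expose an attacker-controlled filesystem.
function Compare-VhdMotW {
    param([Parameter(Mandatory)][string]$ImagePath)

    $container = Get-MarkOfTheWeb -Path $ImagePath
    Mount-DiskImage -ImagePath $ImagePath -Access ReadOnly | Out-Null
    try {
        # Walk image -> disk -> partitions -> volumes to find assigned drive letters.
        $letters = Get-DiskImage -ImagePath $ImagePath | Get-Disk | Get-Partition | Get-Volume |
                   Where-Object DriveLetter | Select-Object -ExpandProperty DriveLetter
        $contents = foreach ($letter in $letters) {
            Get-ChildItem -LiteralPath "${letter}:\" -File -Recurse -Force -ErrorAction SilentlyContinue |
                ForEach-Object { Get-MarkOfTheWeb -Path $_.FullName }
        }
    }
    finally {
        Dismount-DiskImage -ImagePath $ImagePath | Out-Null
    }
    [pscustomobject]@{
        Container = $container
        Contents  = @($contents)
    }
}

# Usage (the path is a placeholder, not a real sample):
#   $r = Compare-VhdMotW -ImagePath 'C:\Users\me\Downloads\invoice.vhd'
#   $r.Container | Format-List
#   $r.Contents  | Format-Table Path, HasMotW, ZoneId -AutoSize
```

The finding in the post predicts a ZoneId of 3 on the downloaded container and HasMotW False on every file inside it; run the same function over files extracted from a downloaded ZIP with Explorer and you should see the mark carried through. If the volume inside the image receives no drive letter (for example because automount is disabled), Contents will be empty and a letter has to be assigned with Set-Partition first.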

Phishing attacks that use a VHD in place of a ZIP archive could be the difference between your security solutions stopping an attack and one that makes its way into your network. Your users need to be that last line of defense, leveraging the knowledge gained through Security Awareness Training to have the wits not to click an attachment or link that looks suspicious in the first place.

While VHD-based attacks have not yet been widely seen in the wild, Dormann's findings are now available for every cybercriminal to use. High time to add the .vhd and .vhdx extensions to your email attachment filters and drop those messages in the bit bucket.
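Blocking by extension is the minimum; a content check also catches images that arrive renamed or nested inside another archive. The following PowerShell is an added example (editor's code, not from the original post) that identifies VHD and VHDX files by their on-disk signatures: a VHDX file begins with the ASCII cookie "vhdxfile", and a VHD carries a 512-byte footer beginning with "conectix" at the end of the file (dynamic and differencing VHDs also store a copy of that footer at offset 0). Function names and the sample directory are the editor's own.

```powershell
# Added example (editor's code, not from the original post).
# Identify VHD/VHDX files by content signature instead of trusting the extension.

function Get-DiskImageFormat {
    param([Parameter(Mandatory)][string]$Path)

    $ascii = [System.Text.Encoding]::ASCII
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        if ($fs.Length -lt 8) { return $null }

        # First 8 bytes: "vhdxfile" marks a VHDX; "conectix" at offset 0 marks a
        # dynamic or differencing VHD, which keeps a copy of its footer up front.
        $head = New-Object byte[] 8
        [void]$fs.Read($head, 0, 8)
        switch ($ascii.GetString($head)) {
            'vhdxfile' { return 'VHDX' }
            'conectix' { return 'VHD' }
        }

        # Fixed-size VHD: only the 512-byte footer at end of file carries the cookie.
        if ($fs.Length -ge 512) {
            [void]$fs.Seek(-512, [System.IO.SeekOrigin]::End)
            $foot = New-Object byte[] 8
            [void]$fs.Read($foot, 0, 8)
            if ($ascii.GetString($foot) -eq 'conectix') { return 'VHD' }
        }
        return $null
    }
    finally {
        $fs.Dispose()
    }
}

# Sweep a directory (for example, attachments extracted by a mail gateway) and
# report every file that is really a disk image, whatever extension it claims.
function Find-DiskImageAttachments {
    param([Parameter(Mandatory)][string]$Directory)

    Get-ChildItem -LiteralPath $Directory -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $format = Get-DiskImageFormat -Path $_.FullName
            if ($format) {
                # ExtensionMatches is False when a disk image hides behind another extension.
                [pscustomobject]@{
                    Path             = $_.FullName
                    ClaimedExtension = $_.Extension
                    DetectedFormat   = $format
                    ExtensionMatches = ($_.Extension -in '.vhd', '.vhdx')
                }
            }
        }
}

# Usage (the directory is a placeholder):
#   Find-DiskImageAttachments -Directory 'C:\Quarantine\Attachments' | Format-Table -AutoSize
```

Rows with ExtensionMatches False are the interesting ones for a filter tuned only on .vhd and .vhdx: the content is a mountable disk image even though the name says otherwise. Remember that Explorer itself mounts on double-click only when the extension is .vhd or .vhdx, so a renamed image has to be renamed back by the victim (or a script) before it is dangerous; the content check is there so the gateway, not the user, makes that call.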