Date: 2020-11-13

When a new virus appears, security experts try to quickly find out how it works so they can create antivirus programs (or updates to them) that stop it and, in this way, guarantee the security of computers.

Computer security experts often analyze viruses and malware on virtual machines

During the study process, the experts recreate a test scenario using virtual machines, which generate operating system images that run within the same computer. That is, it is a kind of PC within another PC, where you can use two identical operating systems (Windows and Windows) or different ones (Windows and Linux) and use both without them interfering with each other, because they are completely independent. This lets the experts test these viruses without compromising the main operating system.

The developers of these viruses, malware and other malicious software have noticed that security experts use virtual machines as test systems, so they have devised a way to detect when one of these secondary systems is in use, so that the virus behaves differently there.

To do this, they use the "screen resolution". Security experts generally do not install display management software on the virtual machine (it is not required), which would allow the resolution to be changed. They tend to leave the defaults that the system ships with, which are generally 800 x 600 pixels or 1024 x 768 pixels.

These are old resolutions, which are not supported by most new equipment. For this reason, hackers now program viruses to detect the screen settings, and if they correspond to 800 x 600 pixels or 1024 x 768 pixels, the virus recognizes that it is not on a real machine but on a virtual one. So it behaves differently.

In fact, when the virus detects that it is in a virtual environment, it self-destructs, rendering the attack ineffective and making it undetectable to the security expert, who, unable to identify or see it, classifies it as benign or harmless. This is a "false negative" that allows the virus to pass the security filters of antivirus and antimalware programs. When the virus reaches a computer that is not a virtual machine, it detects a better screen resolution there and acts with total lethality.
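An added example, not part of the original article: a triage check an analyst could run over sandbox traces to catch the false negative described above, flagging samples that ran on a VM at one of the default resolutions, queried the display, and then deleted themselves with no other activity. The trace format, event names and sample data are hypothetical and constructed for illustration.

```python
import re

# Default VM resolutions named in the article.
DEFAULT_VM_RESOLUTIONS = {(800, 600), (1024, 768)}

# Constructed trace in a hypothetical "<seconds> <sample> <event> [detail]" format.
SAMPLE_TRACE = """\
0.10 sampleA start vm_display=1024x768
0.42 sampleA display_query
0.45 sampleA self_delete
0.46 sampleA exit
0.10 sampleB start vm_display=1024x768
0.30 sampleB display_query
2.10 sampleB file_write report.docx
9.80 sampleB exit
0.10 sampleC start vm_display=1920x1080
0.40 sampleC display_query
0.41 sampleC self_delete
"""
LINE = re.compile(r"^(\d+\.\d+) (\S+) (\S+)(?: (.*))?$")

def parse(trace):
    """Group events per sample as (time, event, detail) tuples, in trace order."""
    runs = {}
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if m:  # blank or malformed lines are skipped
            t, sample, event, detail = m.groups()
            runs.setdefault(sample, []).append((float(t), event, detail or ""))
    return runs

def vm_resolution(events):
    """Return (width, height) recorded on the run's start event, or None."""
    for _, event, detail in events:
        m = re.search(r"vm_display=(\d+)x(\d+)", detail)
        if event == "start" and m:
            return int(m.group(1)), int(m.group(2))
    return None

def needs_rerun(events, window=1.0):
    """True if the run used a default resolution and the sample self-deleted
    immediately after its display query (no other event in between)."""
    if vm_resolution(events) not in DEFAULT_VM_RESOLUTIONS:
        return False
    names = [event for _, event, _ in events]
    if "display_query" not in names or "self_delete" not in names:
        return False
    q, d = names.index("display_query"), names.index("self_delete")
    return d == q + 1 and events[d][0] - events[q][0] <= window

def triage(trace):
    """Samples whose 'benign' verdict should not be trusted until re-run."""
    return sorted(s for s, ev in parse(trace).items() if needs_rerun(ev))
```

Samples returned by `triage` are candidates for a second run on an analysis VM configured with a non-default resolution before any verdict is recorded.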

