The Windows operating system and antivirus software treat VHD and VHDX disk image downloads like a black box: the files inside these containers are not scanned until the image is mounted and the files are run.

VHD and its newer version, VHDX, are disk images that appear and behave like a physical drive when opened in Windows.

Attackers can slip malware inside these disk images and lure potential victims into downloading them, bypassing Windows' initial defenses.

Antivirus engines are also fooled, since they don't look inside these containers, discovered Will Dormann, vulnerability analyst at CERT/CC.

Online origin not flagged

Windows grants different levels of trust to files according to their origin. Data fetched from an online location is more likely to be malicious and is therefore handled with more caution.

Windows marks files downloaded from the Internet with a Mark of the Web (MOTW) label so that it knows to grant them limited access to machine resources. Users see warnings about the potential risk of running these files and are typically asked for consent before they execute.

MOTW is applied to all files originating from an online location, including the individual items in containers such as archives, provided that Explorer or a compliant ZIP tool is used.

However, the same does not apply to VHD and VHDX files, which behave similarly to a ZIP archive in that their content is shown just by double-clicking the file.

"Any file contained within a VHD or VHDX file will not receive the same protections that Windows provides against files that originated from the Internet."

To demonstrate this, Dormann recorded a video showing how Windows defenses kick in when launching malicious files in a ZIP and lay dormant when the container is a VHD.
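The MOTW described above is stored in an NTFS alternate data stream named Zone.Identifier, a small INI-style text whose ZoneId field records the URL security zone (3 is Internet). The following is an added example, not code from the article or from Dormann: a Python parser for that stream, a Windows-only reader for it, and a helper that reports which files carry no Internet mark and would therefore get no warning. The stream texts, paths and the function names are constructed here for illustration.

```python
import os
from typing import Dict, Iterable, List, Optional, Tuple

ZONE_STREAM_SUFFIX = ":Zone.Identifier"  # NTFS alternate data stream that carries the MOTW
URLZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
                 3: "Internet", 4: "RestrictedSites"}
URLZONE_INTERNET = 3


def parse_zone_identifier(text: str) -> Optional[Dict[str, str]]:
    """Parse the INI-style Zone.Identifier stream.

    Returns the keys of the [ZoneTransfer] section, or None when the section is absent,
    which is what a file copied out of a mounted VHD looks like (no stream at all).
    """
    fields: Dict[str, str] = {}
    in_section = False
    seen_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            seen_section = seen_section or in_section
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields if seen_section else None


def zone_id(fields: Optional[Dict[str, str]]) -> Optional[int]:
    """ZoneId as an integer, or None when missing or malformed."""
    if not fields or "ZoneId" not in fields:
        return None
    try:
        return int(fields["ZoneId"])
    except ValueError:
        return None


def is_untrusted_origin(text: Optional[str]) -> bool:
    """True when the stream says Internet (3) or RestrictedSites (4), the zones Windows warns about."""
    zid = zone_id(parse_zone_identifier(text)) if text is not None else None
    return zid is not None and zid >= URLZONE_INTERNET


def read_zone_stream(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier stream on Windows/NTFS; None when the file has no MOTW."""
    if os.name != "nt":
        raise OSError("alternate data streams are only readable on Windows/NTFS")
    try:
        with open(path + ZONE_STREAM_SUFFIX, "r", encoding="utf-8", errors="replace") as stream:
            return stream.read()
    except FileNotFoundError:
        return None


def files_without_motw(entries: Iterable[Tuple[str, Optional[str]]]) -> List[str]:
    """Given (path, stream text or None) pairs, list the files that would NOT trigger a warning."""
    return [path for path, stream in entries if not is_untrusted_origin(stream)]


# Constructed sample streams (not captured from a real machine)
SAMPLE_FROM_ZIP = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "ReferrerUrl=https://downloads.example.invalid/\r\n"
                   "HostUrl=https://downloads.example.invalid/tools.zip\r\n")
SAMPLE_LOCAL = "[ZoneTransfer]\r\nZoneId=0\r\n"

if __name__ == "__main__":
    # A file extracted from a ZIP keeps the mark, a file copied out of a mounted VHD
    # has no stream at all, so only the first one is warned about.
    extracted = [("from_zip\\tool.exe", SAMPLE_FROM_ZIP),
                 ("from_vhd\\tool.exe", None),
                 ("local\\tool.exe", SAMPLE_LOCAL)]
    for path in files_without_motw(extracted):
        print("no Internet MOTW, Windows will not warn:", path)
```

On a Windows host, pairing each path with read_zone_stream(path) and feeding the list to files_without_motw reproduces the gap the video shows: files pulled from a ZIP with Explorer come back with ZoneId=3, files pulled from a mounted VHD come back with None.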

No reaction from AV, either

Antivirus software makes the same distinction. The researcher ran a test with a VHD that contained the EICAR standard file, which exists to trigger a detection from antivirus products.

None of the scanning engines on the VirusTotal platform flagged the VHD container as a potential risk.

In an enterprise environment, Dormann says, the inability to scan these files leaves a blind spot until they reach an endpoint where a security solution's on-access scan can kick in.

"If the contents of VHD and VHDX files are not scanned by email and web gateway security products, those products have no hope of detecting malware contained within VHD or VHDX files."

The results are much the same with a real threat. Security researcher JTHL carried out the same experiment with a variant of the Agent Tesla infostealer in a VHD container; the malware went virtually undetected.

.vhd malware https://t.co/n3vU3CNXNM @wdormann
static / dynamic .vhd are 2 different formats
neither well detected
agenttesla in 2 vhd's:
static https://t.co/MOvdCWS6v2
dynamic https://t.co/yK1h4EBv0B
not detected by
sophos endpoint
PAN Wildfire
Barracuda CPL + ATP + BESG pic.twitter.com/zZkyvl5AlE — JTHL (@JayTHL) September 5, 2019
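The tweet above points out that static (fixed) and dynamic VHDs are two different on-disk formats, and the gateway blind spot Dormann describes starts with recognising the container at all. The following is an added example, not code from the article or from either researcher: a Python identifier that recognises VHDX, fixed VHD and dynamic VHD by their signatures rather than by file extension, plus a gateway-style verdict that flags a disk image whose name claims to be something else. The signature offsets follow Microsoft's published VHD and VHDX layouts (the "conectix" footer cookie with the disk type at footer offset 60, the "cxsparse" dynamic header, the "vhdxfile" identifier at offset 0); classify_attachment, make_sample_image and the sample blobs are constructed here and are not real disk images.

```python
import struct
from typing import Optional

VHD_FOOTER_SIZE = 512
VHD_COOKIE = b"conectix"          # cookie at the start of the 512-byte VHD footer
VHD_DYNAMIC_COOKIE = b"cxsparse"  # cookie of the dynamic disk header (dynamic/differencing VHD)
VHDX_SIGNATURE = b"vhdxfile"      # file type identifier at offset 0 of a VHDX
VHD_DISK_TYPES = {2: "vhd-fixed", 3: "vhd-dynamic", 4: "vhd-differencing"}
DISK_IMAGE_EXTENSIONS = (".vhd", ".vhdx")


def _vhd_type_from_footer(footer: bytes) -> str:
    # Disk Type is a big-endian uint32 at footer offset 60
    disk_type = struct.unpack_from(">I", footer, 60)[0]
    return VHD_DISK_TYPES.get(disk_type, "vhd-unknown")


def identify_disk_image(data: bytes) -> Optional[str]:
    """Classify bytes as a VHDX, fixed VHD or dynamic VHD by structure, ignoring the file name.

    Returns None when the bytes do not look like either container.
    """
    if data[:8] == VHDX_SIGNATURE:
        return "vhdx"
    # Fixed and dynamic VHDs end with a footer; dynamic ones also keep a copy at offset 0,
    # so a truncated dynamic image is still recognised from its head.
    if len(data) >= VHD_FOOTER_SIZE and data[-VHD_FOOTER_SIZE:][:8] == VHD_COOKIE:
        return _vhd_type_from_footer(data[-VHD_FOOTER_SIZE:])
    if len(data) >= VHD_FOOTER_SIZE and data[:8] == VHD_COOKIE:
        return _vhd_type_from_footer(data[:VHD_FOOTER_SIZE])
    return None


def classify_attachment(filename: str, data: bytes) -> dict:
    """Gateway-style verdict (hypothetical): flag disk-image containers and name/content mismatches."""
    kind = identify_disk_image(data)
    claims_disk_image = filename.lower().endswith(DISK_IMAGE_EXTENSIONS)
    return {
        "filename": filename,
        "container": kind,
        "is_disk_image": kind is not None,
        # a renamed container, or a .vhd name that is not one, deserves a closer look
        "extension_mismatch": claims_disk_image != (kind is not None),
        "needs_mount_scan": kind is not None,  # contents are invisible until mounted or parsed
    }


# --- constructed samples: not real disk images, just enough structure to exercise the checks ---

def make_vhd_footer(disk_type: int) -> bytes:
    footer = bytearray(VHD_FOOTER_SIZE)
    footer[0:8] = VHD_COOKIE
    struct.pack_into(">I", footer, 60, disk_type)
    return bytes(footer)


def make_sample_image(kind: str) -> bytes:
    if kind == "vhdx":
        return VHDX_SIGNATURE + bytes(4096)
    if kind == "vhd-fixed":
        return bytes(4096) + make_vhd_footer(2)  # raw sectors, then the footer
    if kind == "vhd-dynamic":
        header = make_vhd_footer(3) + VHD_DYNAMIC_COOKIE + bytes(1016)  # footer copy + dynamic header
        return header + bytes(4096) + make_vhd_footer(3)
    raise ValueError(f"unknown sample kind: {kind}")


if __name__ == "__main__":
    for name, kind in (("disk.vhd", "vhd-fixed"), ("disk.vhd", "vhd-dynamic"),
                       ("invoice.pdf", "vhdx"), ("archive.zip", None)):
        blob = make_sample_image(kind) if kind else b"PK\x03\x04" + bytes(600)
        print(classify_attachment(name, blob))
```

Recognising the container is only the first step: a gateway that wants the detection rate a ZIP gets has to go on and mount or parse the image and scan the files inside, which is exactly what the products in the tweet did not do.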

Although IMG and ISO images likewise don't carry the MOTW flag and can also be opened with a double click, antivirus solutions on VirusTotal treated them differently.

Dormann ran the same EICAR experiment with these image types and received alerts from multiple security products, although the detection rate was still low.

The researcher has some recommendations for enterprises that want to improve their defenses against attack scenarios: