Dynamic (Behavior) Analysis > Behavior Monitoring - Pg. 418

Chapter 9 · DIY Malware Analysis

Tools & Traps

Malware That Detects Virtual Environments

A major drawback of this approach is that some malware may detect, or attempt to detect, whether it is running in a virtual machine. This has become a pretty common case today, as malware authors are aware of the benefits that virtual machines offer for malware analysis. Malware that detects a virtual machine will typically just exit upon detection, or perform some benign or innocuous action, making useful behavior analysis in a virtual environment almost impossible. In such a case, you might need to revert to physical machines, or use static (code) analysis as a replacement for or supplement to the virtual environment. Themida is an example of a well-known packer that detects virtual machines and stops the executable from running. Peter Ferrie's paper "Attacks on Virtual Machine Emulators" considers known attacks on VMware and Virtual PC, as well as other virtual machines such as Hydra and Xen (http://pferrie.tripod.com/papers/attacks.pdf).
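A triage check along these lines, added here as an example and not taken from the book: a small scanner that flags, before any dynamic run is attempted, whether a sample carries common virtual-machine probes (strings naming VMware, VirtualBox, Virtual PC or Xen, the VMware backdoor magic value 0x564D5868, and the SIDT instruction behind the "red pill" check discussed in Ferrie's paper), so the analyst knows in advance to fall back to physical hardware or static analysis. The indicator table, the dataclass and the sample bytes are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed indicator table (extend it from Ferrie's paper as needed).
# ASCII names that VM-aware samples compare against device, driver or vendor strings.
STRING_INDICATORS = [b"VMware", b"VBox", b"VirtualBox", b"Virtual PC", b"Xen"]

# Byte patterns: the VMware backdoor magic 0x564D5868 ("VMXh") as a little-endian
# 32-bit immediate, and SIDT (0F 01 /1: ModRM reg field == 1, mod != 11, since
# mod == 11 with reg 1 encodes MONITOR/MWAIT rather than SIDT).
BYTE_PATTERNS = {
    "vmware_backdoor_magic": re.compile(rb"\x68\x58\x4d\x56"),
    "sidt_instruction": re.compile(rb"\x0f\x01[\x08-\x0f\x48-\x4f\x88-\x8f]"),
}


@dataclass
class VmAwarenessReport:
    hits: dict = field(default_factory=dict)  # indicator name -> sorted file offsets

    @property
    def vm_aware(self) -> bool:
        return bool(self.hits)


def scan_sample(data: bytes) -> VmAwarenessReport:
    """Heuristic triage: record where VM-probe strings and opcodes occur in a sample."""
    report = VmAwarenessReport()
    for s in STRING_INDICATORS:
        offs = [m.start() for m in re.finditer(re.escape(s), data)]
        # Also catch the UTF-16LE form used by wide-string Windows API arguments.
        wide = s.decode("ascii").encode("utf-16-le")
        offs += [m.start() for m in re.finditer(re.escape(wide), data)]
        if offs:
            report.hits[s.decode("ascii")] = sorted(offs)
    for name, pat in BYTE_PATTERNS.items():
        offs = [m.start() for m in pat.finditer(data)]
        if offs:
            report.hits[name] = offs
    return report


# Constructed sample: filler, a red-pill style SIDT [ebp-8] (0F 01 4D F8), the VMware
# magic loaded into EAX (B8 68 58 4D 56), and a vendor string used as a comparison target.
SAMPLE = b"MZ" + b"\x90" * 16 + b"\x0f\x01\x4d\xf8" + b"\xb8\x68\x58\x4d\x56" + b"\x00VMware\x00"
CLEAN = b"MZ" + b"\x90" * 32 + b"hello world\x00"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("clean", CLEAN)):
        r = scan_sample(blob)
        print(label, "VM-aware" if r.vm_aware else "no indicators", r.hits)
```

A hit means the sample deserves a physical-machine run or a static look before trusting sandbox output; a miss does not prove the sample is VM-agnostic, since probes can be obfuscated or computed at runtime.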