Martin Overton IBM
download slides (PDF)
Virtual machines are widely used by malcode researchers to analyse new malware or to see what it does without risking a real machine. However, virtual-machine-aware malware now exists, which makes using them more problematic.
The beauty of using virtual machines is that they can easily be reset to a 'known clean state' as well as part of virtual networks shared by individual virtual machines. This means that you can simulate the Internet to allow analysis of worms, bots and other network-borne threats as well as traditional viruses, worms and trojans.
This paper will show how useful virtual machines are to security professionals, using VMware as a working platform. It will also discuss ways to use VMware not only to analyse what a new malware does, using numerous other tools, but also how to set up virtual machines and networks to capture malware. It will also discuss a selection of known anti-vm malware [including Conficker] and the ways they detect that they are running in a virtual machine.