Virtual machines for real malware capture and analysis

Martin Overton, IBM

Virtual machines are widely used by malcode researchers to analyse new malware, or to observe what it does, without risking a real machine. However, virtual-machine-aware malware now exists, which makes using them more problematic.

The beauty of using virtual machines is that they can easily be reset to a 'known clean state', and they can be joined into virtual networks shared among individual virtual machines. This means that you can simulate the Internet, allowing analysis of worms, bots and other network-borne threats as well as traditional viruses, worms and trojans.

This paper will show how useful virtual machines are to security professionals, using VMware as a working platform. It will discuss not only how to use VMware, together with numerous other tools, to analyse what a new piece of malware does, but also how to set up virtual machines and networks to capture malware. It will also discuss a selection of known anti-VM malware (including Conficker) and the ways in which they detect that they are running in a virtual machine.
