I often overhear talk about so-called next-generation anti-VM, anti-sandnet and anti-debugger techniques and their *widespread* use by modern malware, and how this is hurting modern-day automated malware analysis and detection. Well, I find the facts are quite different. Most of these claims don't provide good evidence, and I consider them little more than an attempt to create FUD (Fear, Uncertainty and Doubt). The reality is that after the good old days of IRC bots, which were created mostly for fun, the majority of commercial malware has shown no interest in detecting VMs and/or debuggers. Why? I will come to the reasons later.
A while back, I talked about the world's top 20 malware list based on FireEye's real-time data feed. None of these malware families except for Conficker (number 11) try to detect virtual machines. What about taking into consideration the top 10 malware list given by Microsoft a while back? I can prove that none of these top 10 malware families try to detect a virtual environment.
How many malware families try to detect popular, publicly available sandnets like ThreatExpert? See for yourself.
Continue reading "The Dead Giveaways of VM-Aware Malware" »
