Showing posts from November 19, 2006

Faking a Virtual Machine

One of the more popular trends in recent years is the move of malicious code analysts towards virtual machines to test and reverse-engineer malicious code. And surprisingly, the virus/worm writers have been adding mechanisms to their code to detect such environments. I came across this particular piece of software called Themida which does exactly that. Lenny Zeltser from SANS reports about this on SANS. What's interesting is that this kind of detection is now part of commercial packers around the world. The question I have is this: how long will it take for someone to come up with a VMware/virtual machine simulator/faker which I can run on my perfect non-virtual desktop/laptop/server and make malware believe it's running inside a virtual machine? If that can kill even a small percent of fresh 0-day worms/viruses, it would be worth the effort. Wouldn't it?
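As an added illustration of the "VM faker" idea (example code written for this page, not taken from the post, from Themida, or from any packer), the script below scores a host against the cheap VM-presence artifacts that anti-VM checks commonly look for: MAC address OUIs registered to VMware and VirtualBox, guest-tools driver file names, the BIOS vendor string, and the hypervisor vendor string returned by CPUID leaf 0x40000000. It is run over constructed inventories of a bare-metal machine, that same machine with VMware artifacts deliberately planted, and a genuine VMware guest. The `HostInventory`, `score_host` and `plant_vm_artifacts` names, and all the inventories, are assumptions made for the example. The point the post raises is visible in the result: a user-space faker on a physical machine can plant the MAC, file and BIOS artifacts, but it cannot make CPUID report a hypervisor, because only code running beneath the OS (a real hypervisor) controls that leaf.

```python
"""Added example (not from the original post): a VM-artifact scorer run over
constructed host inventories, showing which checks a user-space 'VM faker'
on a physical host can satisfy and which it cannot.

All names (HostInventory, score_host, plant_vm_artifacts) and inventories are
assumptions for this example; the artifact values are widely documented ones.
"""
from dataclasses import dataclass, field, replace

# MAC address prefixes (OUIs) registered to virtualization vendors.
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox",
}
# Vendor strings hypervisors return in CPUID leaf 0x40000000 (EBX:ECX:EDX).
HYPERVISOR_VENDORS = {
    "VMwareVMware": "VMware", "VBoxVBoxVBox": "VirtualBox",
    "KVMKVMKVM": "KVM", "XenVMMXenVMM": "Xen", "Microsoft Hv": "Hyper-V",
}
# Guest-tools drivers/services whose mere presence is used as a VM tell.
VM_ARTIFACT_FILES = {
    "vmmouse.sys": "VMware", "vmhgfs.sys": "VMware", "vmtoolsd.exe": "VMware",
    "VBoxMouse.sys": "VirtualBox", "VBoxService.exe": "VirtualBox",
}


@dataclass
class HostInventory:
    """Constructed snapshot of what a detector can observe on a host."""
    mac_addresses: list
    files_present: set
    bios_vendor: str
    # Vendor string from CPUID leaf 0x40000000; "" when CPUID.1:ECX[31]
    # (hypervisor-present) is clear. Only a real hypervisor can set this.
    hypervisor_vendor: str = ""


@dataclass
class Verdict:
    hits: list = field(default_factory=list)   # (check_name, vendor) pairs

    def is_vm(self) -> bool:
        return bool(self.hits)

    def checks_hit(self) -> set:
        return {check for check, _ in self.hits}


def score_host(inv: HostInventory) -> Verdict:
    """Apply each artifact check and record which ones fired."""
    v = Verdict()
    for mac in inv.mac_addresses:
        oui = mac.upper()[:8]
        if oui in VM_MAC_OUIS:
            v.hits.append(("mac_oui", VM_MAC_OUIS[oui]))
    for name in inv.files_present:
        if name in VM_ARTIFACT_FILES:
            v.hits.append(("file", VM_ARTIFACT_FILES[name]))
    if "vmware" in inv.bios_vendor.lower():
        v.hits.append(("bios", "VMware"))
    vendor = inv.hypervisor_vendor.rstrip("\0")
    if vendor in HYPERVISOR_VENDORS:
        v.hits.append(("cpuid", HYPERVISOR_VENDORS[vendor]))
    return v


def physical_host() -> HostInventory:
    """Constructed inventory of a bare-metal laptop with no VM artifacts."""
    return HostInventory(
        mac_addresses=["00:16:17:AA:BB:CC"],   # constructed, not a VM OUI
        files_present={"ntoskrnl.exe", "hal.dll"},
        bios_vendor="Phoenix Technologies LTD",
    )


def plant_vm_artifacts(inv: HostInventory) -> HostInventory:
    """What a user-space faker on a physical host can do: plant the cheap
    artifacts. It cannot touch CPUID, so hypervisor_vendor stays unchanged."""
    return replace(
        inv,
        mac_addresses=inv.mac_addresses + ["00:0C:29:12:34:56"],
        files_present=inv.files_present | {"vmmouse.sys", "vmtoolsd.exe"},
        bios_vendor="VMware, Inc.",
    )


def real_vmware_guest() -> HostInventory:
    """Constructed inventory of a genuine VMware guest: CPUID fires too."""
    return replace(plant_vm_artifacts(physical_host()),
                   hypervisor_vendor="VMwareVMware")


if __name__ == "__main__":
    for label, inv in [("physical", physical_host()),
                       ("faked", plant_vm_artifacts(physical_host())),
                       ("real guest", real_vmware_guest())]:
        v = score_host(inv)
        print(f"{label:10s} vm={v.is_vm()} checks={sorted(v.checks_hit())}")
```

Malware that relies only on the cheap artifacts is fooled by the faked host; malware that checks CPUID (or the VMware I/O backdoor port, which likewise only a hypervisor answers) is not, so a faker that wants to defeat those checks ends up having to be a thin hypervisor itself.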