Saturday, January 8, 2011
Some thoughts on malware analysis and vmware
There are a number of different ways to examine malware, from using automated sites like threatexpert and virustotal to running your own sandbox locally (either on a physical machine or by using virtualization software like vmware). Some in the malware analysis community advocate using real hardware, since some pieces of malware have virtualization detection mechanisms built into them. Others point out that virtualization provides a greater level of flexibility, and that you can actually put measures in place for dealing with malware that tries to behave differently in a virtualized environment.

I recently began to think a lot about this, since many companies are now using virtualization to a greater extent internally on things like webservers, as this can lead to lower costs and greater flexibility. It makes one wonder: does this mean that we are going to see a new trend in malware that ignores whether a machine is virtualized or not and just behaves the same anyway? If this does not appear to be the case, then does it mean that increased virtualization of both servers and desktops can actually reduce the likelihood of an organization being as heavily impacted by malware?