Detecting & Defeating Split Personality Malware
Security analysts extensively use virtual machines to analyze sample programs and study them to determine whether they contain any malware. In the process, if the malware destabilizes the guest OS, the analysts simply discard it and load a fresh image. This approach increases their productivity. Since naive users do not run virtual machines, malware authors have observed that there is a good probability that their malware is being analyzed if it is running in a Virtual Machine (VM). When such analysis-aware malware detects the presence of a VM, it behaves in a benign manner, thus escaping detection.