Detection of VM-Aware Malware
Source: UC Regents
VM-aware malware is a class of malicious software that can detect whether it is running in a virtualized environment and alter its behavior based on the result. Because much of today's malware analysis is done on virtual machines, this type of malware can successfully evade observation and inspection. Currently, analysts often compare the behavior of malware on a physical host to its behavior in a virtual machine. Unfortunately, this painstaking manual procedure does not lead to the identification or subversion of the detection mechanisms used in malware. In this paper, the authors present two complementary techniques that promote the identification of VM detection behavior in VM-aware malware.