Title: Measuring virtual machine detection in malware using DSD tracer

Authors: Boris Lau, Vanja Svajcer

Affiliation: SophosLabs, Sophos Plc, The Pentagon, Abingdon, UK

Abstract: Most methods for detecting that a process is running inside a virtual environment such as VMware or Microsoft Virtual PC are well known, and the paper briefly discusses the most common methods measured during the research. The measurements are conducted over a representative set of malicious files, with special regard to packer code. The results are broken down by malware category, family and various commercial and non-commercial packers, and are presented in graphical and tabular format. The extent of the virtual machine detection problem is estimated from the results of the research. The main subject of the paper is the measurement of actual usage of virtual machine detection methods in current malware. The research uses DSD Tracer, a dynamic-static tracing system based on an instrumented Bochs virtual machine. The system employs tracing to produce traces of execution that can be scripted or used as a basis for disassembly/emulation in IDA Pro when combined with a customised version of IDAEmul (emulator). The paper gives an overview of the design and usage of DSD Tracer.

Keywords: (none listed)

This document has been indexed by SpringerLink and other databases.