Virtual machines for real malware capture and analysis

Martin Overton IBM

  download slides (PDF)

Virtual machines are widely used by malcode researchers to analyse new malware or to see what it does without risking a real machine. However, virtual-machine-aware malware now exists, which makes using them more problematic.

The beauty of using virtual machines is that they can easily be reset to a 'known clean state' as well as part of virtual networks shared by individual virtual machines. This means that you can simulate the Internet to allow analysis of worms, bots and other network-borne threats as well as traditional viruses, worms and trojans.

This paper will show how useful virtual machines are to security professionals, using VMware as a working platform. It will also discuss ways to use VMware not only to analyse what a new malware does, using numerous other tools, but also how to set up virtual machines and networks to capture malware. It will also discuss a selection of known anti-vm malware [including Conficker] and the ways they detect that they are running in a virtual machine.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.