As virtual machines and various emulators have become commonplace in the analysis of malicious code, malicious code has started to fight back. This hot topic was recently covered at the AVAR 2006 conference by Peter Ferrie, a researcher at Symantec's anti-virus research center.
Ferrie has published a paper discussing how various virtual machines can be detected and how such detection can be defended against. “The focus of the paper is the different ways in which various virtual machines can be detected. There are detections for VMware, VirtualPC, Parallels, Bochs, Hydra (though the published methods have since been fixed), QEMU, Atlantis and Sandbox, along with lots of source code,” writes Ferrie in a post on Symantec’s blog.
The full paper is available from here.