Malware becomes more sophisticated with every passing day. As new technologies emerge, malware developers consider those technologies to determine whether they can help or hamper their malware. Virtual machine (VM) technology is certainly no exception. While VM technology has been around for a quite a while, it's popularity has begun to grow by leaps and bounds.

Security analysts often use VM technology to contain malware in a protected environment so that the malware can't harm the entire system or reach out to the network a machine might be connected to. Therefore VMs pose an obvious problem to malware writers, and naturally those writers have looked for ways to avoid analysis of their code in a VM environment.

Recently, Lenny Zeltser, incident handler for the SANS Institute, wrote that some malware developers use packagers that wrap malware in a manner that's designed to prevent reverse engineering. An added feature of some application packagers is to prevent the execution of a program in a VM environment if the packager detects the presence of a VM through any combination of the characteristic changes the VM makes to a running OS. While this sort of malware prevention is useful for legitimate software developers, it sometimes causes problems for malware analysts.

Zeltser reported that three of twelve malware specimens recently captured by SANS honeypots used VM detection, and those malware specimens refused to run when a VM was present. Two readers of Zeltser's report wrote to suggest that perhaps the tables could be turned on such malware developers by using malware's technology against the malware itself. The readers suggested that an emulator could be developed that simply poses as a VM without actually being a real VM. The benefit of this approach would be to protect a system against certain types of malware that use VM detection.

While to date no such technology exists, it does look like a viable solution to at least part of the ever-growing malware problem. It could be that we'll find such a feature embedded into future versions of various security products.