
Cardinal pill testing of system virtual machines

Abstract

Malware analysis relies heavily on the use of virtual machines for functionality and safety. There are subtle differences in operation between virtual machines and physical machines. Contemporary malware checks for these differences to detect that it is being run in a virtual machine, and modifies its behavior to thwart analysis by defenders. Existing approaches to uncovering these differences use randomized testing or malware analysis, and cannot guarantee completeness.

Date
September 13, 2025
Authors
Hao Shi, Abdulla Alwabel, Jelena Mirkovic
Conference
23rd USENIX Security Symposium (USENIX Security 14)
Pages
271-285