Virtual Machines

From SpybotWiki

Virtual machines are a key instrument in analyzing malware, since they provide a separate environment that can be quickly reset.


Even if code runs in a virtual machine, that machine usually has network connections to the outside set up. It is essential to have a sensible setup everywhere else on the local network as well, which means for example absolutely no network shares that are not user/password protected, no XP machines that haven't seen a recent Windows Update, and similar standard security precautions.
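An added example, not part of the original wiki page: a small Python audit of a VMware guest's .vmx file (VMware is one of the products listed on this page) that reports which enabled virtual network adapters give the guest a path to the local network. The sample configuration is constructed, the function names are this example's own, and an adapter without a `connectionType` line is assumed to be bridged.

```python
import re

# Constructed sample .vmx content for illustration (not from the original page).
SAMPLE_VMX = '''\
displayName = "analysis-xp"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet1.present = "TRUE"
ethernet2.present = "TRUE"
ethernet2.connectionType = "hostonly"
ethernet3.present = "FALSE"
ethernet3.connectionType = "bridged"
'''

_LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')
_NIC = re.compile(r'^ethernet(\d+)\.(present|connectiontype)$')

# Bridged puts the guest on the physical network; NAT lets it open connections to
# anything the host can reach. "custom" depends on the named virtual network.
REACH = {"bridged": "LAN", "nat": "LAN", "hostonly": "HOST", "custom": "UNKNOWN"}

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit_adapters(text):
    """Return {adapter index: (connection type, reach)} for enabled adapters."""
    nics = {}
    for key, value in parse_vmx(text).items():
        m = _NIC.match(key)
        if m:
            nics.setdefault(int(m.group(1)), {})[m.group(2)] = value.lower()
    report = {}
    for idx, cfg in sorted(nics.items()):
        if cfg.get("present") != "true":
            continue
        # Assumption: an adapter with no connectionType line is bridged.
        ctype = cfg.get("connectiontype", "bridged")
        report[idx] = (ctype, REACH.get(ctype, "UNKNOWN"))
    return report

if __name__ == "__main__":
    for idx, (ctype, reach) in audit_adapters(SAMPLE_VMX).items():
        print(f"ethernet{idx}: {ctype:<9} reach={reach}")
```

Any adapter reported with reach `LAN` or `UNKNOWN` means the precautions described above for the rest of the local network apply to that guest.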


Advanced malware might be able to detect that it is running in a virtual machine, and would then behave differently, making runtime analysis complicated. Our small tool VMDetectInfo demonstrates how many different criteria malware can use for this purpose.

Available Software

In alphabetical order. No recommendations are given, because the problems described above mean that more than one solution should be kept at hand.


Bochs

Bochs aims to emulate an x86 CPU, which makes it possible to port the emulation even to other hardware platforms. It is open source.


QEMU

QEMU is another solution that allows emulation of processor hardware, with more options than just the x86 CPU.

Virtual PC

Virtual PC is Microsoft's virtualization solution. It is available as a free download in Microsoft's download center.


VMware Workstation

VMware is probably one of the oldest commercial tools that allows you to use virtual machines, and it grows more powerful with every release. The standard single-user product is called VMware Workstation. It offers a GUI to set up virtual machines, and one of the most important features added in the last years is snapshots, which allow you to jump between various states of a machine without having .

VMware Player

VMware Player is the lite version of the product above, without the ability to create new virtual machines and without snapshots. It might still be a good start to look into, since it is available as a free download.


Wine

Wine is not an emulator, but a subsystem layer for Linux/Unix. It can be helpful in automated malware analysis solutions, but needs good knowledge of the system to be set up correctly for this purpose. Wine has currently reached the first state described as stable, its version 1.0.