Newer variants of the widespread Storm worm have introduced a new technique for evading security experts - detecting when they are running in a virtual environment and changing their behaviour if they are.
The innovation is an indication of how common virtualisation is becoming, and also shows how sophisticated the developers of malware such as Storm have become, according to Bojan Zdrnja, a handler with the Sans Institute's Internet Storm Center (ISC).
He said Storm is the most prevalent malware at the moment, using fake e-card emails that lead to a malicious website.
Zdrnja said the technique appears to be designed to set up roadblocks for security analysts, who normally use virtual machines to safely execute malicious code in order to analyse it. "The main reason their doing this is (presumably) to make analysis more difficult," Zdrnja said in a report on Thursday.
It means researchers have to either run the malware on a physical machine, modify the virtual environment to prevent detection or manually analyse the malware, Zdrnja said.
If Storm detects a virtual machine, it simply restarts the system without causing an infection.
Virtualisation allows several separate instances of an operating system to be run on a single hardware system. It has become popular in datacentres, largely through the efforts of VMware, and is becoming more widely used on the desktop, for instance with Parallels' virtualisation system for running Windows on Intel-based Macs.
Storm is designed to detect two virtual environments, VMware and Microsoft's Virtual PC, Zdrnja said. It detects VMware by looking for a particular number supported in VMware's I/O port - something that can be easily changed.
It detects VirtualPC by running illegal instruction opcodes, which generates errors only if the software is running on a physical system and not a virtual machine.
The technique is the latest sign of the new programming sophistication of malware writers, who are nowadays mainly working on a for-profit basis, according to security researchers. But the trick also means that the worm opts out of infecting virtual machines, Zdrnja noted.
"It will be interesting to see if malware authors will change this tactic in the future as the number of virtual machines will grow for sure," he said.