Via the Internet, individuals and organizations with malicious intent distribute software that damages computer systems and/or is used to steal the personal information of users (including individual users or entities such as companies). Such malicious software, or malware, often exploits code vulnerabilities and/or gets installed onto users' computer systems by tricking users into taking some action.
To protect against malware, contemporary anti-malware software uses a variety of mechanisms to catch and quarantine malware, including by looking for patterns in the malware, referred to as signatures. One way malware authors try to avoid anti-malware detection is by obfuscating the underlying code and/or making it somewhat polymorphic so that its signature and behavior are not readily detectable.
Malware may be detected by emulation, in which the code is run in an emulation environment to look for patterns of behavior and other actions that malware needs to perform in order to accomplish its purpose. One way in which malware has evolved to avoid detection by emulation is obfuscator packing with a virtualizer packer, which wraps the code in its own virtualization-based protection built on custom bytecodes (“virtual machine protection”). In general, the malware's original instruction code is translated to a custom “bytecode” language. The distributed malware also includes an emulator or interpreter that understands this bytecode and can emulate or interpret such instructions to achieve the same behavior as the original, native code would. One side-effect of virtualization is that the virtualized code uses significantly more instructions than native code to achieve any given task; e.g., a typical interpreter needs to execute hundreds of native instructions in order to interpret a single bytecode instruction. In addition, malware often uses redundant or useless instructions, both in the bytecode and in the interpreter itself, to further slow down its execution. Indeed, while emulating such virtualization-protected malware with existing emulation mechanisms is possible, the time it takes is typically too long to be feasible or acceptable on a customer's machine.
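As an added illustration of the overhead just described (constructed for this edit, not part of the original text): a toy stack-based virtualizer whose bytecode is XOR-encoded and whose interpreter must fetch, decode and dispatch every instruction, measured against the same computation done directly. Python line events via sys.settrace stand in for the native instruction count, and the instruction set, key, JUNK opcode and sample program are all invented for the example.

```python
import sys
# Constructed toy instruction set: (opcode, operand) pairs, XOR-encoded with KEY
# so the interpreter must "unpack" every instruction before dispatching on it.
PUSH, ADD, MUL, JUNK, HALT = range(5)
KEY = 0x5A
BINOPS = {ADD: lambda a, b: a + b, MUL: lambda a, b: a * b}

def encode(program):
    return [(op ^ KEY, arg ^ KEY) for op, arg in program]

def interpret(code):
    """Fetch/decode/dispatch loop of the toy virtualizer; returns top of stack."""
    stack, pc = [], 0
    while True:
        op, arg = code[pc]
        op, arg = op ^ KEY, arg ^ KEY          # undo the per-instruction encoding
        pc += 1
        if op == PUSH:
            stack.append(arg)
        elif op in BINOPS:
            b, a = stack.pop(), stack.pop()
            stack.append(BINOPS[op](a, b))
        elif op == JUNK:                       # redundant work with no net effect
            stack.append(arg)
            stack.pop()
        elif op == HALT:
            return stack[-1]

def count_lines(fn):
    """Run fn() under a line tracer; the line tally stands in for native instructions."""
    executed = 0
    def tracer(frame, event, arg):
        nonlocal executed
        executed += event == "line"
        return tracer
    previous = sys.gettrace()                  # restore any outer tracer afterwards
    sys.settrace(tracer)
    try:
        result = fn()
    finally:
        sys.settrace(previous)
    return result, executed

def compare(junk=0):
    """(native lines, virtualized lines, virtualized result) for (3+4)*5 with `junk` no-op instructions."""
    program = [(PUSH, 3), (PUSH, 4), (ADD, 0)] + [(JUNK, 9)] * junk + [(PUSH, 5), (MUL, 0), (HALT, 0)]
    native_lines = count_lines(lambda: (3 + 4) * 5)[1]
    vm_result, vm_lines = count_lines(lambda: interpret(encode(program)))
    return native_lines, vm_lines, vm_result
```

compare(0) shows the interpreted path executing tens of lines where the direct expression executes one; compare(10) shows that the JUNK instructions inflate the tally further while the result (35) is unchanged.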