Adaptive dynamic malware analysis environment

US2020394299A1 · US · A1

Patent metadata

Publication number: US-2020394299-A1
Application number: US-202016902345-A
Country: US
Kind code: A1
Filing date: Jun 16, 2020
Priority date: Jun 17, 2019
Publication date: Dec 17, 2020
Grant date: (none listed)

Abstract

Official abstract text for this publication.

A computer-implemented method of analyzing malware is provided. The method comprises creating a number of virtual machines that simulate environments and running a number of malware programs on the virtual machines. A hypervisor performs virtual machine introspection as the malware programs run on the virtual machines, wherein the virtual machines and malware programs are unaware the virtual machine introspection is being performed. Behavioral data about the malware programs is collected and presented to a user via an interface.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method of analyzing malware, the method comprising: creating, by a number of processors, a number of virtual machines that simulate a number of computing environments; running, by a number of processors, a number of malware programs on the virtual machines; performing, by a number of processors, virtual machine introspection using a hypervisor as the malware programs run on the virtual machines, wherein the virtual machines and malware programs are unaware the virtual machine introspection is being performed; collecting, by a number of processors, behavioral data about the malware programs; and presenting, by a number of processors, the collected behavioral data to a user via an interface.

2. The method of claim 1, wherein the virtual machine introspection further comprises tracking all memory mappings in the virtual machines including libraries, operating system code, and malware program code.

3. The method of claim 2, further comprising: periodically copying the memory mappings as binary; and loading the binary into an interactive disassembler.

4. The method of claim 3, further comprising creating multiple copies of the memory mappings to analyze a program state at different times during execution.

5. The method of claim 1, further comprising: altering the computing environments simulated by the virtual machines to provoke changes in execution states of the malware programs; and mapping execution behaviors of the malware programs to specific computing environments.

6. The method of claim 1, further comprising: extracting memory from a running process; reconstructing unpacked memory in a packer agnostic manner; and extracting and analyzing packed executable code.

7. The method of claim 1, further comprising: receiving malware surveys; falsely responding to the malware surveys; and measuring differences in malware execution produced by the false responses.

8. The method of claim 1, further comprising: executing a singleton algorithm for a number of different malware programs; and determining similarities in execution among the malware programs.

9. The method of claim 1, wherein the virtual machines emulate a host and network environment.

10. The method of claim 1, further comprising: visiting a number of websites with the virtual machines; and analyzing the websites for malicious activity.

11. The method of claim 1, further comprising visually representing relationships among different malware programs according to domain name system, similarity of execution, and similarity of static analysis.

12. A computer program product for analyzing malware, the computer program product comprising: a computer-readable storage medium having program instructions embodied thereon to perform the steps of: creating a number of virtual machines that simulate a number of computing environments; running a number of malware programs on the virtual machines; performing virtual machine introspection using a hypervisor as the malware programs run on the virtual machines, wherein the virtual machines and malware programs are unaware the virtual machine introspection is being performed; collecting behavioral data about the malware programs; and presenting the collected behavioral data to a user via an interface.

13. The computer program product of claim 12, wherein the virtual machine introspection further comprises tracking all memory mappings in the virtual machines including libraries, operating system code, and malware program code.

14. The computer program product of claim 13, further comprising instructions for: periodically copying the memory mappings as binary; and loading the binary into an interactive disassembler.

15. The computer program product of claim 14, further comprising instructions for creating multiple copies of the memory mappings to analyze a program state at different times during execution.

16. The computer program product of claim 12, further comprising instructions for: altering the computing environments simulated by the virtual machines to provoke changes in execution states of the malware programs; and mapping execution behaviors of the malware programs to specific computing environments.

17. The computer program product of claim 12, further comprising instructions for: extracting memory from a running process; reconstructing unpacked memory in a packer agnostic manner; and extracting and analyzing packed executable code.

18. The computer program product of claim 12, further comprising instructions for: receiving malware surveys; falsely responding to malware surveys; and measuring differences in malware execution produced by the false responses.

19. The computer program product of claim 12, further comprising instructions for: executing a singleton algorithm for a number of different malware programs; and determining similarities in execution among the malware programs.

20. The computer program product of claim 12, wherein the virtual machines emulate a host and network environment.

21. The computer program product of claim 12, further comprising instructions for: visiting a number of websites with the virtual machines; and analyzing the websites for malicious activity.

22. The computer program product of claim 12, further comprising instructions for visually representing relationships among different malware programs according to domain name system, similarity of execution, and similarity of static analysis.

23. A system for analyzing malware, the system comprising: a bus system; a storage device connected to the bus system, wherein the storage device stores program instructions; and a number of processors connected to the bus system, wherein the number of processors execute the program instructions to: create a number of virtual machines that simulate a number of computing environments; run a number of malware programs on the virtual machines; perform virtual machine introspection using a hypervisor as the malware programs run on the virtual machines, wherein the virtual machines and malware programs are unaware the virtual machine introspection is being performed; collect behavioral data about the malware programs; and present the collected behavioral data to a user via an interface.

24. The system of claim 23, wherein the virtual machine introspection further comprises tracking all memory mappings in the virtual machines including libraries, operating system code, and malware program code.

25. The system of claim 24, wherein the number of processors further execute instructions to: periodically copy the memory mappings as binary; and load the binary into an interactive disassembler.

26. The system of claim 25, wherein the number of processors further execute instructions to create multiple copies of the memory mappings to analyze a program state at different times during execution.

27. The system of claim 23, wherein the number of processors further execute instructions to: alter the computing environments simulated by the virtual machines to provoke changes in execution states of the malware programs; and map execution behaviors of the malware programs to specific computing environments.

28. The system o

Assignees

Nat Tech & Eng Solutions Sandia Llc

Inventors

Classifications

  • G06F21/566 (primary): Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title

  • Hypervisor-specific management and integration aspects · CPC title

  • Monitoring or debugging support · CPC title

  • Authenticating web pages, e.g. with suspicious links · CPC title

  • Test or assess software · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Who is the assignee on this patent?
Nat Tech & Eng Solutions Sandia Llc
What technology area does this patent fall under?
Primary CPC classification G06F21/566. Mapped technology areas include Physics.
When was this patent published?
Publication date Dec 17, 2020 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).