by Thrillington 3319 days ago
They're more analysis defeaters than killswitches. Some testbeds will respond to all DNS lookups as valid. If this is the case the binary assumes it's in a testbed and exits to avoid analysis.
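From the analyst's side, the behaviour described above (a lookup for a name that should not exist gets answered, and the process exits right after) is itself a signal that a "resolve everything" testbed was fingerprinted. The heuristic below is an added example, not code from the thread; the log format, sample ids and domain names are constructed, and the entropy threshold is an assumed stand-in for "this name is probably not registered".

```python
"""Heuristic over constructed sandbox logs: flag samples whose lookup for a
random-looking domain was answered positively and that exited within a few
seconds of the answer. Log layout is invented for this example."""
import math
from collections import Counter

# Constructed sample log: (seconds since start, sample_id, event, detail)
SAMPLE_LOG = [
    (0.0, "sampleA", "dns_query", "qz8k2vwl1pmx.com"),
    (0.1, "sampleA", "dns_answer", "qz8k2vwl1pmx.com=10.0.0.5"),
    (0.4, "sampleA", "proc_exit", "0"),
    (0.0, "sampleB", "dns_query", "update.example.com"),
    (0.1, "sampleB", "dns_answer", "update.example.com=10.0.0.5"),
    (45.0, "sampleB", "proc_exit", "0"),
    (0.0, "sampleC", "dns_query", "hq7dn3rpf0xl.net"),
    (0.1, "sampleC", "dns_answer", "NXDOMAIN"),
    (30.0, "sampleC", "proc_exit", "1"),
]

def entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(domain: str, threshold: float = 3.2) -> bool:
    """True when the leftmost label is long and high-entropy; a crude
    (assumed) proxy for 'this domain is unlikely to be registered'."""
    label = domain.split(".")[0]
    return len(label) >= 10 and entropy(label) >= threshold

def flag_resolve_all_probes(log, exit_window: float = 5.0):
    """Return sample ids whose random-looking lookup received a positive
    answer and whose process exited within exit_window seconds of it.
    A sandbox that answered NXDOMAIN (sampleC) is not flagged, and neither
    is a sample that kept running after a plausible lookup (sampleB)."""
    answered_at = {}
    flagged = []
    for t, sid, event, detail in log:
        if event == "dns_answer" and detail != "NXDOMAIN":
            name = detail.split("=")[0]
            if looks_random(name):
                answered_at[sid] = t
        elif event == "proc_exit" and sid in answered_at:
            if t - answered_at[sid] <= exit_window:
                flagged.append(sid)
    return flagged
```

Hits from this heuristic are a prompt to rerun the sample with a resolver that returns NXDOMAIN for unknown names, which removes the tell the first comment describes.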

Which makes me think there might be utility in always running Windows (or other OSes) in a VM. If the malware assumes VMs are bad and self-exits in response, then it should be safer to run everything in a VM. A side benefit would be you can perform snapshot backups and easily migrate your main environment to new hardware.
You might wanna take a look at Qubes OS, which tries to provide such a workflow in a nicely packaged distribution: https://www.qubes-os.org/
I understand that it serves to defeat analysis, but... it sounds like it could be trivially circumvented. Why bother in the first place?