Future Malware Directions

Malware is often environmentally sensitive. It doesn’t want to run in a sandbox; it wants full access to the Internet. Researchers use a sandbox so they don’t contaminate their own systems or find themselves part of a malicious botnet, but malware authors would (of course) rather be on the Internet to accomplish their tasks.

Malware authors build in checks that look for things like missing Internet access, virtual hardware, virtual machines, or any other warning sign that the malware is running on a system designed to analyze it. The malware would rather not be on a virtual couch talking to Dr. Freud, so it either refuses to run or obfuscates its true intentions.

This assumes that all virtual machines are the tools of malware analysts. In the future, we think malware authors will realize they’re leaving out a potentially large group of systems they could be using, and will drop that assumption from their code.

What other assumptions does malware make that will change?