Tuesday, November 28, 2006

VM security - new threats on the horizon...

Here's a VERY interesting read from the legendary Ed Skoudis and Tom Liston, about some recent observations in attack code. Basically, code is surfacing that detects whether the machine is 'real' or virtual. The authors offer an explanation to the effect of "attackers perceive that a lot of honeypots are running as VMs, therefore their code doesn't execute on VMs in an effort to avoid detection".

Of course, VMware marketing are already trying to put a "VMs are more secure than physical boxes" spin on it, but really they are doing themselves more harm than good... I can only assume they didn't see the last few slides that demonstrate the isolation of VMs is somewhat questionable (I'm sure you'll agree when you see them). VM isolation is something VMware has aggressively defended in the past... I remember a whitepaper they released not so long ago in response to someone who was questioning storage isolation. That person clearly had no idea how VMware actually works, unlike Liston & Skoudis.