Help Net Security – (International) Shylock’s new trick for evading malware researchers.

The Shylock financial malware platform continues to evolve in order to bypass new defensive technologies put in place by financial institutions and enterprises. While analyzing a recent Shylock dropper, Trusteer noticed a new trick it uses to evade detection: it can identify and avoid remote desktop environments, a setup commonly used by researchers when analyzing malware. The latest Shylock dropper detects a remote desktop environment by feeding invalid data into a certain routine and then observing the error code returned. It uses this return code to differentiate between normal desktops and other “lab” environments. In particular, when executed from a remote desktop session the return code will be different and Shylock will not install. It is possible to use this method to identify other known or proprietary virtual/sandbox environments as well.
Ali Loney, on November 30, 2012