Although they did not disclose any specific details about how this so-called detection actually works, we were able to inspect it a bit further. It simply scans the version resources of the currently running processes and looks for specific patterns, for instance inside the "CompanyName" field, such as: vmware, sandbox, virtualbox, geswall, bufferzone and safespace. Nevertheless, here comes the tricky part. When a virtualized environment is detected, Citadel, unlike many other Trojans that simply stop working, continues to operate but behaves in a different manner. It generates a unique, machine-dependent and obviously fake domain name and tries (unsuccessfully) to connect to that server, leading the analyst to believe that the bot is dead and its command and control server is offline, while the real C&C domain is kept hidden.
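To make the behaviour concrete, here is an added Python model of the logic described above. It is not Citadel's code and not S21sec's: it only reproduces the two observable steps, a case-insensitive substring scan of process version-resource strings for the listed patterns, and the switch to a machine-dependent decoy domain when a match is found. The process table is constructed (on a real Windows host the strings would come from each image's VS_VERSIONINFO block, e.g. via pywin32's GetFileVersionInfo), the assumption that the scan is case-insensitive and covers more than one string field is ours, and the hash-based decoy-domain derivation is an illustration since the post does not disclose the real algorithm.

```python
import hashlib

# Patterns the post reports Citadel looks for in process version resources.
ANTI_VM_PATTERNS = (
    "vmware",
    "sandbox",
    "virtualbox",
    "geswall",
    "bufferzone",
    "safespace",
)

# Constructed sample process table (image name -> version-resource strings).
# Values are illustrative, not captured from a real host. VBoxTray.exe is
# listed with an "Oracle" CompanyName on purpose: a scan that only looked at
# CompanyName would miss it, so the scan below covers every string field.
SAMPLE_PROCESSES = [
    ("explorer.exe", {"CompanyName": "Microsoft Corporation", "ProductName": "Microsoft Windows"}),
    ("vmtoolsd.exe", {"CompanyName": "VMware, Inc.", "ProductName": "VMware Tools"}),
    ("VBoxTray.exe", {"CompanyName": "Oracle Corporation", "ProductName": "Oracle VM VirtualBox Guest Additions"}),
    ("SbieSvc.exe", {"CompanyName": "Sandboxie Holdings, LLC", "ProductName": "Sandboxie"}),
    ("notepad.exe", {"CompanyName": "Microsoft Corporation", "ProductName": "Microsoft Windows"}),
]

# Constructed table for a host with no analysis tooling visible.
CLEAN_PROCESSES = [
    ("explorer.exe", {"CompanyName": "Microsoft Corporation", "ProductName": "Microsoft Windows"}),
    ("svchost.exe", {"CompanyName": "Microsoft Corporation", "ProductName": "Microsoft Windows"}),
]


def matched_patterns(processes):
    """Return [(image, (pattern, ...)), ...] for every process whose
    version-resource strings contain at least one anti-VM pattern.
    Case-insensitive substring matching is an assumption."""
    hits = []
    for image, fields in processes:
        haystack = " ".join(str(v) for v in fields.values()).lower()
        found = tuple(sorted(p for p in ANTI_VM_PATTERNS if p in haystack))
        if found:
            hits.append((image, found))
    return hits


def environment_is_virtual(processes):
    """True when the scan above finds any pattern (Citadel's trigger)."""
    return bool(matched_patterns(processes))


def decoy_domain(machine_id, tld="com"):
    """Derive a deterministic, per-machine, bogus domain.

    Assumption: the post only says the decoy is unique per machine; the real
    derivation is undisclosed, so SHA-256 of a machine identifier is used here
    purely to illustrate the "unique but fake" property."""
    digest = hashlib.sha256(machine_id.encode("utf-8")).hexdigest()
    return f"{digest[:16]}.{tld}"


def pick_c2(processes, machine_id, real_c2):
    """Which host the bot would try to contact: the decoy when analysis
    tooling is detected, the real C&C otherwise."""
    if environment_is_virtual(processes):
        return decoy_domain(machine_id)
    return real_c2


if __name__ == "__main__":
    print("hits:", matched_patterns(SAMPLE_PROCESSES))
    print("sandboxed host ->", pick_c2(SAMPLE_PROCESSES, "machine-guid-1", "real-c2.invalid"))
    print("clean host     ->", pick_c2(CLEAN_PROCESSES, "machine-guid-1", "real-c2.invalid"))
```

The practical consequence for an analyst follows directly from the model: a sample that resolves and fails on a single odd-looking domain in a VM is not necessarily dead, and rerunning it with the version-resource strings of the analysis tooling altered (or on bare metal) is what reveals the real C&C.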


via S21sec Security Blog: Citadel Updates: Anti-VM and Encryption change.

2 comments so far

  1. Good post. I’m experiencing some of these issues as well..

  2. Hurrah! In the end I got a blog from where I am able
    to genuinely take useful facts regarding my study and knowledge.