2012
07.02

[..]

Although they did not disclose any specific details about how the so called detection actually works, we could inspect it a bit further. It simply scans through the resources of the currently running processes and looks for specific patterns for instance inside the “CompanyName” field, such like:vmwaresandboxvirtualboxgeswallbufferzonesafespaceNevertheless, the tricky part comes here. When a virtualized environment detected, unlike many other Trojans that stop to work, Citadel will continue to operate, but behaves in a different manner. It will generate a unique-machine dependent domain name obviously fake and tries to connect to this server unsuccessfully, making it to believe that the bot is dead and its command and control server is offline, meanwhile the real C&C domain is kept hidden.

[..]

via S21sec Security Blog: Citadel Updates: Anti-VM and Encryption change.