The Latest in IT Security

A ZeuS variant that asks: No sound? No way.

16 Aug 2012

We rely on a good amount of automation and virtualization in our battle against malware. Our opponents, the malware authors, know this, and they frequently employ new tactics to avoid being processed by our back-end systems.

One particularly prevalent threat is a “banking trojan” called ZeuS. In the past, we’ve written about a ZeuS variant that might not infect slow computers as a result of aggressive anti-debugging techniques.

Well, today we analyzed a recent ZeuS variant and discovered that it checks whether its environment is "normal" by looking for the presence of an audio device in the Windows Registry.

[Screenshot: ZeuS audio_check]

The entry checked is:

  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SW\{96E080C7-143C-11D1-B40F-00A0C9223196}

If that key isn't found, the sample crashes itself with a stack overflow by recursing without bound. It most likely does this as an anti-virtualization measure: it fails to run in some standard configurations of VMware, where the key is absent. We (and most likely other AV vendors) don't use off-the-shelf virtualization software in our automation, so our back end still processes it. But the check could frustrate more hands-on analysts, such as those who work in bank security and run samples in a stock VM.
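The check described above, modelled as an added example (this is not the sample's code; the registry path is the one quoted in this post, while the function names and the stub lookups in the test are my own). On Windows the probe reads the real key through winreg; elsewhere the lookup is injected, so the decision logic and the crash path can be exercised offline:

```python
"""Model of a registry-presence environment check with a
recursion-crash fallback, as seen in the ZeuS variant above.

Added example, not the malware's code. The key path is the one from
the post; every function name here is an assumption of this example.
"""

# Subkey under HKEY_LOCAL_MACHINE that the sample looks for.
AUDIO_SW_KEY = (
    r"SYSTEM\CurrentControlSet\Enum\SW"
    r"\{96E080C7-143C-11D1-B40F-00A0C9223196}"
)


def registry_key_exists(subkey):
    """Return True/False if HKLM\\<subkey> exists, or None when the
    probe cannot run (non-Windows host, no winreg module)."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0,
                            winreg.KEY_READ):
            return True
    except FileNotFoundError:
        return False


def environment_looks_normal(key_exists=registry_key_exists):
    """The sample's decision: the box is 'normal' only if the key exists.
    An unrunnable probe (None) counts as 'not normal', like a missing key."""
    return bool(key_exists(AUDIO_SW_KEY))


def evasion_crash():
    """What the sample does on a 'bad' box: unbounded recursion. In the
    native binary this exhausts the stack and the process dies; here the
    interpreter raises RecursionError instead of overflowing."""
    return evasion_crash()


def run_sample(key_exists=registry_key_exists):
    """Return 'payload' when the check passes; otherwise crash like the sample."""
    if not environment_looks_normal(key_exists):
        evasion_crash()
    return "payload"


def observe(key_exists=registry_key_exists):
    """Run the modelled sample and report how it ended, for an analyst
    comparing an analysis VM against a physical host."""
    try:
        return run_sample(key_exists)
    except RecursionError:
        return "crashed"


if __name__ == "__main__":
    # Live probe: on a Windows analysis VM this tells you whether the
    # sample would run or die before doing anything.
    print("key present:", registry_key_exists(AUDIO_SW_KEY))
    print("sample outcome:", observe())
```

Running the live probe on a stock VM and on a physical host shows directly whether the VM would pass; since the decision depends only on the key's presence, that comparison is the whole story for this particular check.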

Here’s the variant’s SHA1: 73a7c4af7f0d9bc28e1a9f9c293009515dbb65ad

Analysis by — Marko and Mikko S.
