One of our analysts has discovered something interesting while debugging the latest version of Flashback, a Mac trojan that attempts to trick people into believing it’s an Adobe Flash Player update.
Flashback.B performs a “vmcheck”. If virtualization is detected, the trojan aborts itself.
Apple started allowing users to run two additional instances of virtualized OS X with the release of Lion.
VMware-aware malware (say that ten times fast!) is a common anti-research technique used within the Windows ecosystem, but not yet so in Mac’s. It appears that Mac malware authors are anticipating that researchers will begin to use virtualized environments during analysis, and are taking steps to hamper such efforts.
Threat Solutions post by — Brod
Leave a reply