We all know hackers are smart. How else could they manage to code all those viruses, Trojans, and exploit kits that have been giving security experts so much hell over the past few decades?
More proof that they're smarter than the "good" guys and always several steps ahead is this recent update that they made on the Citadel Trojan. Experts from S21sec noticed that malware authors have tweaked the Trojan's code to include a mechanism that detects if it's being executed in a sandbox or virtual machine.
These are what security researchers normally use when they study viruses or pick apart Trojans and other malware. The anti-emulator function serves to "protect" the botnets from people who want to reverse engineer the code.
When the malware is executed, it first checks to see if it's being run in applications like VMware, Virtualbox, or CWSandbox. If the check is positive, the Trojan keeps on running--but does so in a stealthier manner.
The Trojan creates a fake domain name and attempts to connect to it. This strategy should fool the researchers into believing that the command and control server cannot be reached and that the bot is dead. By closing all the processes related to VMware, such as vmwareuser.exe and vmwaretray.exe, experts forced the malware to begin working normally and connect to the real C&C server.
-- Eduard Kovacs, Softpedia security researcher
This poses an added challenge for security firms and researchers, who might actually end up with their own machines infected in the process of studying these annoying bugs.
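As an added example (not code from the article or from S21sec), here is a small differential-detonation check in the spirit of what the researchers did: run the sample once with the VMware helper processes visible and once with them terminated, then compare which domains it tried to reach. The event records and domain names are constructed placeholders.

```python
"""Differential detonation check for environment-aware malware.
If a sample reaches different infrastructure once the VM helper processes
are gone, it is likely changing its behaviour based on what it can see."""

# Process names the article says the analysts had to close; extend as needed.
VM_ARTIFACT_PROCESSES = {"vmwareuser.exe", "vmwaretray.exe"}

def vm_artifacts_seen(events):
    """Return the VM-artifact process names visible in a run's event list."""
    return {v.lower() for kind, v in events
            if kind == "process" and v.lower() in VM_ARTIFACT_PROCESSES}

def domains_contacted(events):
    """Map each domain the sample queried to whether a connection succeeded."""
    attempted = {}
    for kind, value in events:
        if kind == "dns_query":
            attempted.setdefault(value.lower(), False)
        elif kind == "connect_ok":
            attempted[value.lower()] = True
    return attempted

def assess(run_visible, run_hidden):
    """Flag the sample as environment-aware when the C&C it reaches differs
    once the VM artifacts are hidden from it."""
    if not vm_artifacts_seen(run_visible):
        raise ValueError("control run must show the VM artifact processes")
    if vm_artifacts_seen(run_hidden):
        raise ValueError("artifact processes still visible in the hidden run")
    visible = domains_contacted(run_visible)
    hidden = domains_contacted(run_hidden)
    # Decoy: queried only while artifacts were visible and never reachable.
    decoys = {d for d, ok in visible.items() if not ok and d not in hidden}
    # Real C&C: reached only once the artifacts were gone.
    real = {d for d, ok in hidden.items() if ok and d not in visible}
    return {"environment_aware": bool(decoys and real),
            "decoy_domains": sorted(decoys), "real_c2_domains": sorted(real)}

# Constructed telemetry (placeholder domains, not real indicators): run 1 with
# the VMware helper processes running, run 2 after they were terminated.
RUN_WITH_ARTIFACTS = [("process", "VMwareUser.exe"), ("process", "vmwaretray.exe"),
                      ("dns_query", "decoy-example.invalid")]
RUN_ARTIFACTS_HIDDEN = [("process", "explorer.exe"),
                        ("dns_query", "c2-example.invalid"),
                        ("connect_ok", "c2-example.invalid")]

if __name__ == "__main__":
    print(assess(RUN_WITH_ARTIFACTS, RUN_ARTIFACTS_HIDDEN))
```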
The change in the RC4 algorithm also affects how the Trojan communicates with its control panel, since the same algorithm is used to encrypt network traffic. Therefore the new control panel won't be able to handle connections coming from older versions of the bot.
-- Mikel Gastesi and Jozsef Gegeny, researchers at S21sec