Most malware uses anti-debugging techniques to avoid detection or
make analysis harder. One example of this is by using the api
IsDebuggerPresent. This Api seems to be the favorite choice of
malwares other than SEH.
But I just found out a new anti-debugging technique (at least new
in my book, as Im still beginning at the AV business… :p)
VMWare, a popular multi-function virtualizer for Windows and Linux
is one of the tools used in this kind of business. Sadly enough,
with just a few code, a malware can Identify if it is running on a
VMWARE machine and not on the actual environment.
The malware can just check this registry,
HKEY_LOCAL_MACHINESOFTWAREVMware, Inc.Vmware Tools
If existing, the malware automatically creates a batch file to
delete itself leaving no trace of it ever running. So for the
Service Team, don’t always trust your vmware results.
Or you can also just rename the registry to say
HKEY_LOCAL_MACHINESOFTWAREVMware, Inc.Vmware Tools1
After renaming this registry, I tested again the malware and it was
now executing like it would on a normal environment.
The malware that Im talking about here has already been passed to
the service team and word is, it would be detected as
WORM_SDBOT.COQ.
