Chinese VM Detection, With a Splash of Adware


Here's a nice find - a file that checks for Microsoft Virtual PC by means of a Registry check. If a Virtual Machine is detected, the install comes to a halt. If you're on a real computer, however, you'll find numerous files downloaded and installed onto your PC. Along with the usual Trojans, there's something called CPush:

(Screenshot: vmdetect4.jpg)

This is a Browser Helper Object related to Sogou, also from China:

(Screenshot: http://blog.spywareguide.com/upload/2007/04/vmdetect7-thumb.jpg)

There are numerous other websites mentioned in the files, install logs and executables - as usual, they range from blank pages to game websites:

(Screenshot: http://blog.spywareguide.com/upload/2007/04/vmdetect8-thumb.jpg)

Finally, some of the files make reference to a well-known IRC server used for Botnet activity. We didn't see any live Botnet action while testing the files, but there's nothing to say they couldn't install additional Bot components sometime after the initial hijack. We did find a login page on one of the related sites, but that proves nothing - it could just as easily be an admin panel as a Command and Control center:

(Screenshot: http://blog.spywareguide.com/upload/2007/04/vmdetect6-thumb.jpg)

What's interesting here is that it seems to share some similarities with this Worm. Both seem to have emerged at the same time - I'd love to know which one came first, though I'd prefer it if neither had emerged at all...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: FSL Threat Research Team, WV


About this Entry

This page contains a single entry by Christopher Boyd published on April 13, 2007 7:41 AM.
