Help Net Security – (International) Shylock's new trick for evading malware researchers. The Shylock financial malware platform continues to evolve to bypass new defensive technologies put in place by financial institutions and enterprises. While analyzing a recent Shylock dropper, Trusteer noticed a new trick it uses to evade detection. Namely, it can identify and avoid remote desktop environments – a setup commonly used by researchers when analyzing malware.
The latest Shylock dropper detects a remote desktop environment by feeding invalid data into a certain Windows routine and then observing the error code returned. It uses this return code to differentiate between normal desktops and other "lab" environments: when executed from a remote desktop session, the return code is different, and Shylock does not install. The same method can be used to identify other known or proprietary virtual/sandbox environments, and the report does not name the routine, so analysts should assume any RDP-specific behaviour in the analysis VM may be observable and run samples from the hypervisor's console rather than over Remote Desktop.
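As an added example (not Shylock's own routine, which the report does not identify), the following PowerShell script lets an analyst see the well-documented signals that a process running inside an RDP session exposes on Windows, so the analysis VM can be checked before a sample is detonated. It assumes a Windows 8/Server 2012 or newer host, where Get-NetTCPConnection is available; the function name Get-RemoteSessionSignals is chosen here for illustration.

```powershell
# Added example: enumerate documented markers that the current process runs
# inside a Remote Desktop session. This is not Shylock's detection routine;
# it shows the kind of signal an RDP-aware dropper can observe.
Add-Type -AssemblyName System.Windows.Forms

function Get-RemoteSessionSignals {
    # .NET wrapper around GetSystemMetrics(SM_REMOTESESSION): $true when the
    # calling process is attached to a Terminal Services / RDP session.
    $tsSession = [System.Windows.Forms.SystemInformation]::TerminalServerSession

    # Logon session name set by Windows: "Console" for a local interactive
    # logon, "RDP-Tcp#<n>" for an RDP session; may be absent for services.
    $sessionName = $env:SESSIONNAME

    # Session id of this process; session 0 is reserved for services.
    $sessionId = (Get-Process -Id $PID).SessionId

    # A listener on 3389 only shows RDP is enabled on the host, not that the
    # current session is remote; included because naive checks stop here.
    $rdpListening = $null -ne (Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        TerminalServerSession = $tsSession
        SessionName           = $sessionName
        SessionId             = $sessionId
        RdpListening          = $rdpListening
        # Either signal is enough for a dropper to conclude "remote session".
        LooksRemote           = ($tsSession -or ($sessionName -like 'RDP-*'))
    }
}

Get-RemoteSessionSignals | Format-List
```

If LooksRemote is $true on the analysis VM, a sample using an RDP check of this kind will behave differently from a victim desktop; rerunning the sample from the hypervisor console (or an agent started outside the RDP session) removes that signal without changing anything else about the environment.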