The virus's authors have implemented a feature that detects virtual environments.
A new version of the Citadel Trojan has appeared on the internet that is able to detect the presence of virtual environments on the infected system. This was reported by experts at the antivirus company S21sec.
According to the researchers, the authors optimized a number of the virus's functions and added a few new ones. Among other things, the Trojan received an improved encryption algorithm that allows it to encrypt all network traffic during the session.
S21sec also noted that the most important changes in the Trojan were described by its authors on one of the underground forums before reaching the public domain. "Added an anti-emulator, which allows you to protect your botnet from reversing and from getting into trackers," the virus writers' message says.
According to the experts, when infecting a system the Trojan checks the computer for running processes that belong to virtual environments such as VMware, VirtualBox, or CWSandbox. If it determines that the system is running in a sandbox, the Trojan creates a false domain and tries to contact it, imitating a disabled server. If this check succeeds, Citadel binds to this remote server.