Malware Lab’s researcher Maciej Kotowicz has made an intriguing discovery that makes the Trickbot banking trojan even more of a threat. The most recent strain of the malware he looked at is sporting a new feature that allows the code to check the resolution of the screen on the machine it’s running on.
If it finds the resolution to be either 800 x 600 or 1024 x 768, both of which are commonly used on the virtual machines that examine such code, the process will terminate.
This is both good news and bad. On the one hand, since most virtual machines run those resolutions, the check makes detecting Trickbot a much more difficult proposition. Given that, it’s a safe bet that other forms of malware will soon be utilizing the technique to help them evade detection.
On the other hand, it does mean that if your monitor is configured to use either of those resolutions, you’re essentially immune to the malware, because it will assume you are a virtual machine and leave you alone. Unfortunately, those are relatively poor resolution choices, and almost every modern PC is capable of running much higher (and more useful) resolutions, making it very much a two-edged sword.
This is definitely something you want to make sure your IT staff is aware of, so they can adjust their detection strategies when searching for or investigating malware strains.
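One way for an analysis team to act on this, as an added example (not code from the researcher or from this article): audit an inventory of sandbox guests and flag any whose display is set to one of the two resolutions named above, since a sample carrying this check will exit on them before showing any behavior. The inventory format and guest names are constructed for illustration.

```python
import re

# The two display resolutions the article says this Trickbot strain treats as a VM.
FLAGGED = {(800, 600), (1024, 768)}

# Accepts "1024x768", "1024 x 768", "1024×768", "1024,768,32", "800X600@60".
_RES = re.compile(r"(\d{3,5})\s*[xX×,]\s*(\d{3,5})")


def parse_resolution(text):
    """Return (width, height) from a free-form resolution string, or None."""
    m = _RES.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit_guests(inventory):
    """Split guests into those that would trip the check, those that would not,
    and those whose resolution could not be read (these need a manual look)."""
    report = {"flagged": [], "ok": [], "unknown": []}
    for line in inventory.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, raw = line.partition(":")
        res = parse_resolution(raw)
        if res is None:
            report["unknown"].append(name.strip())
        elif res in FLAGGED:
            report["flagged"].append(name.strip())
        else:
            report["ok"].append(name.strip())
    return report


# Constructed sample inventory (hypothetical guest names, "name: resolution").
SAMPLE = """
# analysis guests
win7-sbx-01: 1024x768
win10-sbx-02: 1920 x 1080
win10-sbx-03: 800,600,32
win10-sbx-04: 1024×768 @ 60Hz
win10-sbx-05: auto
"""

if __name__ == "__main__":
    for status, names in audit_guests(SAMPLE).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Guests reported as flagged should be reconfigured to a resolution a real workstation would use before samples are run on them.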
While it’s unlikely that any company would opt to set screen resolutions enterprise-wide to one of those two values, in certain specific instances it may be a viable mitigation strategy. Even if not, this most recent discovery provides a valuable glimpse into the mindset and lines of thinking employed by hackers around the world. Stay vigilant. It’s dangerous out there.