One of our analysts has discovered something interesting while debugging the latest version of Flashback, a Mac trojan that attempts to trick people into believing it's an Adobe Flash Player update.

While comparing the differences between Flashback.A and Flashback.B, he saw this routine:



Flashback.B performs a "vmcheck". If virtualization is detected, the trojan aborts itself.

Apple started allowing users to run two additional instances of virtualized OS X with the release of Lion.

VMware-aware malware (say that ten times fast!) is a common anti-research technique used within the Windows ecosystem, but not yet so in Mac's. It appears that Mac malware authors are anticipating that researchers will begin to use virtualized environments during analysis, and are taking steps to hamper such efforts.

Threat Solutions post by — Brod