Generally, most malware is completely unoriginal. The vast majority of the malware that we see does the same things over and over and over again. But occasionally, something comes through the lab that does something novel and almost interesting. We recently came across a sample that was inspecting the local system for the presence of Parallels guest tools.
Parallels is a company that produces virtualization software that lets Apple OS X users run another operating system inside a virtual machine. For the average user, that means running Windows from within OS X. Now, there are lots of emulation and virtual machine checks out there, so a VM check by itself is nothing new. What made this one interesting was that it was looking specifically for Parallels guest OS components: it checks whether it is running inside a Parallels guest, and nothing else. But why only check for Parallels? Why not VMware or some other more common virtualization, emulator or sandbox technology? Hmmmmm. Could this malware harbor an exploit or some other sinister piece of code that targets Parallels virtual machines???
Since the system that auto-analyzed this piece of malware didn’t have those components installed, and thus didn’t show us what the malware would do if it were running in Parallels, I figured I’d take some time to statically analyze it (to see what it would do if it found the Parallels tools it was looking for). After working my way through the disassembly (to the point where the malware checks for the presence of Parallels),
it turns out that once this malware detects certain Parallels components…….
It just exits….
It just bails….
So…. Why check for… Parallels at all?
I just wasted my time checking to see if this did something unusually nefarious and all it does is exit….?!?!? What the heck was the malware author thinking? Does (s)he have a soft spot for Parallels users? What?! Why?!… Arrgghhh
Stupid Malware Author!!!
Just when I didn’t think malware could possibly annoy me any more than it already does…….
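For readers who want to see what a check like the one described above looks like in code, here is an added example of a Parallels guest-tools check that bails as soon as it finds an artifact. This is not the sample’s code, and the post does not say which Parallels components the sample actually tested; the indicator set below (the Parallels Tools process names and the hypervisor vendor string Parallels returns in CPUID leaf 0x40000000) is my assumption of a plausible list, taken from commonly documented VM-detection artifacts. The function names and the constructed inputs are mine as well.

```python
import os
import subprocess
import sys

# Windows-guest process names installed with Parallels Tools. The write-up does
# not say which artifacts the analysed sample tested; this set is my assumption
# of a plausible indicator list (example code, not the sample's).
PARALLELS_PROCESSES = {"prl_cc.exe", "prl_tools.exe"}

# Vendor string Parallels returns in CPUID leaf 0x40000000 (EBX:ECX:EDX), as
# documented by sandbox-detection tools. It is padded with spaces in the raw
# 12-byte register output, so the trimmed form is compared.
PARALLELS_CPUID_VENDOR = "prl hyperv"


def running_process_names():
    """Return the lowercase image names of processes running on this host."""
    if os.name == "nt":
        out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                             capture_output=True, text=True, check=False).stdout
        # Each CSV row begins with the quoted image name.
        return {line.split('","')[0].strip('"').lower()
                for line in out.splitlines() if line.startswith('"')}
    out = subprocess.run(["ps", "-eo", "comm="],
                         capture_output=True, text=True, check=False).stdout
    return {line.strip().lower() for line in out.splitlines() if line.strip()}


def parallels_indicators(process_names, cpuid_vendor=None):
    """Return the Parallels artifacts found among the supplied observations.

    process_names: iterable of process image names (any case).
    cpuid_vendor:  the hypervisor vendor string read from CPUID leaf
                   0x40000000, or None if it was not collected.
    """
    found = []
    names = {n.lower() for n in process_names}
    for proc in sorted(PARALLELS_PROCESSES & names):
        found.append("process " + proc)
    if cpuid_vendor is not None and cpuid_vendor.strip() == PARALLELS_CPUID_VENDOR:
        found.append("cpuid vendor '%s'" % PARALLELS_CPUID_VENDOR)
    return found


def should_bail(process_names, cpuid_vendor=None):
    """The decision the post describes: any Parallels artifact means exit."""
    return bool(parallels_indicators(process_names, cpuid_vendor))


if __name__ == "__main__":
    # Live check on the current host. CPUID is not read here (that needs
    # native code), so only the process list is consulted.
    hits = parallels_indicators(running_process_names())
    if hits:
        print("Parallels detected (%s); exiting like the sample did." % ", ".join(hits))
        sys.exit(0)
    print("No Parallels artifacts found; a sample like this would continue.")
```

Run it inside a Parallels Windows guest with Parallels Tools installed and it exits immediately; anywhere else it reports nothing found and carries on, which is exactly the behaviour the disassembly showed. Keeping the decision in a pure function over the observed names and vendor string, rather than buried in the process enumeration, is also what lets a sandbox operator test the logic offline with constructed inputs.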