How a lower screen resolution or cheap monitors can save you from a new virus if your antivirus can’t

The developers of the popular TrickBot Trojan have added a dangerous new feature. According to experts in secure data erasure, this malware can now check the resolution of the victim's screen to detect whether it is running on a virtual machine. Scanning in virtual machines is a very common technique for preventing cyberattacks.

Malware developers employ multiple techniques to detect whether malware is running on a virtual machine. If it is, the malware is likely being analyzed by a researcher or run in isolation in a custom sandbox environment. These techniques include searching for characteristic processes, Windows services, or machine names, as well as checking network card MAC addresses or CPU features.

As reported by MalwareLab researcher Maciej Kotowicz, TrickBot analyzes the screen resolution on the infected system, which helps hackers determine if the malware is running in an isolated environment.

Although TrickBot began as a common banking Trojan, its developers have added multiple features that make it one of the most dangerous malware variants today. Among the features added to TrickBot are theft of credentials stored in the browser, theft of Active Directory databases, and searching for cookies and OpenSSH keys, among other malicious activities, as secure data erasure specialists mentioned.

In his investigation, Kotowicz mentions that a newly detected TrickBot sample checks whether the screen resolution of the affected computer is 800×600 or 1024×768, and if so, TrickBot does not run.

SOURCE: BleepingComputer

The secure data erasure expert notes that these particular resolutions are very common in the configuration of most VM deployments.

When configuring these tools, researchers rarely install the additional software that enables a higher screen resolution and other functions (such as improved mouse management, network access, among others): "VirtualBox, for example, has a default resolution of 1024×768", mentions Kotowicz. In other words, users whose monitors run at the above resolutions might be less prone to TrickBot infections, although it is worth mentioning that these are considered low-quality resolutions that make daily work difficult.
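For analysts, the practical consequence is that a sandbox guest left at one of these resolutions will record no behaviour from such a sample. The following added example (not from the original article or from Kotowicz) audits a set of guests for the two resolutions named above; it assumes each guest's display mode was collected as list-format output of a Win32_VideoController query, and the guest names and inventory are constructed.

```python
# Resolutions named in the article: a guest reporting one of these is
# skipped by the sample, so the sandbox run would look clean.
VM_TELL_RESOLUTIONS = {(800, 600), (1024, 768)}

# Constructed sample data; guest names are hypothetical. Each value mimics
# key=value output for CurrentHorizontalResolution/CurrentVerticalResolution.
H, V = "CurrentHorizontalResolution=", "CurrentVerticalResolution="
SAMPLE_INVENTORY = {
    "sandbox-win10-a": f"{H}1024\r\n{V}768\r\n",
    "sandbox-win10-b": f"{H}1920\r\n{V}1080\r\n",
    # Two adapters: an inactive one (blank values) and an active 800x600 one.
    "sandbox-win7-c": f"{H}\r\n{V}\r\n\r\n{H}800\r\n{V}600\r\n",
    "sandbox-headless": f"{H}\r\n{V}\r\n",
}


def parse_resolutions(text):
    """Return (width, height) for every adapter that reports an active mode."""
    modes, width = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "CurrentHorizontalResolution":
            width = int(value) if value.isdigit() else None
        elif key == "CurrentVerticalResolution":
            if width is not None and value.isdigit():
                modes.append((width, int(value)))
            width = None  # a height always closes the current adapter record
    return modes


def audit(inventory):
    """Map guest name -> 'fingerprintable', 'ok' or 'unknown'."""
    findings = {}
    for guest, output in inventory.items():
        modes = parse_resolutions(output)
        if not modes:
            findings[guest] = "unknown"  # no active display reported
        elif any(mode in VM_TELL_RESOLUTIONS for mode in modes):
            findings[guest] = "fingerprintable"
        else:
            findings[guest] = "ok"  # passes this one check only
    return findings


if __name__ == "__main__":
    for guest, finding in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{guest:20} {finding}")
```

An "ok" result covers only the resolution check; the other virtual machine indicators mentioned earlier (processes, services, machine names, MAC addresses, CPU features) need their own review.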
