Thanks to EKWatcher and his decoding skills, which saved me a lot of time.

As we see more and more of those "XMLDOM" checks in exploit kits, I decided to write down here some of the checks spotted. This is a fast-moving area and it will be hard to keep this up to date, but it may give an idea of how the technique is being used.
2015-05-16 [Edit: I know that some information here is not totally exact]

+= "Malwarebytes Anti-Exploit\\mbae.exe", "Malwarebytes Anti-Malware\\mbam.exe", "FiddlerCoreAPI\\FiddlerCore.dll"
Angler EK checks now integrate MBAE and MBAM: http://pastebin.com/0LrAy9gm
'res://C:\\Program Files (x86)\\Fiddler2\\Fiddler.exe/#3/#32512'
+ Avoids firing CVE-2013-2551 if a Symantec product is detected (maybe also for CVE-2014-0322; didn't check).
+ Checks for:
'res://C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567',
'res://C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#30996',
'res://C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110',
'res://C:\\Program Files\\Parallels\\Parallels Tools\\Applications\\setup_nativelook.exe/#2/#204'];
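To triage captured landing pages for this kind of probing, here is an added example (not code from this post or from any exploit kit) that pulls the res:// URIs out of a JavaScript blob, splits each into the probed file path, resource type and resource ID, and labels what the probe targets. The first three res:// strings are the ones quoted above; the surrounding JavaScript and the mbae.exe entry with its resource numbers are constructed.

```python
import re

# Constructed sample of the kind of array found in a captured landing page. The first
# three res:// strings are the ones quoted in the post; the surrounding JavaScript and
# the mbae.exe entry (resource type/id picked arbitrarily) are made up for this example.
SAMPLE_JS = r"""
var chk = ['res://C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567',
           'res://C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110',
           'res://C:\\Program Files (x86)\\Fiddler2\\Fiddler.exe/#3/#32512',
           "res://C:\\Program Files\\Malwarebytes Anti-Exploit\\mbae.exe/#2/#1"];
"""

# res://<path>/#<resource type>/#<resource id>; the path is a JS string literal with
# doubled backslashes, so it runs up to the next quote of either kind.
RES_RE = re.compile(r"res://([^'\"]+?)/#(\d+)/#(\d+)")

# Product keywords from the post, used to label what each probe is looking for.
CATEGORIES = {
    "virtualization": ("vmware", "virtualbox", "parallels"),
    "security product": ("malwarebytes", "symantec"),
    "analysis tool": ("fiddler",),
}

def categorize(path):
    """Map a probed file path to one of the categories above, or 'unknown'."""
    low = path.lower()
    for category, needles in CATEGORIES.items():
        if any(n in low for n in needles):
            return category
    return "unknown"

def extract_res_probes(js_text):
    """Return one dict per res:// probe: path, res_type, res_id, category."""
    probes = []
    for m in RES_RE.finditer(js_text):
        path = m.group(1).replace("\\\\", "\\")  # undo JS string escaping
        probes.append({"path": path, "res_type": int(m.group(2)),
                       "res_id": int(m.group(3)), "category": categorize(path)})
    return probes

if __name__ == "__main__":
    for p in extract_res_probes(SAMPLE_JS):
        print(f"{p['category']:17} type={p['res_type']:<3} id={p['res_id']:<6} {p['path']}")
```

Feed it the deobfuscated script of a landing page (such as the pastebin dumps linked in this post) to get a quick inventory of what the kit is fingerprinting before any exploit is served.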
http://pastebin.com/EAKZk43e

2014-10-01

Previously:

Astrum EK:

Nuclear Pack:
Gathering samples by browsing requires hardening too. Nuclear Pack tries to detect VMWare now. pic.twitter.com/W9Z1bgUJyv
— kafeine (@kafeine) September 28, 2014
Attackers abusing Internet Explorer to enumerate software and detect security products - Jaime Blasco - AlienVault - 2014-07-25