 #23055  by R136a1
 Fri Jun 06, 2014 12:50 pm
Hi,

caught this tool while searching for some interesting malware samples. It seems to be a collection of existing detection techniques for VirtualBox. Please correct me if I'm wrong.

Presentation: http://prezi.com/ade84h1xwnzl/antivirtu ... neevasion/ (Korean)
Source: https://code.google.com/p/my-project-kh ... oxDetector
Binary: attached


Regards
PW: infected (but it's clean and no malware) :)
 #23056  by EP_X0FF
 Fri Jun 06, 2014 1:51 pm
Collection of unstable, out-of-date methods (IDT, LDT, STR, TSS) plus some popular things abused by malware (like registry keys) and out-dated, already-fixed bugs (single step).
Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>cd desktop

C:\Documents and Settings\Administrator\Desktop>detect
======== Trust Result========
[*] TestCase1 - Detect VirtualBox - DriverName =  [ NO ]
= DriverName : e
[*] TestCase6 - Detect VirtualBox - RegString  =  [ NO ]
[*] TestCase7 - Detect VirtualBox - NICMacInfo =  [ NO ]
[*] TestCase8 - Detect VirtualBox - RegSMBiosType =  [ NO ]
[*] TestCase9 - Detect VirtualBox - BiosVersionWMI =  [ NO ]
= Now DxDiagInfo : ^_^
DxDiagInfo == innotek GmbH? Guest:Host
= Now DxDiagInfo : ^_^
DxDiagInfo == VirtualBox? Guest:Host
[*] TestCase10 - Detect VirtualBox - DXDiagSysInfo =  [ NO ]
[*] TestCase11 - Detect VirtualBox - setuplog.txt =  [ NO ]


 ======== Normal trust ========
[*] TestCase4 - Detect VirtualBox - RDTSC Diff =  [ YES ]
= RDTSC : 22229
= RDTSC > 512? Guest:Host


========Not trust result========
[*] TestCase2 - Detect VirtualBox - IDTAddress =  [ YES ]
= Now IDTBase : 0x8003f400
= IDTBase > 0x0d000000? Guest:Host
[*] TestCase3 - Detect VirtualBox - LDTAddress =  [ NO ]
= Now LDTBase : 0x00120000
= LDTBase != 0xcccc0000? Guest:Host
[*] TestCase5 - Detect VirtualBox - TSSAddress =  [ YES ]
= Now TSSAddress : 0x00000028
= TSS != 0x00000040 Guest:Host
[*] TestCase12 - Detect VirtualBox - cpuid.1 ecx[31bit] =  [ NO ]
[*] TestCase13 - Detect VirtualBox - cpuid.1 edx[28bit] =  [ NO ]
[*] TestCase14 - Detect VirtualBox - Single step Flags on cpuid tf bit =  [ NO ]

┴╛╖ß╟╧╖┴╕Θ ╛╞╣½┼░│¬...anti vm evasion ┐∞╕« ┴╢ ╚¡└╠╞├!!

C:\Documents and Settings\Administrator\Desktop>
Completely undetected (don't worry about TSS and IDT; it shows the same *detect* on my real machine).

There is another trash collection available, named parish or something like that.

It doesn't work on x64

http://i.imgur.com/PddmCNi.png

(mac address not randomized)
 #23057  by R136a1
 Fri Jun 06, 2014 2:24 pm
Ok, that would be clarified thereby.

Anyway, are you aware of any malware samples beside TDL4 (or earlier?) which make use of IOCTL requests (particularly IOCTL_STORAGE_QUERY_PROPERTY -> STORAGE_DEVICE_DESCRIPTOR) for VM detection?
 #23058  by EP_X0FF
 Fri Jun 06, 2014 2:43 pm
TDL4 has no vm detection.

Malware using ioctl you mentioned for vm detection is Win32/Cbeplay.
 #23071  by EP_X0FF
 Mon Jun 09, 2014 12:37 pm
Yes this. It is detecting only unmodified virtual machines.

The author just ripped detection methods he saw in various malware samples. Quite unimpressive. He didn't even bother to look if they really work.

https://github.com/a0rtega/pafish/blob/ ... ish/vbox.c (will not work without tools and with vm extradata change)
https://github.com/a0rtega/pafish/blob/ ... andboxie.c (will not work with BSA)
https://github.com/a0rtega/pafish/blob/ ... h/vmware.c (will not work without tools and with machine randomization, if vmware support it of course)

etc