A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #16428  by gfgqtmakia
 Sun Nov 04, 2012 3:03 pm
As part of my research in the university I am exploring viruses that use anti-forensics tools, and in specific the anti sniffer tool.

For example, a virus that asks the OS some queries, and if it learns that a sniffer tool is running in the system, it kills itself (so it won't get detected sending out information). Otherwise it continues to do malicious things.

I've searched the web, but found no virus that was documented using anti sniffer tools.

I'd like your help finding such a virus. Just a name would suffice.

Thanks,
gfgqtmakia.
 #16429  by Buster_BSA
 Sun Nov 04, 2012 3:35 pm
Cuckoo Sandbox has a signature to detect anti sniffer and it's like this:
Code:
import re

from lib.cuckoo.common.abstracts import Signature

class InstallsWinpcap(Signature):
    name = "sniffer_winpcap"
    description = "Installs WinPCAP"
    severity = 3
    categories = ["sniffer"]
    authors = ["Thomas Birn"]
    minimum = "0.4.2"

    def run(self, results):
        # File-path patterns for the WinPcap components (packet driver, NPF kernel driver, wpcap library).
        # "\\\\" in a normal Python string becomes "\\" in the pattern, i.e. one literal backslash.
        indicators = [
            ".*\\\\packet.dll",
            ".*\\\\npf.sys",
            ".*\\\\wpcap.dll"
        ]

        regexps = [re.compile(indicator) for indicator in indicators]

        # Walk every file path touched during the run; the first match fires the signature.
        for file_name in results["behavior"]["summary"]["files"]:
            for regexp in regexps:
                if regexp.match(file_name):
                    self.data.append({"file_name" : file_name})
                    return True

        return False
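The signature above only fires if the recorded path matches the pattern byte for byte. Windows paths are case-insensitive, so a dropper that writes PACKET.DLL would slip past it, and the unescaped dot in "packet.dll" also matches "packetXdll". The following stand-alone matcher is an added example, not Cuckoo's own code and not from the post above: it keeps the same three indicators, escapes the dots, normalises case before matching, and runs over a constructed file list shaped like results["behavior"]["summary"]["files"].

```python
import re

# Same three WinPcap components as the Cuckoo signature, written as raw strings
# so that "\\" is one literal backslash and "\." is a literal dot.
WINPCAP_INDICATORS = [
    r".*\\packet\.dll",
    r".*\\npf\.sys",
    r".*\\wpcap\.dll",
]
_REGEXPS = [re.compile(p) for p in WINPCAP_INDICATORS]


def winpcap_hits(file_names, ignore_case=True):
    """Return every path in file_names that matches a WinPcap indicator.

    ignore_case=True lowercases the path first, because NTFS paths are
    case-insensitive and a sample may drop PACKET.DLL instead of packet.dll.
    The patterns are lowercase, so matching is done on the lowercased copy
    while the original spelling is reported.
    """
    hits = []
    for name in file_names:
        probe = name.lower() if ignore_case else name
        if any(r.match(probe) for r in _REGEXPS):
            hits.append(name)
    return hits


# Constructed sample (not real sandbox output) in the shape of the
# results["behavior"]["summary"]["files"] list the signature iterates.
SAMPLE_FILES = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\PACKET.DLL",
    r"C:\Windows\System32\drivers\npf.sys",
    r"C:\Users\lab\Desktop\notes.txt",
]

if __name__ == "__main__":
    print("case-insensitive:", winpcap_hits(SAMPLE_FILES))
    print("case-sensitive:  ", winpcap_hits(SAMPLE_FILES, ignore_case=False))
```

With the constructed list the case-insensitive run reports both PACKET.DLL and npf.sys, while the original case-sensitive behaviour only reports npf.sys, which is exactly the gap the normalisation closes.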
 #16430  by EP_X0FF
 Sun Nov 04, 2012 3:43 pm
gfgqtmakia wrote: For example, a virus that asks the OS some queries, and if it learns that a sniffer tool is running in the system, it kills itself (so it won't get detected sending out information). Otherwise it continues to do malicious things.
http://www.kernelmode.info/forum/viewto ... 8976#p8976
 #16500  by gfgqtmakia
 Thu Nov 08, 2012 4:12 pm
Hi.

Does anyone know a virus that uses a technique that works in vmware but doesn't work in vbox?
For example:
Code:
mov EAX, 564D5868h ; VMXh
xor EBX, EBX  ; set EBX to anything but 0x564D5868 (in this case 0)
mov CX, 0Ah   ; Backdoor command. 10: Get VMware version
mov DX, 5658h  ; VX
in EAX, DX  ; Read from port VX into EAX
cmp EBX, 564D5868h ; EBX should have the magic number VX if VMware is present. If not, EBX=0
(source: http://vrt-blog.snort.org/2009/10/how-d ... rence.html)

I'd like to present my professor with a live case of a virus acting differently in different environments.

Thank you again. :)
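The backdoor probe in the snippet above leaves a recognisable footprint in a binary: the magic 0x564D5868 as a 32-bit immediate, the port 0x5658 as a 16-bit immediate, and the one-byte `in eax, dx` opcode (0xED) close together. The following static scanner is an added example, not from the post or from the linked blog: it looks for that co-occurrence in a byte blob so an analyst can flag samples carrying the VMware check before running them. The sample bytes are the hand-assembled 32-bit encoding of the six instructions above and are constructed here, not taken from any real malware.

```python
import re
import struct

# Little-endian encodings of the constants used by the VMware backdoor probe.
VMX_MAGIC = struct.pack("<I", 0x564D5868)   # b"hXMV", immediate of mov eax / cmp ebx
VMX_PORT = struct.pack("<H", 0x5658)        # b"XV",   immediate of mov dx
IN_EAX_DX = b"\xED"                         # opcode of `in eax, dx`


def find_vmware_backdoor_checks(blob, window=32):
    """Return offsets of every VMX magic immediate that is followed, within
    `window` bytes, by the 0x5658 port immediate and then an `in eax, dx`.

    Requiring all three in order keeps a stray "hXMV" string in data from
    being reported on its own.
    """
    hits = []
    for m in re.finditer(re.escape(VMX_MAGIC), blob):
        start = m.start()
        region = blob[start:start + window]
        port_at = region.find(VMX_PORT)
        if port_at != -1 and IN_EAX_DX in region[port_at:]:
            hits.append(start)
    return hits


# Constructed sample: the post's snippet assembled for 32-bit x86.
SAMPLE_CODE = bytes.fromhex(
    "B8 68 58 4D 56"        # mov eax, 0x564D5868
    "31 DB"                 # xor ebx, ebx
    "66 B9 0A 00"           # mov cx, 0x0A
    "66 BA 58 56"           # mov dx, 0x5658
    "ED"                    # in eax, dx
    "81 FB 68 58 4D 56"     # cmp ebx, 0x564D5868
)

# Constructed benign blob: the magic appears as data but no port access follows it.
SAMPLE_DATA_ONLY = b"\x00" * 8 + VMX_MAGIC + b"\x00" * 8

if __name__ == "__main__":
    print("code sample:", find_vmware_backdoor_checks(SAMPLE_CODE))
    print("data only:  ", find_vmware_backdoor_checks(SAMPLE_DATA_ONLY))
```

On the constructed code sample the scanner reports offset 1 (the immediate of the `mov eax`) and ignores the second copy of the magic inside the `cmp`, because no port immediate follows it; the data-only blob yields nothing. Compiler-generated code can split or reorder these constants, so treat a miss as inconclusive and a hit as a reason to look closer, not as proof.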