A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #26834  by x4ng3l
 Tue Sep 29, 2015 1:53 am
I have a problem.
My "malware" is still detecting that it is in a VM.

I uninstalled the previous version of Oracle, removed all the leftover files, and cleaned the registry with Revo Uninstaller and CCleaner
I rebooted the PC
I installed a new version of VirtualBox (5.0.2 r102096) (removed networking)
I rebooted the PC
I rebooted the PC with no driver signature required by Windows (F8 and select the option)
I installed the driver (install.cmd) (running as admin)
I created the VMs exactly as in the instructions in the topic (like no 3D, NAT, IDE, etc. etc.)
I installed some versions of Windows (Windows764, Windows732, WindowsXP32)
I closed VirtualBox
I changed all the strings in "hidevm_ide.cmd" to random values, respecting standards.
I ran it with admin rights, "respecting standards"; everything is OK, setting up different options for each machine
I opened VirtualBox as admin
I ran all my VMs, one by one
I changed the HD serial with Microsoft VolumeID
I rebooted all VMs
I removed the CD-ROM drivers for all
I can see the changes working perfectly in msinfo32 on all machines...

but...

The program I'm analyzing, even after all this, continues to behave differently in all the tested VMs.

It knows that it is in a VM.

What to do now?

Thanks
 #26846  by x4ng3l
 Tue Sep 29, 2015 8:34 pm
It's not malware, but it's worse than that. It is a cancer.
Not only that: since Brazil is a country full of abuses, we have to deal with the incompetence of banks as well.
Banking institutions in Brazil REQUIRE the user to install a plugin, which was supposed to protect the user, but
which in practice brings more problems than protection.
When you do a search on Google for "GBPlugin" or "G-Buster" it is possible to find thousands of user complaints.

The plugin is abusive, and when it is installed:
* Does not allow itself to be stopped or paused
* Does not allow itself to be uninstalled in any way; there is no option to uninstall.
* Installs processes and drivers in the system that compromise performance and privacy
* Starts hundreds of threads that are active and do checks full time, every millisecond.
* Causes unacceptable problems in the development environment.
* Writes to the registry every millisecond, not only to access the site of the bank, but full time.

The worst is that there is an option to use the plugin or not; even if you are an experienced user who knows WHAT you are doing,
without the plugin it is impossible to access your account, a great speech about it.

Imagine how much energy it consumes, adding up the millions of users who are required to use this waste.

The only solution for many developers is to buy a new computer and use a machine just to use the bank site.
An unprecedented absurdity.

When trying to use a virtual machine to install the plug-in and access the account, the plug-in does not allow access when trying to log into the account from a
VM; it identifies that it is a VM, and blocks access to the account.

Link to download the plug-in:
https://guardiao.itau.com.br/hda/DiagnosticoItau.exe
To test, you can access it in Internet Explorer
https://www.itau.com.br/
You can use this account for testing: (it's an authorized account for tests)
http://prntscr.com/8ly32n
If you see different results trying to log in from a VM and from a normal PC, the plug-in stopped you!
 #26851  by EP_X0FF
 Wed Sep 30, 2015 6:15 am
@x4ng3l

How should the screen look on a successful login?

So far I see this:

Image

and this

Image

Yep, I know about G-Buster; it caused incompatibility problems with Windows Update a few years ago because of the rootkit they use. So far I see three drivers (ps/thread monitor DLL injector, NDIS monitor and a sort of main drv) and some hooking.
 #26865  by x4ng3l
 Fri Oct 02, 2015 1:09 am
EP_X0FF wrote:@x4ng3l

How should the screen look on a successful login?
Image
This message means that your computer is on the black list.
If this message appears, it is because the computer is in the blacklist.
It appears for all VMs.

It's fake feedback, but only of informational character; it means:
"Unavailable access to this account. If you have questions call the SOS internet"
Remember, if you see this message, your computer (VM) is blocked.

Image
The translation of the feedback is this:
"We identified a flaw in your access. Wait a few minutes and try again."
I do not know which handles the plug-in uses to identify a computer, but I know it changes the HTTP requests sent to the server, and passes this data encrypted.
This feedback probably means that there is some inconsistency in the transmitted data.

Access was not allowed in either case.

When you manage to access correctly, you will see a screen very similar to this.
Image
 #26877  by x4ng3l
 Sat Oct 03, 2015 4:16 pm
EP_X0FF wrote:Does it use geo-blocking?
Not that I know of.
It would make sense that a person could not access their account if they were traveling.
Anyway, I tested it with American proxies, and managed to access on a normal machine.
However, in a VM, regardless of place or IP, it does not get access.