Collection of unstable, out-of-date methods (IDT, LDT, STR, TSS), plus some popular things abused by malware (like registry keys) and outdated, fixed bugs (single step).
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator>cd desktop
C:\Documents and Settings\Administrator\Desktop>detect
======== Trust Result========
[*] TestCase1 - Detect VirtualBox - DriverName = [ NO ]
= DriverName : e
[*] TestCase6 - Detect VirtualBox - RegString = [ NO ]
[*] TestCase7 - Detect VirtualBox - NICMacInfo = [ NO ]
[*] TestCase8 - Detect VirtualBox - RegSMBiosType = [ NO ]
[*] TestCase9 - Detect VirtualBox - BiosVersionWMI = [ NO ]
= Now DxDiagInfo : ^_^
DxDiagInfo == innotek GmbH? Guest:Host
= Now DxDiagInfo : ^_^
DxDiagInfo == VirtualBox? Guest:Host
[*] TestCase10 - Detect VirtualBox - DXDiagSysInfo = [ NO ]
[*] TestCase11 - Detect VirtualBox - setuplog.txt = [ NO ]
======== Normal trust ========
[*] TestCase4 - Detect VirtualBox - RDTSC Diff = [ YES ]
= RDTSC : 22229
= RDTSC > 512? Guest:Host
========Not trust result========
[*] TestCase2 - Detect VirtualBox - IDTAddress = [ YES ]
= Now IDTBase : 0x8003f400
= IDTBase > 0x0d000000? Guest:Host
[*] TestCase3 - Detect VirtualBox - LDTAddress = [ NO ]
= Now LDTBase : 0x00120000
= LDTBase != 0xcccc0000? Guest:Host
[*] TestCase5 - Detect VirtualBox - TSSAddress = [ YES ]
= Now TSSAddress : 0x00000028
= TSS != 0x00000040 Guest:Host
[*] TestCase12 - Detect VirtualBox - cpuid.1 ecx[31bit] = [ NO ]
[*] TestCase13 - Detect VirtualBox - cpuid.1 edx[28bit] = [ NO ]
[*] TestCase14 - Detect VirtualBox - Single step Flags on cpuid tf bit = [ NO ]
┴╛╖ß╟╧╖┴╕Θ ╛╞╣½┼░│¬...anti vm evasion ┐∞╕« ┴╢ ╚¡└╠╞├!!
C:\Documents and Settings\Administrator\Desktop>
Completely undetected (don't worry about TSS and IDT; it shows the same *detect* on my real machine).
There is another trash collection available, named parish or something like that.
It doesn't work on x64.
http://i.imgur.com/PddmCNi.png
(mac address not randomized)