A forum for reverse engineering, OS internals and malware analysis 

 #16208  by nex
 Mon Oct 22, 2012 7:41 am
You might want to give a look at:
http://pastebin.com/RU6A2UuB
https://github.com/cuckoobox/community/ ... ntifier.py
https://github.com/cuckoobox/community/ ... ct_acpi.py

The last two are signatures to detect those tricks, but you can find the indicators to modify.

Attached is a sample that employs lot of anti-vm tricks, you might want to use it as a test run. It's a DirtJumper.
Attachments
 #17020  by Ormu
 Tue Dec 04, 2012 4:57 pm
EP_X0FF wrote:
kmd wrote: :( still no luck for me... any tips?
You either did not configure your machine or missed something. 0x16/7ton revealed all, so he stole most of my spoilers :D To be able to work with this rootkit, set up a new virtual machine. I think VirtualBox is OK, since it's light, free and has configurable DMI settings (while VPC does not; unsure about VMware). Install Windows and do not install any kind of VM tools. Or wipe them if they are installed. This is an important part of any malware research - never use any kind of VM tools. Next, configure DMI information to fool the rootkit's anti-VM checking. For vbox:

VBoxManage setextradata "My VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Gigabyte" (any vendor but not Microsoft/Virtual Box etc)
VBoxManage setextradata "My VM" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "SAMSUNG" (any vendor not in blacklist)
VBoxManage setextradata "My VM" VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily "Anything"
VBoxManage setextradata "My VM" VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor "Anything"

...
Considering how much VBox is used in malware research couldn't they add a GUI configuration panel for these options? Not that using vboxmanage is hard, but...
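The lab-configuration check the quoted post describes can be automated. The script below is an added example, not code from this thread or from VirtualBox: it parses the output of `VBoxManage getextradata "<vm>" enumerate` (assumed here to be lines of the form `Key: <key>, Value: <value>`) and reports which of the DMI and disk-model keys named in the post are still unset or still carry a stock VirtualBox string. The sample output at the bottom is constructed so the audit runs offline.

```python
import re
import subprocess
from typing import Dict, List

# Extradata keys the quoted post overrides: three DMI strings and the
# SATA disk model string.  The list itself is an assumption of this example.
KEYS_TO_CHECK = [
    "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor",
    "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor",
    "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily",
    "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber",
]

# Substrings that identify the stock VirtualBox values (matched case-insensitively).
TELLTALE = ("virtualbox", "innotek", "vbox", "oracle")

# Assumed line format of `VBoxManage getextradata <vm> enumerate`.
KV_RE = re.compile(r"^Key:\s*(?P<key>\S+),\s*Value:\s*(?P<val>.*)$")


def parse_extradata(text: str) -> Dict[str, str]:
    """Turn the enumerate listing into a {key: value} dict; other lines are ignored."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if m:
            result[m.group("key")] = m.group("val").strip()
    return result


def audit(extradata: Dict[str, str]) -> List[str]:
    """Return one finding per checked key that is unset or still looks like VirtualBox."""
    findings: List[str] = []
    for key in KEYS_TO_CHECK:
        val = extradata.get(key)
        if val is None:
            findings.append(f"{key}: not set (the VirtualBox default will be reported)")
        elif any(t in val.lower() for t in TELLTALE):
            findings.append(f"{key}: value {val!r} still identifies VirtualBox")
    return findings


def audit_vm(vm_name: str) -> List[str]:
    """Run VBoxManage against a real VM and audit its extradata (needs VirtualBox installed)."""
    proc = subprocess.run(
        ["VBoxManage", "getextradata", vm_name, "enumerate"],
        capture_output=True, text=True, check=True,
    )
    return audit(parse_extradata(proc.stdout))


# Constructed sample listing: one key fixed, one left at a stock value, one missing.
SAMPLE = """\
Key: GUI/LastNormalWindowPosition, Value: 0,0,800,600
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor, Value: Gigabyte
Key: VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor, Value: innotek GmbH
Key: VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber, Value: SAMSUNG
"""

if __name__ == "__main__":
    for finding in audit(parse_extradata(SAMPLE)):
        print(finding)
```

Against the constructed sample this flags `DmiSystemVendor` (still "innotek GmbH") and `DmiSystemFamily` (never set); `audit_vm("My VM")` does the same against a live VM. Run it after the `setextradata` commands above to confirm nothing was missed before booting a sample.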
 #17568  by Cassiel
 Thu Jan 03, 2013 2:24 pm
I followed all the steps you asked with one exception. Considering I am using Debian as host, I cannot replace the DLL files. Are there also patched versions for Debian/Linux?
 #17570  by EP_X0FF
 Thu Jan 03, 2013 5:22 pm
Cassiel wrote:Are there also patched versions for Debian/Linux?
No, you have to do this yourself. I have no idea how this would look for Linux.
 #17715  by Cassiel
 Tue Jan 15, 2013 3:29 pm
I have tried to do this with VirtualBox on Debian, but Dirt Jumper refused to run; so far I haven't found any alternative for the DLLs.
Currently I am using Qemu/KVM, which allowed me to run Dirt Jumper fairly easily after configuring it a bit.
For those who use a Linux distro and have issues with VirtualBox detection, I advise that you go with Qemu/KVM.
 #18011  by EP_X0FF
 Sun Feb 03, 2013 2:47 pm
Patched DLLs for Win64 VirtualBox-4.2.6-82870. Back up the original VBox files and replace them with the attached ones. Due to the patch the digital signature is broken; however, it is not important and does not affect VBox operation.
Attachments
no pass, 4.2.6-82870 only
 #18250  by EP_X0FF
 Mon Feb 18, 2013 4:41 pm
MAXS wrote:Someone has patches for x86 version of VBox...
Use fc to find the differences from the original files and a hex editor to do the same for the 32-bit DLLs.

No plans for patching x86 dlls as we don't use 32 bit VBox.