VirtualBox Anti-AntiVM - Page 2

Topic locked

Re: VirtualBox Anti-AntiVM

#16208 by nex
Mon Oct 22, 2012 7:41 am

You might want to give a look at:
http://pastebin.com/RU6A2UuB
https://github.com/cuckoobox/community/ ... ntifier.py
https://github.com/cuckoobox/community/ ... ct_acpi.py

The last two are signatures to detect those tricks, but you can find the indicators to modify.

Attached is a sample that employs lot of anti-vm tricks, you might want to use it as a test run. It's a DirtJumper.

Attachments

vm_tricks_sample.zip

(149.56 KiB) Downloaded 114 times

Username

nex

Posts

14

Joined

Fri Aug 06, 2010 8:09 am

Contact

Re: VirtualBox Anti-AntiVM

#17001 by kareldjag/michk
Mon Dec 03, 2012 9:06 pm

Also interesting Pafish demo which checks for several VM
https://github.com/a0rtega/pafish

rgds

Security? Yeah But Well: http://www.ouaismaisbon.ch/ )

Username

kareldjag/michk

Posts

91

Joined

Sun Jul 04, 2010 6:57 pm

Location

FRANCE

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

#17020 by Ormu
Tue Dec 04, 2012 4:57 pm

EP_X0FF wrote:
kmd wrote::( still not luck for me... any tips?
You either did not configured your machine or missed something. 0x16/7ton revealed all, so he stole most of my spoilers :D To be able to work with this rootkit setup new virtual machine. I think Virtual Box is OK, since its light, free and has configurable DMI settings (while VPC not, unsure about VmWare). Install Windows and do not install any kind of VM tools. Or wipe them if they are installed. This is important part of any malware research - never use any kind of VM tools. Next configure DMI information to fool rootkit antivm checking. For vbox:

VBoxManage setextradata "My VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Gigabyte" (any vendor but not Microsoft/Virtual Box etc)
VBoxManage setextradata "My VM" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "SAMSUNG" (any vendor not in blacklist)
VBoxManage setextradata "My VM" VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily "Anything"
VBoxManage setextradata "My VM" VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor "Anything"

...

Considering how much VBox is used in malware research couldn't they add a GUI configuration panel for these options? Not that using vboxmanage is hard, but...

Username

Ormu

Posts

8

Joined

Sat Oct 15, 2011 5:01 pm

Re: VirtualBox Anti-AntiVM

#17568 by Cassiel
Thu Jan 03, 2013 2:24 pm

I followed all the steps you asked with one exception. Considering I am using a debian as host I cannot replace the dll files. Are there also patched versions for Debian/Linux?

Username

Cassiel

Posts

13

Joined

Mon Dec 17, 2012 12:03 pm

Re: VirtualBox Anti-AntiVM

#17570 by EP_X0FF
Thu Jan 03, 2013 5:22 pm

Cassiel wrote:Are there also patched versions for Debian/Linux?

No, you have to do this yourself. Have no idea how this will be looking for Linux.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: VirtualBox Anti-AntiVM

#17715 by Cassiel
Tue Jan 15, 2013 3:29 pm

I have tried to do this with Virtualbox on Debian but Dirt Jumper refused to run, so far i haven't found any alternative for the DLL's.
Currently I am using Qemu/KVM which allowed me to run Dirt Jumper fairly easy after configuring it a bit.
For those who use a Linux distro and have issues with Virtualbox detection I advice that you go Qemu/KVM.

Username

Cassiel

Posts

13

Joined

Mon Dec 17, 2012 12:03 pm

Re: VirtualBox Anti-AntiVM

#18011 by EP_X0FF
Sun Feb 03, 2013 2:47 pm

Patched dlls for Win64 VirtualBox-4.2.6-82870. Backup original Vbox files and replace with attached. Due to patch digital signature is broken, however it is not important and do not affect Vbox work.