A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #16085  by EP_X0FF
 Wed Oct 17, 2012 4:23 pm
kmd wrote::( still not luck for me... any tips?
You either did not configured your machine or missed something. 0x16/7ton revealed all, so he stole most of my spoilers :D To be able to work with this rootkit setup new virtual machine. I think Virtual Box is OK, since its light, free and has configurable DMI settings (while VPC not, unsure about VmWare). Install Windows and do not install any kind of VM tools. Or wipe them if they are installed. This is important part of any malware research - never use any kind of VM tools. Next configure DMI information to fool rootkit antivm checking. For vbox:

VBoxManage setextradata "My VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Gigabyte" (any vendor but not Microsoft/Virtual Box etc)
VBoxManage setextradata "My VM" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "SAMSUNG" (any vendor not in blacklist)
VBoxManage setextradata "My VM" VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily "Anything"
VBoxManage setextradata "My VM" VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor "Anything"

where "My VM" - name of your vm.

put dropper in temp, rename it in UAC.exe and start with admin rights. Wait few sec - check presence of UAC.exe in memory -> it will stay idle hanging on Sleep(30 minutes). Rise any hex editor and check MBR. Rootkit should add new partition and mark it as "Active". Reboot machine, after successful reboot rootkit will be loaded and you can find it with usual tools. I will attach log from 5.x rku when I get back from work :)
 #16088  by kmd
 Wed Oct 17, 2012 5:37 pm
EP_X0FF wrote:For vbox:

VBoxManage setextradata "My VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Gigabyte" (any vendor but not Microsoft/Virtual Box etc)
VBoxManage setextradata "My VM" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "SAMSUNG" (any vendor not in blacklist)
VBoxManage setextradata "My VM" VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily "Anything"
VBoxManage setextradata "My VM" VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor "Anything"
that did the trik lol
how simple and stupid same time :roll:
 #16100  by kmd
 Thu Oct 18, 2012 10:24 am
EP_X0FF wrote:
kmd wrote:VBoxManage setextradata "My VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Gigabyte" (any vendor but not Microsoft/Virtual Box etc)
VBoxManage setextradata "My VM" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "SAMSUNG" (any vendor not in blacklist)
VBoxManage setextradata "My VM" VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily "Anything"
VBoxManage setextradata "My VM" VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor "Anything"
is it enough for anything? im gonna now use vbox as primary vm.
 #16102  by EP_X0FF
 Thu Oct 18, 2012 12:01 pm
kmd wrote:is it enough for anything? im gonna now use vbox as primary vm.
Physical machine always better. However you can setup VM that will be protected from 99.9% of antivm tricks seen in ITW malware up to date. I'm not using VirtualBox as primary VM but I have it customized too. Few simple steps to configure VirtualBox.

1. Create new VM, install Windows. Do not install VM Tools/Additions <- this is important because even uninstalled they leave traces in registry and *.inf files on disk.
2. Configure VM DMI, see previous post, important options usually checked by malware:

Disk serial number, harddisk model number, BIOS related info, system vendor, motherboard vendor, chassis vendor. Settings to configure (assuming you use AHCI controller):
VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber
VBoxInternal/Devices/ahci/0/Config/Port0/SerialNumber
VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate
VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor
VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion
VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily
VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct
VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor
VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor
VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct
VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor
Put your own info in these fields, for example copy from your real machine (see msinfo32).

3. Replace Virtual Box environment dlls with attached. Note: they are for x64 VirtualBox v4.2.0.80737 and may not work with later/previous versions. Originally these dlls contains a lot of hardcoded data related to virtual machine devices, Video BIOS ID, ACPI table etc. This can be used to determine if we are running inside virtual machine or not, because Windows inside virtual machine uses this data and WMI of course takes this info into account. For example of such info see HKLM\HARDWARE\DESCRIPTION\System or Device Manager / MsInfo32 / DxDiag.

Dlls are patched to get rid of most important markers (including patched Video BIOS data). Since they are patched their digital signature become invalid. Do not worry, no viruses inside. Create backup copy of dlls for sure.

4. Create full VM copy with VM settings.

Now you can do whatever you want - install malware after then install tools/debuggers etc.
Attachments
pass: vbox
(938.24 KiB) Downloaded 167 times
 #16192  by EP_X0FF
 Sun Oct 21, 2012 3:19 pm
As requested, for x64 v4.2.2.281494. For more info refer to previous posts.
Attachments
pass: vbox
(910.04 KiB) Downloaded 100 times
 #16198  by thisisu
 Mon Oct 22, 2012 12:12 am
Thank you for this thread.

I've been trying to do this without success. I'm not 100% sure but I think the hard disk is set up as IDE, not AHCI. How can I change this without being able to go into a BIOs environment?
Some more examples would be appreciated.
 #16200  by EP_X0FF
 Mon Oct 22, 2012 2:55 am
thisisu wrote:Thank you for this thread.

I've been trying to do this without success. I'm not 100% sure but I think the hard disk is set up as IDE, not AHCI. How can I change this without being able to go into a BIOs environment?
Some more examples would be appreciated.
What exactly you tried? You can add new HDD controller from Machine Settings -> Storage -> Add Controller -> Add SATA Controller. However likely you can't attach already installed Windows from old IDE type controller to new SATA (it will BSOD on boot). All hardware machine specific settings (controller types, CPU features etc) need to be set before installing Windows.

If you plan to use IDE controller instead of SATA then try this
VBoxManage setextradata "My VM" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber" FLOPPY2k12"
VBoxManage setextradata "My VM" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber" "F45454H"
VBoxManage setextradata "My VM" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/FirmwareRevision" "FFFCCE24"
put some real values. VBox treats all of them as strings, so they must contain at least one symbol, not only digits.
Notice PrimaryMaster -> if HDD set as Secondary -> change this string part.
test.png
test.png (15.09 KiB) Viewed 2119 times
VBox itself treats PIIX4 controller as a simple another name of PIIX3
[/Devices/piix3ide/0/Config/] (level 4)
Type <string> = "PIIX4" (cb=6)
For ICH6 I'm unsure about real name, could be also pseudonym of PIIX3 -> check vm boot log for all device names -> right click on VM -> Show Log.

Use all of this with VBox Additions uninstalled. And better never install them before "infection" if you plan to use VBox as test vm for experiments with malware. How to copy all required tools, samples etc without VBox tools? Make another HDD, copy everything to it from another VM and use it as secondary HDD on target VM.
 #16204  by kmd
 Mon Oct 22, 2012 6:27 am
thx for update. is it enough strong for malware detection bypass?
 #16207  by EP_X0FF
 Mon Oct 22, 2012 6:41 am
kmd wrote:thx for update. is it enough strong for malware detection bypass?
Depends on malware. For a completely lame stuff like this Alureon dropper or Citadel/Ransoms - Yes. But even this patched dlls still contains some markers - for example VirtualBox backdoor device (hard to fix due to multiple usage, check VBoxDD if you want hide it yourself).

Personally I know few simple ways to detect all popular virtual machines (this was checked on VBox/VPC for example, should work on VMWare too) not depending on any kind of "strings". One perfectly works from user mode and second works from kernel mode. However I never saw anything like this in real malware. Must be they don't know about it :D

Also some malware may need several circumstances to run. For example old Pragma TDSS droppers were checking system location (by system locale) and if they running in exUSSR zone - they quits. But its not antivm.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 7