This is often done to hinder analysis and thus to hide the malicious payload.
After a lot of research and reverse engineering, Joe Security LLC (credit to antnet) has published a series of very interesting detections that will surely interest you if you are thinking of cooking up your own piece of malware:
"Get VMware version (exceptions expected & handled using this privileged instruction outside a VM):
  00409E27 IN EAX,DX ; eax = 'VMXh', ecx = 0A, dx = 'VX'
  00409E27 IN EAX,DX ; eax = 'VMXh', ecx = 0A, dx = 'VY'
  00409E27 IN EAX,DX ; eax = 'VMXh', ecx = 0A, dx = '@' (0x40)
Illegal/unknown instruction (exception handled):
  00409EB1 DB 0F
  00409EB2 DB 3F
  00409EB3 DB 07
  00409EB4 DB 0B
Get content of descriptors:
  00409F22 SLDT WORD PTR SS:[EBP-28C]
  00409F29 STR WORD PTR SS:[EBP-290]
  00409F30 SGDT FWORD PTR SS:[EBP-44]
  00409F34 SIDT FWORD PTR SS:[EBP-3C]
Get content of segment registers (exceptions on undefined regs handled).
FindFirstFile/FindNextFile on [system directory]\drivers and check names: hgfs.sys, vmhgfs.sys, prleth.sys, prlfs.sys, prlmouse.sys, prlvideo.sys, prl_pv32.sys, vpc-s3.sys, vmsrvc.sys, vmx86.sys, vmnet.sys
GetModuleHandle. Check if DLL loaded: dbghelp, SbieDll, api_log, dir_watch, pstorec
GetUserName. Check for: currentuser, sandbox, honey, vmware, nepenthes, snort, andy, roo
GetComputerName. Check if: "TU-4NH09SMCG1HC"
GetModuleFileName (this exe name). Check if: "InsideTm"
RegQueryValueEx on "HKLM\HARDWARE\Description\System\SystemBiosVersion". Check if: "vbox"
RegQueryValueEx on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProductID" and "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID". Check ProductID for: 55274-640-2673064-23950, 76487-644-3177037-23510, 76487-337-8429955-22614
RegEnumKey on "HKLM\SOFTWARE\Microsoft". Check names for: Hyper-V, VirtualMachine
RegEnumKey on "HKLM\SYSTEM\ControlSet001\Services". Check names for: vmicheartbeat, vmicvss, vmicshutdown, vmicexchange, vmci, vmdebug, vmmouse, VMTools, VMMEMCTL, vmware, vmx86, vpcbus, vpc-s3, vpcuhub, msvmmouf, VBoxMouse, VBoxGuest, VBoxSF, xenevtchn, xennet, xennet6, xensvc, xenvdb
RegQueryValueEx on "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier". Check Identifier for: vmware, vbox
RegEnumKey on: "HKLM\HARDWARE\ACPI\DSDT", "HKLM\HARDWARE\ACPI\FADT", "HKLM\HARDWARE\ACPI\RSDT". Check names for: VBOX, xen
GetProcAddress kernel32.CreateProcessA and check for patch: E9 (jmp). Note that CreateProcessW is not checked.
Snapshot of running processes. Check for: vmware, vmount2, vmusrvc, vmsrvc, VBoxService, vboxtray, xenservice, joeboxserver, joeboxcontrol, wireshark, sniff_hit, sysAnalyzer, filemon, procexp, procmon, regmon, autoruns
GetAdaptersInfo. Checks MAC address for 0x0569, 0x0C29, 0x1C14 and 0x5056. They all belong to VMware MAC address prefixes.
GetProcAddress. Check if kernel32 or ntdll export the function: "wine_get_unix_file_name".
FindFirstFile/FindNextFile on "C:\*.*". Check if any file or directory name is a 60 char hex string (unique to the PC) used for encoding."
Interesting topic, I've been wondering about these things for a while :D, thanks vicente for sharing.
A project related to the topic https://github.com/a0rtega/pafish :)
You can't imagine how useful this is to me. Excellent post (as always).