PRACTICAL MALWARE ANALYSIS: ANTI VM (LAB 17-01)

Tools Used

  1. IDA Pro

Sample:

  1. Lab17-01.exe SHA256: 14c0c9bef6830d139c36c1cea8f0ef1010e49373aad52c55f167e677ce4c6bd5

VirusTotal:

  • Detection Rate: 19/56
  • Analyzed on 2016-03-19
  • Compilation Date: 2011-10-23 03:37:19

Lab 17-1
Analyze the malware found in Lab17-01.exe inside VMware. This is the same
malware as Lab07-01.exe, with added anti-VMware techniques.
NOTE The anti-VM techniques found in this lab may not work in your environment.
Questions
1. What anti-VM techniques does this malware use?

The malware uses three instructions whose results differ under a hypervisor: sidt, sldt and str.

Figure 1. sidt instruction

The malware issues the sidt instruction as shown above, which stores the contents
of the IDTR into the memory location pointed to by var_428. The IDTR is 6 bytes,
and the fifth byte offset contains the start of the base memory address. That
fifth byte is compared to 0xFF, the VMware signature. We can see that the value at var_428+2 (the base portion of the IDTR) is copied into var_420. Later in the code, var_420 is shifted right by 3 bytes (24 bits), which leaves the fifth byte of the IDTR in the low byte so it can be compared against 0xFF.

2. If you have the commercial version of IDA Pro, run the IDA Python
script from Listing 17-4 in Chapter 17 (provided here as findAntiVM.py).
What does it find?

Figure 2. Three anti-VM instructions found
  1. 00401121 – sldt
  2. 004011b5 – sidt
  3. 00401204 – str
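As an added illustration (not part of the original post, nor the book's findAntiVM.py), the following Python models both pieces discussed above: decoding the 6-byte IDTR image that sidt stores and applying the malware's 0xFF test, and a byte-level scan for the sidt/sldt/str encodings that reports addresses in the style of Figure 2. The IDTR values and code bytes are constructed samples, not taken from Lab17-01.exe.

```python
import struct

# Opcode encodings of the three instructions the lab flags (Intel SDM, all
# start with 0F): SLDT = 0F 00 /0, STR = 0F 00 /1, SIDT = 0F 01 /1, where /N
# is the "reg" field (bits 5..3) of the ModR/M byte that follows.
ANTI_VM_OPCODES = {(0x00, 0): "sldt", (0x00, 1): "str", (0x01, 1): "sidt"}


def parse_idtr(image):
    """Decode the 6-byte IDTR image that sidt writes: 16-bit limit, 32-bit base."""
    limit, base = struct.unpack("<HI", image[:6])
    return limit, base


def red_pill_check(image):
    """Replicate the malware's test: the byte at offset 5 (base >> 24) == 0xFF."""
    _, base = parse_idtr(image)
    return (base >> 24) == 0xFF


def find_anti_vm(code, image_base=0):
    """Rough opcode match (not a disassembler) returning (address, mnemonic).
    Bytes inside data or operands can give false positives; treat hits as leads."""
    hits = []
    for i in range(len(code) - 2):
        if code[i] != 0x0F:
            continue
        modrm = code[i + 2]
        key = (code[i + 1], (modrm >> 3) & 7)
        if key not in ANTI_VM_OPCODES:
            continue
        if key[0] == 0x01 and (modrm >> 6) == 3:
            continue  # 0F 01 with mod=11 encodes other instructions, not sidt
        hits.append((image_base + i, ANTI_VM_OPCODES[key]))
    return hits


# Constructed sample inputs (hypothetical values, not from Lab17-01.exe).
IDTR_VMWARE = bytes.fromhex("ff07 00c0 00ff")  # limit 0x07ff, base 0xff00c000
IDTR_NATIVE = bytes.fromhex("ff07 0020 0080")  # limit 0x07ff, base 0x80002000
CODE = bytes([
    0x0F, 0x00, 0x45, 0xFE,                    # sldt word ptr [ebp-2]
    0x90,                                      # nop
    0x0F, 0x01, 0x8D, 0xD8, 0xFB, 0xFF, 0xFF,  # sidt fword ptr [ebp-428h]
    0x0F, 0x00, 0x4D, 0xFC,                    # str  word ptr [ebp-4]
])

if __name__ == "__main__":
    print("VMware-like IDTR:", red_pill_check(IDTR_VMWARE))
    for addr, mnem in find_anti_vm(CODE, 0x401000):
        print(f"{addr:08x} - {mnem}")
```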

3. What happens when each anti-VM technique succeeds?

  1. 00401121 – sldt; the service is created, but the thread that calls openurl is not created and the program terminates.
  2. 004011b5 – sidt; subroutine 0x401000 is invoked and the program deletes itself.
  3. 00401204 – str; subroutine 0x401000 is invoked and the program deletes itself.

4. Which of these anti-VM techniques work against your virtual machine?

None…

5. Why does each anti-VM technique work or fail?

It depends on the host hardware and the version of VMware in use.

6. How could you disable these anti-VM techniques and get the malware
to run?

  1. NOP out the anti-VM instruction.
  2. Patch the conditional jump that follows the comparison.