
Hiding env./tools from malware a.k.a. fight fire with fire (but only inside VM)

November 25, 2012 in Malware Analysis

Seasoned malware analysts/reversers/crackers move along – you already know this stuff :-)

Analyzing malware is always challenging, as there are a few dozen if not hundreds of different ways to detect the virtual environment and the other tools used by reversers during dynamic or in-depth analysis. Most of these can be easily picked up by malware looking for process names, registry keys, or using one of the undocumented or semi-documented bugs/features of VMs (usually snippets of code that produce different results when executed on a real CPU vs. on a virtual CPU).

This short post describes a few ways to hide the VM (main focus on VMware) and the analysis tools, by hiding their files, processes, services and the registry keys/values associated with them.

Changing VM settings

It has been described quite well here.

Hiding Processes only

If you need to hide the process only, you can use HideToolz, available for download from Fyyre's web site.

When HideToolz is active, the processes marked for hiding are not visible in Task Manager and can't be found by the normal process enumeration functions.

This is what HideToolz sees (processes marked with an asterisk are hidden)


And this is what Task Manager can see (Process Explorer as well)

Hiding Files, Folders, Processes, Services, Registry entries

When it comes to hiding more stuff, one can use help from the good ol’ Hacker Defender rootkit by HolyFather.

The rootkit uses a configuration file that allows you to specify what you want hidden in the environment, and that includes:

  • files/folders
  • processes
  • services and their associated registry entries
  • registry keys/names/values

To set up Hacker Defender one needs to edit the default configuration file into something along these lines:

[Hidden Table]
hxd*
vmu*
vmt*
vmw*
tools*
procexp*
ollydbg*

[Root Processes]
hxd*
vmu*
vmt*
vmw*
tools*
procexp*
ollydbg*

[Hidden Services]
HackerDefender100
vmu*
vmt*
vmw*
procexp*

[Hidden RegKeys]
VMware, Inc.
Sysinternals

[Hidden RegValues]
vmu*
vmt*
vmw*

[Startup Run]

[Free Space]

[Hidden Ports]

[Settings]
Password=infected
BackdoorShell=cmd.exe
FileMappingName=_.-=[Hacker Defender]=-._
ServiceName=HackerDefender100
ServiceDisplayName=HXD Service 100
ServiceDescription=NT rootkit
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys

[Comments]

The new configuration file can be now loaded:

hxdef100.exe hide.ini

From now on the hidden folders, files, registry keys/names/values, processes and services will be visible only to the processes listed in the 'Root Processes' section.

Example: what Regedit sees before installing the rootkit:

and after its installation

What Task Manager sees before

and after rootkit installation


Obviously, the configuration I provided above is far from perfect. The VM-specific strings are all over the place inside the registry, so we need to do a bit more homework. It is also more than likely that your environment uses different paths and tools.
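To find out how much of the guest a hide.ini like the one above actually covers before running a sample, here is an added Python example (not from the post, and not part of Hacker Defender): it parses the ini sections and reports every name from a constructed artifact inventory that no pattern hides. The '*'/'?' glob semantics and case-insensitive matching are assumed to mirror hxdef's wildcard handling.

```python
import fnmatch

# Excerpt of the hide.ini shown above (same patterns, constructed here as a string).
HIDE_INI = """\
[Hidden Table]
hxd*
vmu*
vmt*
vmw*
tools*
procexp*
ollydbg*
[Hidden Services]
HackerDefender100
vmt*
vmw*
[Hidden RegKeys]
VMware, Inc.
Sysinternals
"""

def parse_hxdef_ini(text):
    """Map each [section] to its list of name patterns (key=value lines are kept verbatim)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def is_hidden(name, patterns):
    """Case-insensitive '*'/'?' glob match; assumed to mirror hxdef's wildcard semantics."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)

def find_leaks(sections, inventory):
    """Return (section, name) for every inventory item that no pattern in that section hides."""
    return [(sec, name) for sec, names in inventory.items()
            for name in names if not is_hidden(name, sections.get(sec, []))]

# Constructed inventory of VM/tool artifacts an analyst might collect from the guest.
GUEST_INVENTORY = {
    "Hidden Table": ["vmwaretray.exe", "VMwareUser.exe", "vmtoolsd.exe", "procexp.exe", "VBoxService.exe"],
    "Hidden Services": ["VMTools", "vmware-tools", "HackerDefender100", "VBoxGuest"],
    "Hidden RegKeys": ["VMware, Inc.", "Sysinternals", "Oracle VM VirtualBox Guest Additions"],
}
```

Running `find_leaks(parse_hxdef_ini(HIDE_INI), GUEST_INVENTORY)` lists the VirtualBox names, which the VMware-oriented patterns above do not cover.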

It would be ideal if VM product developers made it possible to completely hide the tools and the environment from the guest OS, e.g. by using simple randomization of names, window titles, process names etc., a simple technique used for years by many antirootkit tools, e.g. XUETR and GMER.

Top 100+ malicious types of 32-bit PE files

November 19, 2012 in Batch Analysis, Malware Analysis

Another round of stats – this time the top 100+ most ‘popular’ PE i386 file formats used by malware from over 1.2M samples.

Legend:

  • MZ PE i386 = PE 32 bit
  • DLL = DLL :)
  • Corrupted or Tricky = the parser failed for some reason (usually some PE file tricks)
  • APPDATA xxxxxxxx = appended data (overlay), followed by its first 1-4 bytes in hex
  • SIG = contains a directory entry pointing to a signature (often it's random garbage though, not stolen certificates)
  • DEB = contains debugging information
  • COM = COM library
  • .NET = .NET PE
  • and lots of names related to various installers

  (44.17%)    560067    MZ PE i386
  (6.59%)     83554    MZ PE i386 DLL
  (6.16%)     78149    MZ PE i386 Corrupted Tricky
  (4.84%)     61379    MZ PE i386 DEB
  (3.51%)     44529    MZ PE i386 APPDATA 00000000
  (2.99%)     37871    MZ PE i386 SIG
  (2.81%)     35644    MZ PE i386 Tricky
  (2.01%)     25462    MZ PE i386 DLL COM
  (1.30%)     16478    MZ PE i386 NullSoft 2.46-1 SIG
  (1.28%)     16253    MZ PE i386 DLL DEB
  (1.28%)     16220    MZ PE i386 .NET
  (1.04%)     13128    MZ PE i386 SYS
  (0.98%)     12459    MZ PE i386 Tricky SIG
  (0.92%)     11614    MZ PE i386 NullSoft Unknown
  (0.82%)     10393    MZ PE i386 InnoSetup
  (0.78%)      9831    MZ PE i386  AutoIt or AutoHotKey
  (0.77%)      9709    MZ PE i386 Corrupted Tricky DEB
  (0.65%)      8273    MZ PE i386 .NET APPDATA 00000000
  (0.65%)      8217    MZ PE i386 DEB SIG
  (0.64%)      8166    MZ PE i386 NullSoft 2.46
  (0.61%)      7757    MZ PE i386 DLL APPDATA 00000000
  (0.54%)      6881    MZ PE i386 .NET DEB
  (0.48%)      6131    MZ PE i386 Zip Sfx
  (0.48%)      6054    MZ PE i386 Tricky DEB
  (0.47%)      5938    MZ PE i386 Rar SFX
  (0.46%)      5891    MZ PE i386 NullSoft 2.45
  (0.46%)      5836    MZ PE i386 APPDATA B80E0000
  (0.44%)      5631    MZ PE i386 DLL Corrupted Tricky
  (0.42%)      5318    MZ PE i386 Appended MZ
  (0.42%)      5312    MZ PE i386 APPDATA 01000000
  (0.42%)      5279    MZ PE i386 InstallAware
  (0.41%)      5232    MZ PE i386 Tricky DEB SIG
  (0.40%)      5074    MZ PE i386 NullSoft 2.27
  (0.37%)      4733    MZ PE i386 Trymedia
  (0.36%)      4549    MZ PE i386 APPDATA 00000000 DEB
  (0.36%)      4546    MZ PE i386 APPDATA 3C706172
  (0.34%)      4336    MZ PE i386 SYS DEB
  (0.33%)      4161    MZ PE i386 APPDATA A5B79A82
  (0.29%)      3690    MZ PE i386 NullSoft 2.46 SIG
  (0.23%)      2973    MZ PE i386 Trymedia SIG
  (0.23%)      2925    MZ PE i386 APPDATA 88110000
  (0.23%)      2918    MZ PE i386 .file
  (0.22%)      2799    MZ PE i386 Rar SFX DEB
  (0.22%)      2728    MZ PE i386 APPDATA B00E0000
  (0.19%)      2440    MZ PE i386 .NET Tricky
  (0.19%)      2422    MZ PE i386 DLL Tricky
  (0.19%)      2405    MZ PE i386 APPDATA 31353835
  (0.18%)      2255    MZ PE i386 DLL COM APPDATA 00000000
  (0.18%)      2234    MZ PE i386 APPDATA 56566245
  (0.17%)      2206    MZ PE i386 NullSoft 2.46-5 SIG
  (0.16%)      2078    MZ PE i386 APPDATA 08080000
  (0.16%)      2036    MZ PE i386 DLL COM DEB
  (0.16%)      1990    MZ PE i386 .NET DLL DEB
  (0.14%)      1750    MZ PE i386 APPDATA 001F0023
  (0.14%)      1750    MZ PE i386 APPDATA 5B424547 SIG
  (0.13%)      1706    MZ PE i386 DLL SIG
  (0.13%)      1678    MZ PE i386 NullSoft 2.24
  (0.13%)      1633    MZ PE i386 NullSoft 2.44
  (0.13%)      1597    MZ PE i386 DLL APPDATA 928F8C89
  (0.13%)      1585    MZ PE i386 Wise
  (0.12%)      1582    MZ PE i386 DEB
  (0.12%)      1576    MZ PE i386 DLL APPDATA 861DC8F1
  (0.12%)      1545    MZ PE i386 APPDATA 73676567
  (0.12%)      1537    MZ PE i386 APPDATA 50415443
  (0.12%)      1517    MZ PE i386 APPDATA 5A425245
  (0.11%)      1458    MZ PE i386 APPDATA 60170000 DEB
  (0.11%)      1417    MZ PE i386 DLL Corrupted Tricky DEB
  (0.11%)      1374    MZ PE i386 APPDATA 68480000
  (0.11%)      1367    MZ PE i386 NullSoft 25-Apr-2011.cvs
  (0.11%)      1359    MZ PE i386 APPDATA 3C62696E
  (0.10%)      1288    MZ PE i386 APPDATA 88190000
  (0.10%)      1272    MZ PE i386 APPDATA 980E0000
  (0.10%)      1219    MZ PE i386 APPDATA 6BD6EB2C
  (0.10%)      1213    MZ PE i386 InnoSetup SIG
  (0.09%)      1176    MZ PE i386 InstallShield DEB
  (0.09%)      1174    MZ PE i386 APPDATA 680C0000
  (0.09%)      1159    MZ PE i386 CAB SFX (shifted)
  (0.09%)      1137    MZ PE i386 SYS DLL DEB
  (0.09%)      1122    MZ PE i386 APPDATA 90909090
  (0.09%)      1102    MZ PE i386 APPDATA 00A80000 DEB
  (0.09%)      1091    MZ PE i386 APPDATA 05000000
  (0.09%)      1087    MZ PE i386 .NET DLL
  (0.09%)      1082    MZ PE i386 APPDATA 22A72792
  (0.08%)      1048    MZ PE i386 .NET Corrupted Tricky
  (0.08%)      1043    MZ PE i386 APPDATA C26402DF
  (0.08%)       990    MZ PE i386 Rar SFX (shifted) DEB
  (0.07%)       947    MZ PE i386 APPDATA 3C232440
  (0.07%)       903    MZ PE i386 DLL COM Appended MZ
  (0.07%)       896    MZ PE i386 NullSoft 2.14
  (0.07%)       892    MZ PE i386 Rar SFX (shifted)
  (0.07%)       885    MZ PE i386 APPDATA 0D0A0D0A
  (0.07%)       880    MZ PE i386 SYS DLL
  (0.07%)       877    MZ PE i386 NullSoft 01-Jun-2011.cvs SIG
  (0.07%)       874    MZ PE i386 SmartInstallMaker v.5.02
  (0.06%)       808    MZ PE i386 DLL COM SIG
  (0.06%)       807    MZ PE i386 NullSoft 2.37
  (0.06%)       802    MZ PE i386 ADAEBOOK
  (0.06%)       789    MZ PE i386 APPDATA 78766D00
  (0.06%)       764    MZ PE i386 DLL COM
  (0.06%)       737    MZ PE i386 Install Creator
  (0.06%)       719    MZ PE i386 APPDATA 2A2A2A2A
  (0.06%)       715    MZ PE i386 WebCompiler
  (0.06%)       707    MZ PE i386 APPDATA 00
  (0.05%)       693    MZ PE i386 APPDATA 08001700
  (0.05%)       669    MZ PE i386 APPDATA 00000000 SIG
  (0.05%)       665    MZ PE i386 NullSoft 2.24 SIG
  (0.05%)       656    MZ PE i386 APPDATA 31353836
  (0.05%)       651    MZ PE i386 DLL APPDATA 45474645 DEB
  (0.05%)       628    MZ PE i386 DLL DEB SIG
  (0.05%)       622    MZ PE i386 APPDATA 43434343
  (0.05%)       617    MZ PE i386 APPDATA 34120000
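To show how tags like the ones in the table are derived from PE headers, here is an added Python example (not the post's own parser, whose exact rules and tag ordering are not published): it reads the COFF/optional headers and data directories of a PE32 file and emits the DLL, .NET, APPDATA, DEB and SIG tags; `build_sample` constructs a minimal, non-executable PE32 image as test input.

```python
import struct

# Data-directory indices and header flags from the PE/COFF spec.
DIR_SECURITY, DIR_DEBUG, DIR_CLR = 4, 6, 14
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_DLL, PE32_MAGIC = 0x14C, 0x2000, 0x10B

def classify(data):
    """Tag a PE32 file roughly the way the table above does, e.g. 'MZ PE i386 DLL APPDATA 00000000'."""
    try:
        e_lfanew, = struct.unpack_from("<I", data, 0x3C)
        if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return "Corrupted Tricky"                      # no usable MZ/PE signature: parser gives up
        coff = e_lfanew + 4
        machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
        opt = coff + 20
        if machine != IMAGE_FILE_MACHINE_I386 or struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
            return "MZ PE (not i386 PE32)"
        ndirs, = struct.unpack_from("<I", data, opt + 92)   # NumberOfRvaAndSizes (PE32 layout)
        def has_dir(i):                                     # nonzero VirtualAddress of directory i
            return i < ndirs and struct.unpack_from("<I", data, opt + 96 + 8 * i)[0] != 0
        tags = ["MZ PE i386"] + (["DLL"] if chars & IMAGE_FILE_DLL else [])
        if has_dir(DIR_CLR):
            tags.append(".NET")
        # Overlay ("APPDATA"): bytes beyond the end of the last section's raw data.
        end = 0
        for i in range(nsec):
            raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
        if end and end < len(data):
            tags.append("APPDATA " + data[end:end + 4].hex().upper())
        if has_dir(DIR_DEBUG):
            tags.append("DEB")
        if has_dir(DIR_SECURITY):
            tags.append("SIG")
        return " ".join(tags)
    except struct.error:                                    # header pointed outside the file
        return "Corrupted Tricky"

def build_sample(dll=False, overlay=b"", debug=False):
    """Construct a minimal, non-runnable PE32 image with one section (test input, not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224, 0x0102 | (IMAGE_FILE_DLL if dll else 0))
    dirs = [(0, 0)] * 16
    if debug:
        dirs[DIR_DEBUG] = (0x1000, 28)                      # fake debug directory entry
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * 90 + struct.pack("<I", 16) + b"".join(struct.pack("<II", *d) for d in dirs)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x100, 0x1000, 0x100, 0x200) + b"\0" * 16
    hdr = dos + b"PE\0\0" + coff + opt + sect
    return hdr + b"\0" * (0x200 - len(hdr)) + b"\xC3" * 0x100 + overlay
```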