Malware refuses to run properly on VMWare [Archive]

View Full Version : Malware refuses to run properly on VMWare

Cthulhu

January 19th, 2009, 14:02

Hello folks!
I'm playing around with this trojan and I think it detects VMware somehow and refuses to run properly then.

I found the function where it should detect VMWare at 0x00414264

Code:



00414264    $  55                PUSH EBP

00414265    .  8BEC              MOV EBP,ESP

00414267    .  51                PUSH ECX

00414268    .  53                PUSH EBX                                                   ;  dxdiag32.00414E38

00414269    .  56                PUSH ESI

0041426A    .  57                PUSH EDI                                                   ;  ntdll.7C910738

0041426B    .  33C0              XOR EAX,EAX

0041426D    .  8945 FC           MOV DWORD PTR SS:[EBP-4],EAX

00414270    .  33C0              XOR EAX,EAX

00414272    .  55                PUSH EBP

00414273    .  68 AC424100       PUSH dxdiag32.004142AC

00414278    .  64:FF30           PUSH DWORD PTR FS:[EAX]

0041427B    .  64:8920           MOV DWORD PTR FS:[EAX],ESP

0041427E    .  B8 68584D56       MOV EAX,564D5868

00414283    .  BB 00000000       MOV EBX,0

00414288    .  B9 0A000000       MOV ECX,0A

0041428D    .  BA 58560000       MOV EDX,5658

00414292    .  ED                IN EAX,DX                                                  ;  I/O command

00414293    .  81FB 68584D56     CMP EBX,564D5868

00414299    .  75 07             JNZ SHORT dxdiag32.004142A2

0041429B    .  C745 FC 01000000  MOV DWORD PTR SS:[EBP-4],1

004142A2    >  33C0              XOR EAX,EAX

004142A4    .  5A                POP EDX                                                    ;  dxdiag32.00403C33

004142A5    .  59                POP ECX                                                    ;  dxdiag32.00403C33

004142A6    .  59                POP ECX                                                    ;  dxdiag32.00403C33

004142A7    .  64:8910           MOV DWORD PTR FS:[EAX],EDX

004142AA    .  EB 0F             JMP SHORT dxdiag32.004142BB

004142AC    .^ E9 B3F4FEFF       JMP dxdiag32.00403764

004142B1    .  33C0              XOR EAX,EAX

004142B3    .  8945 FC           MOV DWORD PTR SS:[EBP-4],EAX

004142B6    .  E8 89F6FEFF       CALL dxdiag32.00403944

004142BB    >  8B45 FC           MOV EAX,DWORD PTR SS:[EBP-4]

004142BE    .  5F                POP EDI                                                    ;  dxdiag32.00403C33

004142BF    .  5E                POP ESI                                                    ;  dxdiag32.00403C33

004142C0    .  5B                POP EBX                                                    ;  dxdiag32.00403C33

004142C1    .  59                POP ECX                                                    ;  dxdiag32.00403C33

004142C2    .  5D                POP EBP                                                    ;  dxdiag32.00403C33

004142C3    .  C3                RETN

But somehow it detects VMWare before reaching this function.
I'm a bit stuck at this point.

I'll post the trojan here in case someone wants to take a look at it.

http://rapidshare.com/files/186153602/dxdiag32_unp.rar.html
PWD: malware

My best regards

Kayaker

January 19th, 2009, 14:52

Hi Cthulhu

Might it have been using one of the other known tricks as well, say from ScoopyNG source?

http://www.trapkit.de/research/vmm/scoopyng/index.html

ZaiRoN

January 19th, 2009, 15:17

Check out this part

MOV EAX,564D5868
MOV EBX,0
MOV ECX,0A
MOV EDX,5658
IN EAX,DX
CMP EBX,564D5868

ZaiRoN

January 19th, 2009, 17:23

I post the above code because I was not sure if you understand the trick or not.
Anyway, a quick glance at the trojan reveals some checks, but seems like not all are strictly related with a specific vmware check. Can you tell us some more things about your investigations? What kind of checks did you find?

Kayaker

January 19th, 2009, 21:59

Heh, it seems the author put a backdoor in so he could test it in vmware. Immediately after the VM check above (if a vm is detected), there is another check to see if the filename C:/vRun exists. If so, then the 'badboy' vm check is ignored and it goes ahead with the infection anyway.

Copies itself (CopyFile) to
C:\WINDOWS\system32\DirectX\Dinput\Driver\1 and \2

I didn't let it infect completely, so I may have missed another vm check, but the one you found is the only one I see up to the CopyFile point. At least, it seems to be infecting fine if that one vm check is bypassed.

vvw

January 20th, 2009, 02:28

This looks like a function to determine whether you are in VMWare. There is only one stack local here, [ebp-4] which is a BOOL that can either be TRUE or FALSE

Below is a commented version of the check

Code:



0041427E    .  B8 68584D56       MOV EAX,564D5868   ;magic number (VMXh)

00414283    .  BB 00000000       MOV EBX,0          ;command parameter

00414288    .  B9 0A000000       MOV ECX,0A         ;command number

0041428D    .  BA 58560000       MOV EDX,5658       ;VMWare I/O port

00414292    .  ED                IN EAX,DX          ;communicate with backdoor                                   ;  I/O command

00414293    .  81FB 68584D56     CMP EBX,564D5868

Command number 0x0a is a 'get VMware version' command. If you are running in VMWARE, the magic number will be returned in ebx, hence the comparison that follows. If the check fails, the immediate 1 never gets put in [ebp-4] and so the function will return 0 or FALSE

You can patch the instruction at 00414299 and change the jnz (opcode byte 75) to a jz (opcode byte 74) to get around this particular check

Cthulhu

January 20th, 2009, 06:18

Thanks for the replies.
I always look for VMWare checks searching for the known constant 564D5868. That's how I found the code.
I got confused by the fact that the function was never called on my tests.
I'll investigate it deeper.