How public tools are used by malware developers, the antivm tale

October 4, 2013  |  Alberto Ortega

Malware authors are aware of new technologies and research made by the security community. This is palpable when they implement new vulnerability exploitation on their tools or even reuse source code that belongs to public projects.

We have discussed antivm and antisandbox analysis tricks seen in malware samples several times.

Not long ago we came across a malware sample that had an interesting way to detect if it was being executed in a virtual environment / sandbox.

You have probably heard about pafish, a tool that is meant as a proof of concept on this topic. Sadly, it is only a matter of time before malware developers use that code to implement these techniques in new developments.

Our malware sample had a weird behavior when it was executed in a sandbox or virtual environment. Somehow, it was detecting that the environment was hostile to it; let's see how.

It has four different executables embedded in it. One is a copy of pafish, another one a copy of ScoopyNG, and the other two are malicious payloads. At run time it drops and executes the first two and tries to detect whether it is running under a virtual machine or sandbox. If neither of them detects anything, it drops the malicious payload and continues execution.
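As an added example, not code from the original post nor from pafish or ScoopyNG, here is a Python triage script for the situation described above: it carves the PE images embedded in a dropper by validating each MZ/PE header pair and labels the carved images that carry the name string of a known public tool. The PE images it scans are constructed in-line for the demo, and the tool-name markers are an assumption (real copies would be identified by hashes or fuller string sets).

```python
from __future__ import annotations
import struct

# Constructed mini PE images for the demo (not real binaries): a DOS header
# whose e_lfanew points at a "PE\0\0" signature, followed by a marker string.
def make_fake_pe(marker: bytes) -> bytes:
    dos = bytearray(b"MZ" + b"\x00" * 58)
    dos += struct.pack("<I", 0x40)          # e_lfanew -> NT headers at offset 0x40
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01" + marker + b"\x00" * 16

def is_pe_at(data: bytes, off: int) -> bool:
    """True if a plausible PE image starts at data[off]: MZ, sane e_lfanew, PE\\0\\0."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    # e_lfanew must land inside the file; absurd values are just "MZ" noise
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or off + e_lfanew + 4 > len(data):
        return False
    return data[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0"

def find_embedded_pe(data: bytes, skip_outer: bool = True) -> list[int]:
    """Return offsets of every valid PE header, optionally ignoring the outer file at 0."""
    hits, pos = [], 0
    while (pos := data.find(b"MZ", pos)) != -1:
        if is_pe_at(data, pos) and not (skip_outer and pos == 0):
            hits.append(pos)
        pos += 2
    return hits

# Assumed marker strings for the two public tools the sample reused.
KNOWN_TOOLS = (b"pafish", b"ScoopyNG")

def label_embedded(data: bytes) -> dict[int, str]:
    """Map each embedded PE offset to a known tool name found in its bytes, else 'unknown'.
    Each image is assumed to extend up to the next embedded header (a heuristic;
    a full parser would take the size from the section table)."""
    offs = find_embedded_pe(data)
    out = {}
    for start, end in zip(offs, offs[1:] + [len(data)]):
        chunk = data[start:end]
        out[start] = next((t.decode() for t in KNOWN_TOOLS if t in chunk), "unknown")
    return out

if __name__ == "__main__":
    # Constructed dropper: outer image + three embedded images, like the sample's layout.
    sample = (make_fake_pe(b"outer dropper") + b"\x00" * 32
              + make_fake_pe(b"pafish v0.x") + make_fake_pe(b"ScoopyNG")
              + make_fake_pe(b"payload"))
    print(label_embedded(sample))   # {131: 'pafish', 228: 'ScoopyNG', 322: 'unknown'}
```

Images labelled "unknown" are the ones worth detonating separately: in the sample above those are the payloads that only run after the two detection tools report a clean host.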

We can see it in the malwr.com analysis: https://malwr.com/analysis/YzIwNjE5NWU4Yzk3NDlkYmJiNDY4MmU5M2JmMmFjOTk. As you can see, the sandbox has been detected by pafish and the malware has started to create junk files in an infinite loop.

Once we have located the routine, patching that jnz loc_4019B0 to disable the detection is an easy task.

After patching, the behavior in malwr.com is completely different. It drops more files and tries to resolve four different domains, and after that the box is rebooted. To be sure about what happens next, we can run it in our own malware analysis machine.

After the box is rebooted, this is what we find.

So we have a fake AV in the house! The malicious payloads are a dropper that installs a Braviax variant.

In this case, those public tools have helped us disable the detections. Releasing them to the public is very positive for training researchers on these topics. Sadly, sometimes you find this double-edged sword being used in the wild.
