Recently we have noticed a new variant of backdoor malware spreading in UK networks using interesting anti-virtual machine tricks.
Today’s malware uses anti-emulation and anti-debugging tricks on a daily basis to prevent malware researchers from debugging or emulating a particular sample. The vast majority of malware files still consist of simple anti-emulation tricks like calling less frequently used APIs or simple virtual machine detections. These tricks can be usually bypassed very quickly by skipping them or adjusting the result of the anti-debugging function. It is this file which consists of both anti-emulation tricks and several virtual machine detections which are periodically tested during file’s code execution.
The malicious code itself is protected by double packer layers. The top one is some custom cryptor which executes several anti emulation tricks such as calling rare API functions and decrypting the MPress packed executable to its own memory. After unpacking this inner MPress packer, we finally get the malicious code.
The first virtual machine detection consists of checking loaded modules names. Loaded module names are encrypted by their own hash function and then compared to a blacklist. We can see on the screenshot below where VMware drivers are being checked.
The other routine, on the other hand, verifies running processes. In our case it checks if there are processes belonging to VMware Tools running:
Again, hash represents the encrypted name of blacklisted process (VMwaretray.exe, VMwareuser.exe). Beside these, it also checks for another security tools from different vendors.
As these methods could be considered common, another one is quite interesting. Received values (SectorsPerCluster, BytesPerSector and TotalNumberOfClusters) from the “GetDiskFreeSpace” API call are used to calculate the size of the disk in gigabytes. This calculated disk size is then compared with the constant value 0xC which means 12GB. Execution of the sample is terminated if your drive is smaller than 12GB. This will usually fool most of virtual machines because they have been assigned only small virtual disks.
The malware itself makes some nasty changes in the system when executed in non-virtual environment (or when all tricks are bybassed). The file is set in registry key to run after computer startup:
ValueName: <Unique CLSID>
DataType: Path to file (random file and folder in “%AppData%”)
This unique CLSID is also used to create several encrypted events and mutexes together with the following strings:
EVT_COOKIES_GET, EVT_COOKIES_CLEAR, EVT_COOKIES_GET_CLEAR, EVT_SOLS_GET, EVT_SOLS_CLEAR, EVT_SOLS_GET_CLEAR, EVT_START, EVT_SHUTDOWN, EVT_SHUTDOWN_OK, EVT_UNINSTALL, EVT_TERMPLUGINER, EVT_AVI, EVT_VNC, EVT_BACK
MTX_MASTER, MTX_PLUGINER, MTX_VNC, MTX_INITVNC
These events and mutexes are encrypted before their creation in system:
Malware then gathers information about the computer and environment including browser version, installed updates, installed software etc and tries to send this information using port 443 to following websites: wprotections.cc, iprotections.su, iguards.cc
To prevent being discovered, the malware hooks the IATs of loaded modules of running processes so that it becomes impossible to delete or even see the registry entry in RUN key or “%AppData%”. The two main function pointers rewritten are:
Ntdll.dll!NtEnumerateValueKey (prevents to being visible in registry)
Ntdll.dll!NtQueryDirectoryFile (prevents to being listed by any file explorer)
This malware is detected by AVG as Trojan horse Agent.7.BI variant and the analyzed sample md5 hash is 817AC383007C2D900FF00B8478BA4ED2.
Michal Cebak & Tomas Prochazka