SpannerITWks Premium join:2005-04-22
Chinese Trojan looks for VMware B4 DL'ing
From the www -
Chinese VM Detection, With a Splash of Adware
Here's a nice find - a file that searches for a Virtual PC by means of a Registry check. If the Virtual Machine is detected, the install comes to a halt. If you're on a real computer, however, you'll find numerous files downloaded and installed onto your PC. Along with the usual Trojans, there's something called CPush:
etc -
»blog.spywareguide.com/2007/04/ch···_sp.html
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks

antdude A Ninja Ant Premium,VIP join:2001-03-25
Heh, authors are getting smart.
Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
edit: April 15th, @10:05PM
reply to SpannerITWks
Not surprising. Some of the VXers are approaching the level of skill of software engineers, making it much more difficult for AV/ASW/AT companies to keep up.
Long gone are the days when most malware was written by script kiddies with no coding skills whatsoever. -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
rotty97 join:2005-06-30 Australia
Uh, script kiddies, I thought, USE code, whether it is good code or not. I didn't think they wrote any of the tools they use.
dannyboy 950 Premium join:2002-12-30 Port Arthur, TX
The problem is that script kiddies, like any other child, grow up. The skiddies of yesterday ARE the master programmers of today. I have no doubt that nearly every Mod or senior level advisor in this forum, at one time, was a script kiddie. Being a script kiddie in itself is not bad. It is what they do with that knowledge that makes the difference. Most skiddies grow up and become professionals and useful members of society.
Psicop More human than human Premium join:2005-12-21
reply to Doctor Four
And how do you know some of those "software engineers" haven't turned into the dark side? $$ (e.g. HackerDefender), career change, etc.
novaflare The Dragon Was Here Premium join:2002-01-24 Barberton, OH
reply to antdude
said by antdude: Heh, authors are getting smart.
I was thinking the same thing. Cute trick; bet there's an equally cute trick to make it so it can't see that key.
Or here's a thought: add the key to the regular Windows registry to make the trojan think that the real machine is a VMware one.
Don't know if it would work or is even possible. Simply put, I've not fooled with VMware enough to know.
Be pretty damn funny though if it is possible and works. Kind of like running Sambar server and having all the dirs that Nimda or Code Red looked for and watching the worm run around in circles, hehe.
One time I created the dirs those nasties watched for, then created txt files that matched the sizes of files the worms wanted and named them to match. Had those worms running in circles; was fun. -- Evil does exist and it has a face; too often that face is one that should look on their child with love in their eyes.
Instead only hate exists in those eyes.
psloss Premium,MVM join:2002-02-24 Alpharetta, GA
reply to SpannerITWks
This tactic also has its limitations. When malware goes into detection mode, the roles are reversed -- now they are on defense, and we can pretend we're trying to reverse engineer their program ("I'm a debugger", "I'm a VM"). Now they won't infect that box.
Not good for a researcher but a nice trick that users could employ. -- Feedback? e-mail: stuff@lupwa.org
coldmoon Premium join:2002-02-04 Broadway, NC
reply to SpannerITWks
This isn't new really, as spyware developers have been trying this type of thing since at least 2005 or earlier. This caused the development of a native machine testing procedure in the lab I worked in.
It was rare, but it was only a matter of time before the other malicious developers started using it...
novaflare The Dragon Was Here Premium join:2002-01-24 Barberton, OH
said by coldmoon: This isn't new really, as spyware developers have been trying this type of thing since at least 2005 or earlier. This caused the development of a native machine testing procedure in the lab I worked in. It was rare, but it was only a matter of time before the other malicious developers started using it...
Hmm, maybe you can answer my question: has adding the registry key that this trojan or other nasties look(ed) for been tried? If so, what happens? -- Evil does exist and it has a face; too often that face is one that should look on their child with love in their eyes.
Instead only hate exists in those eyes.
Bane75 join:2002-09-20 Poway, CA
reply to SpannerITWks
The technique that this malware uses to detect a VM is very unsophisticated by today's standards. To answer the question, yes, it is very possible to fool this type of VM detection by changing the registry entry. Much more complex and reliable methods for detecting VMs are already in use by malware. For example, some look for specific data in the virtual BIOS of VMware or for specific memory traces. Ed Skoudis has a good white paper on malware with VM detection and how to fool the detection. I won't post a link as it is easily found via Google.
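Worked example for the question novaflare asks above (does planting the key fool the trojan?) and Bane75's answer (it fools a registry check but not a BIOS check). This is added here and is not code from the thread, from the malware it discusses, or from the Skoudis paper. It is a PowerShell script that lists the VMware registry artifacts a registry-only check typically tests, can plant a decoy key so such a check believes a physical host is a VMware guest, and then reads the SMBIOS data through WMI to show what a firmware-based check still sees. The thread does not say which key the trojan reads, so every path, value name and the InstallPath decoy value below are assumptions drawn from what VMware Tools and VMware virtual hardware normally leave behind; the script name in the usage note is likewise made up.

```powershell
<#
  Added example, not code from the thread or the malware it discusses.
  Lists the registry artifacts a registry-only VM check typically tests,
  optionally plants a decoy so such a check believes a physical host is a
  VMware guest, and then reads SMBIOS data through WMI to show what a
  firmware-based check still sees. Which key the trojan in the post reads
  is not stated; every path and value below is an assumption based on what
  VMware Tools and VMware virtual hardware normally leave in the registry.
  Writing to HKLM needs an elevated prompt; use -WhatIf to preview.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$PlantDecoy
)

$ToolsKey = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools'   # created by the VMware Tools installer

# Registry locations a naive check tests. Name = $null means the key's mere
# existence is the signal; otherwise the named value is matched against Pattern.
$Indicators = @(
    @{ Path = $ToolsKey; Name = $null; Pattern = $null }
    @{ Path = 'HKLM:\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0'
       Name = 'Identifier'; Pattern = 'VMware' }
    @{ Path = 'HKLM:\HARDWARE\DESCRIPTION\System'; Name = 'VideoBiosVersion'; Pattern = 'VMware' }
)

function Test-RegistryIndicator {
    param([hashtable]$Indicator)
    if (-not (Test-Path -LiteralPath $Indicator.Path)) { return $false }
    if (-not $Indicator.Name) { return $true }
    $item = Get-ItemProperty -LiteralPath $Indicator.Path -ErrorAction SilentlyContinue
    $prop = if ($item) { $item.PSObject.Properties[$Indicator.Name] } else { $null }
    if ($null -eq $prop) { return $false }
    # REG_MULTI_SZ values come back as string arrays, so join before matching.
    return [bool](($prop.Value -join ' ') -match $Indicator.Pattern)
}

function Get-FirmwareVendor {
    # What a check that reads SMBIOS (directly or via WMI) sees. A decoy
    # registry key changes none of this, which is Bane75's point.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        BiosManufacturer   = $bios.Manufacturer
        BiosVersion        = $bios.SMBIOSBIOSVersion
        SystemManufacturer = $cs.Manufacturer
        SystemModel        = $cs.Model
        LooksLikeVMware    = [bool]("$($bios.Manufacturer) $($cs.Manufacturer) $($cs.Model)" -match 'VMware')
    }
}

function New-VMwareDecoyKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $ToolsKey)
    if ($PSCmdlet.ShouldProcess($Path, 'Create decoy VMware Tools key')) {
        New-Item -Path $Path -Force | Out-Null
        # Plausible filler (assumed value); a check that only tests key existence never reads it.
        New-ItemProperty -Path $Path -Name 'InstallPath' -PropertyType String -Force `
            -Value 'C:\Program Files\VMware\VMware Tools\' | Out-Null
    }
}

Write-Host 'Registry indicators:'
foreach ($i in $Indicators) {
    $mark = if (Test-RegistryIndicator -Indicator $i) { 'X' } else { ' ' }
    $what = if ($i.Name) { "$($i.Path) -> $($i.Name)" } else { $i.Path }
    Write-Host "  [$mark] $what"
}

if ($PlantDecoy) {
    New-VMwareDecoyKey
    Write-Host 'Re-checking the Tools key after planting the decoy:'
    $mark = if (Test-RegistryIndicator -Indicator $Indicators[0]) { 'X' } else { ' ' }
    Write-Host "  [$mark] $ToolsKey"
}

Write-Host 'Firmware (SMBIOS via WMI), unaffected by the registry:'
Get-FirmwareVendor | Format-List
```

Run it from an elevated prompt. Saved as, say, `Find-VMwareArtifacts.ps1` (a name chosen for this example), `.\Find-VMwareArtifacts.ps1 -PlantDecoy -WhatIf` shows what would be written without touching HKLM, and `Remove-Item -LiteralPath 'HKLM:\SOFTWARE\VMware, Inc.' -Recurse` removes the decoy afterwards. On a physical host the first block will flip to an X after the decoy is planted while the SMBIOS block still reports the real vendor; that gap is exactly why the BIOS-based checks Bane75 mentions are harder to fool than a registry lookup.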