Questions swirl around virtual-machine rootkit detection

[taslayer]

At Black Hat, researcher presents new findings on rootkits, Vista security

blackhat = defcon
where i recently was


LAS VEGAS--Can rootkit malware that hides by mimicking a software-based virtual machine ever be detected? That was the topic of debate as security researchers presented their latest findings to packed audiences at the Black Hat Conference here.
Joanna Rutkowska, researcher at the firm Invisible Things, was the one who famously ignited the keen interest in virtualized rootkits after she described and demonstrated her rootkit creation, called Blue Pill, at last year’s Black Hat.
Read the latest WhitePaper - Research Brief: How Websense Users Protect Data

Wednesday, Rutkowska returned to Black Hat to acknowledge that researcher Edgar Barbosa has come the closest to devising a method for detecting Blue Pill. “Congratulations to Edgar,” she said, during the highly technical presentation she made with her colleague, researcher Alexander Tereshkin. Rutkowska said she and her colleague hadn't found a way yet to evade Barbosa’s so-called counterbased detection method as detailed in a paper he made public in July at the SyScan conference.

Rutkowska also said she is posting the Blue Pill code publicly for download at the Blue Pill Project Web site. “You can freely upload Blue Pill right now,” she said. Blue Pill has been developed in a number of variants since last year, including one based on nested hypervisors, where stealth, virtual-machine malware is nested inside other stealth, virtual-machine malware.

On a separate topic, she faulted Microsoft’s code-signing security that requires a Microsoft-approved signed certificate for kernel-mode protection. Rutkowska last year had shown a way to break that security, which would let an attacker load malware on 64-bit Vista, but Microsoft fixed that problem a few months ago by changing an API. However, she asserted on Wednesday that she and Tereshkin had uncovered another route around Vista kernel protection: Faulty third-party drivers, which although digitally signed, are simply vulnerable.

She also noted that it was all too simple to obtain a Microsoft-approved code-signing certificate through a largely automated process that cost $250 for a certificate. Microsoft was not immediately available to comment on Rutkowska’s findings.

At an earlier session at Black Hat titled “Don’t Tell Joanna, the Virtualized Rootkit is Dead,” researchers Thomas Ptacek from Matasano Security, Nate Lawson from Root Labs, and Peter Ferrie from Symantec, labored to describe how they are on the path to detecting virtual-machine malware through three technical approaches. They described these technical approaches as side-channel attack, vantage-point attack and performance event counters.

In the end, however, Ptacek said the research was focused on detecting the presence of virtualization malware called Vitriol, created by researcher Dino Dai Zovi, for VMware. That’s because Vitriol is one of only a few known examples of virtualization malware, and Rutkowska had declined to supply any Blue Pill code before the conference.

The three researchers indicated they intend to release their published findings, as well as a software framework they call Samsara for detecting virtualization malware, within a few days.

well..

[taslayer]

they are not too smart ;)

anti sandboxie (google sandboxie)

Code:

#include <windows.h>
#include <string>
#include <iostream>
#include <TlHelp32.h>
#include <Psapi.h>

using namespace std;

string StripFilePath(string ImageFile);

string StripFilePath(string ImageFile)
{
   string::size_type iPos = ImageFile.find_last_of("\\");
   string StrippedFileName = ImageFile.substr(iPos+1, ImageFile.length());
   return StrippedFileName;
}

int main()
{
   string targetDLL = "SbieDll.dll"; /* The injected SandBoxie DLL.*/

   HANDLE hProcess = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

   PROCESSENTRY32 pEntry32 = {0};
   MODULEENTRY32  mEntry32 = {0};

    if (hProcess == INVALID_HANDLE_VALUE)
      return 0;

    pEntry32.dwSize = sizeof(PROCESSENTRY32);

   char szModuleFile[MAX_PATH] = {0}; GetModuleFileName(GetModuleHandle(NULL),
      szModuleFile, MAX_PATH-1);

   string StrippedPath = szModuleFile; StrippedPath = StripFilePath(StrippedPath);

   if (Process32First(hProcess, &pEntry32))
   {   
      while (Process32Next(hProcess, &pEntry32))
      {
         if (!strcmp(pEntry32.szExeFile, StrippedPath.c_str())) 
         {
            HANDLE hModule = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,
               pEntry32.th32ProcessID);
            
            if (hModule == INVALID_HANDLE_VALUE) { continue; }

            mEntry32.dwSize = sizeof(MODULEENTRY32);
         
            if(Module32First(hModule, &mEntry32))
            {
               while (Module32Next(hModule, &mEntry32))
               {
                  if (!strcmp(mEntry32.szModule, targetDLL.c_str())) {
                     MessageBox(NULL, "Warning!", "Sandboxie Found.", MB_OK);
                     return 0;
                  }
               }
            }
         }
      }
   }
   MessageBox(NULL, "Woohoo!", "Not running under SandBoxie.", MB_OK);
   return 0;

}

anti anubis
Defeating Anubis File Analyzer
Anubis: http://analysis.seclab.tuwien.ac.at/

Code:

bool IsAnubisPresent(void)
{
   bool bPresent = false;
   char szFilePath[MAX_PATH];

   GetModuleFileName(GetModuleHandle(NULL), szFilePath, sizeof(szFilePath) - 1);

   if (strstr(szFilePath, "InsideTm"))
      bPresent = true;

   return (bPresent);
}

AntiNormanSandbox

Code:

void AntiNormanSandbox()
     {
        char         Username[64];
        unsigned long         UsernameSize = sizeof(Username);

        GetUserName(Username, &UsernameSize);
        if(lstrcmp(Username, "CurrentUser") == 0) ExitProcess(0);
     }

and yes this is all used from viruses worms etc.