Sunday, September 2, 2012

Modifying VirtualBox settings for malware analysis part 2

I did some more research and noted that my previous post lacked some information/fixes.
If you apply the previously mentioned setting you will still be able to detected the guest, for example by using the Metasploit script checkvm.. but this can be fixed.

1) Start off with applying the previous setting for the virtualbox guest.

2) Then login to the guest and delete registry keys that is called something
like "VBOX".

On one of my guests I found the following. But you milage may vary depending on if you
added the virtualbox setting before booting the guest for the first time or not

I had VBOX related reg keys in the following locations:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\IDE\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\IDE\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\

There are a few keys that will be reset on reboot.

Reboot the guest and search once again in the registry to identify them.

 If you are using cuckoo this will not be a problem as you don't restart the guest between tests. However if you do manually test you could add a script that performes the changes at boot.

The batch script below is based in information bluntly stolen from:
https://itsultra.wordpress.com/2011/12/07/how-to-play-maplestory-using-virtualbox-4-1-x/

I have added some more keys that the original script did not cover

Note: replace the string "WOOT" and "VGA BIOS v1.54" with a string of your choice.

-- start of script ---

@reg copy HKLM\HARDWARE\ACPI\DSDT\VBOX__ HKLM\HARDWARE\ACPI\DSDT\WOOT__ /s /f
@reg delete HKLM\HARDWARE\ACPI\DSDT\VBOX__ /f
@reg copy HKLM\HARDWARE\ACPI\RSDT\VBOX__  HKLM\HARDWARE\ACPI\RSDT\WOOT__ /s /f
@reg delete HKLM\HARDWARE\ACPI\RSDT\VBOX__ /f
@reg copy HKLM\HARDWARE\ACPI\FADT\VBOX__ HKLM\HARDWARE\ACPI\FADT\WOOT__ /s /f
@reg delete HKLM\HARDWARE\ACPI\FADT\VBOX__ /f

@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\VBOXBIOS
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\WOOTBIOS /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\VBOXBIOS /f
@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\WOOT__\VBOXFACP
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\WOOT__\WOOTFACP /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\WOOT__\VBOXFACP /f
@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\WOOT__\VBOXRSDT
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\WOOT__\WOOTRSDT /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\WOOT__\VBOXRSDT /f

@reg add HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v
SystemBiosVersion /t REG_MULTI_SZ /d "WOOT -1" /f
@reg add HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v
VideoBiosVersion /t REG_MULTI_SZ /d "VGA BIOS v1.54" /f

--- end of script ---

There are of course other ways to identify a Virtualbox instance (or a Cuckoo sandbox in VBox or KVM). Some can be fixed other may not be so easily solved. I will update this post with some more fixed soon.


/Micke @nsmfoo

No comments:

Post a Comment

Post a Comment