Ok, we’re running out of little pill colors to match up with Matrix analogies. But simply put, the red pill and the subsequent blue pill work attempted to achieve the goal of detecting and abusing virtual machines.
Maybe chartreuse isn’t what we’re looking for, maybe it is, but worms we are currently monitoring in the wild are mixing up their own colorful pill recipes. The authors’ intent is to detect and evade research environments. These virtual or sandboxed environments are frequently the sort of environments that security researchers have been using to automate malware analysis. We are seeing prevalent worms target VirtualPC, VMWare, and now Anubis for detection and evasion (Anubis is connected with an Austrian security group, somewhat similar in purpose to the very effective ThreatExpert).
Here is an assembly code chunk we extracted from an ITW worm. This code is an attempt to detect Anubis:
sub esp, 104h
lea eax, [esp+0]
push offset aCInsidetm ; “C:\\InsideTm\\”
push eax ; str1
xor bl, bl ; status (bl) = 0
The disassembly matches up somewhat with some proposed Anubis-detecting c code fairly recently posted to an underground forum:
GetModuleFileName(NULL, ModulePath, MAX_PATH);
p = strstr(ModulePath, “InsideTm”);
if(p != NULL) return true;
From some of the code posted recently on the same underground forums, Sandboxie’s turn is coming up next.
The older VMWare detection used in the worm is a bit off color from the red pill itself. But it looks like a duplicate copy of what is showing up in the current valentine’s day Storm worm variants we are seeing. The code is being used and reused in current malware:
mov eax, ‘VMXh’ ; VMWare magic number
mov ebx, 0 ; default
mov ecx, 0Ah ; get vmware version command
mov edx, ‘VX’ ; port #
in eax, dx ; read port
cmp ebx, ‘VMXh’ ; check vmware reply
setz [ebp+bool_VMWare] ; set vmware status accordingly
jmp short @@check_vmware
Anyways, the good folks developing Anubis, and any researchers running automated sandbox technology on top of VirtualPC or VMWare should be aware that these functions are showing up today in prevalent password stealer dropping worms that we’ve seen rereleased multiple times each day for a couple weeks now.
If you attended VB2007 and checked out Sergei’s talk, you’d have seen that ThreatExpert already solves this sort of little pill problem with a goat on a leash.