Dailydave mailing list archives

Re: VPC


From: "Kurt Baumgartner" <kbaumgartner () pctools com>
Date: Fri, 22 Feb 2008 09:44:22 -0700

Hint: there are better ones than CWSandbox,
- Joebox
- Anubis (qemu -> easy to detect)

ThreatExpert too:
www.threatexpert.com

Evasion techniques are implemented in active malcode for all of them.
The most common techniques target vmware, emulator weaknesses, or
directories and components of the frameworks themselves. 

Oh look, here's another one:
"Here is an assembly code chunk we extracted from an ITW worm. This code
is an attempt to detect Anubis:
sub esp, 104h            ; 104h = MAX_PATH (260) bytes of stack for the path buffer
lea eax, [esp+0]         ; eax = pointer to that buffer
push ebx
push offset aCInsidetm   ; "C:\\InsideTm\\" (str2: the directory Anubis runs samples from)
push eax                 ; str1 (the path being searched)
xor bl, bl               ; status (bl) = 0
call ds:strstr           ; non-NULL return => running under Anubis

The disassembly matches up somewhat with some proposed Anubis-detecting
C code fairly recently posted to an underground forum:
char ModulePath[MAX_PATH];
char *p;
GetModuleFileName(NULL, ModulePath, MAX_PATH);  /* full path of the running executable */
p = strstr(ModulePath, "InsideTm");             /* Anubis runs samples from C:\InsideTm\ */
if(p != NULL) return true;"
http://blog.threatfire.com/2008/01/chartreuse-pill.html


kurt
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
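The Anubis path check discussed in the message above, as an added example that is not code from Kurt's message or from the ThreatFire post. The check is written over an arbitrary path so it can be run off-line on any platform (a Windows-only wrapper fetches the real path with GetModuleFileName, as the quoted snippet does), and a second function counts the marker string in a raw file image, which is how this evasion surfaces in static triage. The sample paths and the file image are constructed for the example; the case-insensitive variant of the check is an addition for comparison, not something the worm does.

```c
/* Added example (not code from the message or the ThreatFire post).
 * Side 1: the Anubis path check from the disassembly above, written over an
 *         arbitrary module path so it can be exercised off-line; the Windows
 *         wrapper fetches the real path with GetModuleFileName the way the
 *         quoted C snippet does.
 * Side 2: the analyst's view, a binary-safe scan that counts the marker
 *         string in a file image, which is how this evasion shows up in
 *         static triage. The file image below is constructed for the example.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* The only marker the post documents: Anubis runs samples from C:\InsideTm\ */
static const char ANUBIS_MARKER[] = "InsideTm";

/* Case-insensitive substring test. The worm uses plain strstr(), which is
 * case-sensitive, so a sandbox launching samples from c:\insidetm\ would
 * already defeat the check as the worm wrote it. */
static int ci_contains(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Side 1. exact=1 reproduces the worm's case-sensitive strstr() check;
 * exact=0 is the hardened variant (an addition, for comparison). */
int anubis_path_check(const char *module_path, int exact)
{
    if (exact)
        return strstr(module_path, ANUBIS_MARKER) != NULL;
    return ci_contains(module_path, ANUBIS_MARKER);
}

#ifdef _WIN32
/* Same check against the running executable's own path, as in the C snippet
 * quoted in the message. Only compiled on Windows. */
int running_under_anubis(void)
{
    char module_path[MAX_PATH];
    if (GetModuleFileNameA(NULL, module_path, MAX_PATH) == 0)
        return 0;
    return anubis_path_check(module_path, 1);
}
#endif

/* Side 2. Count occurrences of marker in a raw file image. memcmp rather than
 * strstr, so embedded NUL bytes in the image do not stop the scan. */
size_t count_marker(const unsigned char *image, size_t len, const char *marker)
{
    size_t m = strlen(marker), hits = 0;
    if (m == 0 || len < m)
        return 0;
    for (size_t i = 0; i + m <= len; i++)
        if (memcmp(image + i, marker, m) == 0)
            hits++;
    return hits;
}

/* Constructed stand-in for a worm binary: a fake MZ header, some filler, and
 * the literal "C:\InsideTm\" that the disassembly pushes as strstr's needle. */
static const unsigned char SAMPLE_IMAGE[] =
    "MZ\x90\x00\x03\x00\x00\x00" "....code...." "C:\\InsideTm\\" "\x00....";
static const size_t SAMPLE_IMAGE_LEN = sizeof(SAMPLE_IMAGE) - 1;

int main(void)
{
    const char *paths[] = {
        "C:\\InsideTm\\sample.exe",
        "c:\\insidetm\\sample.exe",
        "C:\\Documents and Settings\\user\\Desktop\\sample.exe",
    };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-55s strstr:%d  case-insensitive:%d\n", paths[i],
               anubis_path_check(paths[i], 1), anubis_path_check(paths[i], 0));
    printf("marker \"%s\" found %zu time(s) in sample image\n", ANUBIS_MARKER,
           count_marker(SAMPLE_IMAGE, SAMPLE_IMAGE_LEN, ANUBIS_MARKER));
    return 0;
}
```

Two things worth noticing when running it: the worm's strstr() check is defeated by nothing more than a lower-case sandbox directory, and the same "InsideTm" literal that makes the evasion work is a static string an analyst can grep for, so the check gives away the sample's intent before it ever runs.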
