Dailydave mailing list archives
Re: VPC
From: "Kurt Baumgartner" <kbaumgartner () pctools com>
Date: Fri, 22 Feb 2008 09:44:22 -0700
> Hint : There are better ones than CWsandbox,
> - Joebox
> - Anubis (qemu -> easy to detect)
ThreatExpert too: www.threatexpert.com

Evasion techniques are implemented in active malcode for all of them. The most common techniques target vmware, emulator weaknesses, or directories and components of the frameworks themselves.

Oh look, here's another one:

"Here is an assembly code chunk we extracted from an ITW worm. This code is an attempt to detect Anubis:

    sub     esp, 104h
    lea     eax, [esp+0]
    push    ebx
    push    offset aCInsidetm    ; "C:\\InsideTm\\"
    push    eax                  ; str1
    xor     bl, bl               ; status (bl) = 0
    call    ds:strstr

The disassembly matches up somewhat with some proposed Anubis-detecting c code fairly recently posted to an underground forum:

    char ModulePath[MAX_PATH];
    char *p;                     /* declaration missing from the quoted fragment */
    GetModuleFileName(NULL, ModulePath, MAX_PATH);
    p = strstr(ModulePath, "InsideTm");
    if(p != NULL) return true;"

http://blog.threatfire.com/2008/01/chartreuse-pill.html

kurt

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
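The post's point is that malcode looks for artifacts of the analysis framework itself (here the Anubis "C:\InsideTm\" directory). An analyst can turn that around during static triage: pull the printable strings out of a sample and flag any that reference known sandbox artifacts before the sample is ever run. The script below is an added example, not code from the post or from the ThreatFire blog it quotes; the indicator list is an assumption built only from what the post names ("InsideTm", vmware), and the sample bytes are constructed inline.

```python
# Added example (not from the post or the blog it quotes): static triage
# helper that extracts printable ASCII and UTF-16LE strings from a binary
# blob and flags references to sandbox/VM artifacts. Indicator list is an
# assumption built from the post; extend it with your own.
import re

# Indicator (lowercase) -> what a hit suggests. "insidetm" is the Anubis
# working directory named in the post; "vmware" is the generic family of
# VM checks it mentions. Anything else you add is your own assumption.
SANDBOX_INDICATORS = {
    "insidetm": "Anubis working directory (C:\\InsideTm\\)",
    "vmware": "VMware artifact check",
}

# Runs of 4+ printable ASCII bytes, and the same interleaved with NULs
# (UTF-16LE), since Windows malware often carries wide strings.
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(blob: bytes):
    """Return printable ASCII and UTF-16LE strings found in blob."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(blob)]
    return found


def find_sandbox_references(blob: bytes):
    """Return (string, meaning) pairs for every extracted string that
    contains a known sandbox indicator (case-insensitive)."""
    hits = []
    for s in extract_strings(blob):
        low = s.lower()
        for needle, meaning in SANDBOX_INDICATORS.items():
            if needle in low:
                hits.append((s, meaning))
    return hits


# Constructed sample: junk bytes around the path the worm in the post
# compares against (ASCII) and a wide "vmware" string, plus one benign string.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    + b"C:\\InsideTm\\\x00\x00"
    + "vmware".encode("utf-16-le")
    + b"\x00\x00hello\x00"
)

if __name__ == "__main__":
    for s, why in find_sandbox_references(SAMPLE):
        print(f"{s!r}: {why}")
```

A hit is a triage signal, not proof: legitimate software also mentions VM vendors. The value is in deciding early that a sample needs a bare-metal or hardened run rather than trusting a clean sandbox report.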