As could be expected, we witness an arms race when observing the evolution of VBA malicious documents. First, the VBA code was trivially simple (download and execute); then obfuscation was added (strings and code); and now we see more attempts to evade detection by analysis environments.
I analyzed a maldoc sample (.xls 77f3949c2130b268bb18061bcb483d16) that tries to detect sandboxes and virtualization (and aborts if found).
Here's part of the code:
If IsSandBoxiePresent(1) = True Then End
If IsAnubisPresent(1) = True Then End
If IsVirtualPCPresent = True Then End
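The following is an added example, not code from the original post. It is a small Python triage helper that scans VBA source (e.g. extracted with olevba) for the two indicators visible in the snippet above: the three check-function names, which come from the analyzed sample, and the "If <check> = True Then End" idiom that aborts the macro when a check fires. The sample module, the regex and the verdict thresholds are this example's own constructions.

```python
"""
Triage helper: flag sandbox/VM-evasion indicators in extracted VBA source.

Added example, not code from the original post. The indicator names
IsSandBoxiePresent, IsAnubisPresent and IsVirtualPCPresent are the ones
quoted in the post; everything else here (sample module, abort-on-true
regex, verdict thresholds) is constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample module: the three checks from the post, plus a decoy
# "If ... = True Then ..." line that must NOT be flagged as an abort.
SAMPLE_VBA = """\
Sub Workbook_Open()
    If IsSandBoxiePresent(1) = True Then End
    If IsAnubisPresent(1) = True Then End
    If IsVirtualPCPresent = True Then End
    Dim counter As Integer
    If counter = True Then counter = 0
    Call RunPayload
End Sub
"""

# Check-function names seen in the analyzed sample (VBA is case-insensitive,
# so matching is case-insensitive too).
KNOWN_CHECK_NAMES = ("IsSandBoxiePresent", "IsAnubisPresent", "IsVirtualPCPresent")

# Generic idiom: a line that ends the macro when some check returns True.
# The expression between "If" and "= True" is captured for reporting.
ABORT_ON_TRUE = re.compile(
    r"^\s*If\s+(?P<expr>.+?)\s*=\s*True\s+Then\s+End\s*$", re.IGNORECASE
)


@dataclass
class Finding:
    line_no: int
    kind: str     # "known_check" or "abort_on_true"
    detail: str   # matched function name or captured expression


def scan_vba(source: str) -> list[Finding]:
    """Return every indicator found, with the 1-based line it sits on."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name in KNOWN_CHECK_NAMES:
            if re.search(r"\b" + re.escape(name) + r"\b", line, re.IGNORECASE):
                findings.append(Finding(line_no, "known_check", name))
        m = ABORT_ON_TRUE.match(line)
        if m:
            findings.append(Finding(line_no, "abort_on_true", m.group("expr")))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Constructed threshold: any known check, or two or more abort-on-true
    lines, is enough to suspect environment-aware evasion."""
    known = sum(1 for f in findings if f.kind == "known_check")
    aborts = sum(1 for f in findings if f.kind == "abort_on_true")
    if known >= 1 or aborts >= 2:
        return "evasion-suspected"
    if findings:
        return "weak-indicators"
    return "no-indicators"


if __name__ == "__main__":
    results = scan_vba(SAMPLE_VBA)
    for f in results:
        print(f"line {f.line_no}: {f.kind} -> {f.detail}")
    print("verdict:", verdict(results))
```

In practice you would feed the scanner the module text produced by a VBA extraction tool rather than the embedded sample, and extend KNOWN_CHECK_NAMES as new samples are analyzed; the abort-on-true rule catches the pattern even when the check functions are renamed, which is why it is kept separate from the name list.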
The VM detection disks trick is interesting.
Looking for specific modules/users/reg keys re sandboxes - heh. Many other sandboxes will have something similar with default paths, modules, reg keys, processes, etc.
It's curious they didn't obfuscate these specific functions and strings.
The string and function obfuscation (and obsolete modules/classes/functions) is annoying and will likely only get more common (natural progression to impede automated analysis).
Same goes for more winapi use in these.
I suppose one could write custom modules for Office processes trying to enumerate these things and say it's VM or SB detection (or lie about the values of those for something like CSB as a custom plugin).