Tackling Gootkit’s Traps
- by nlqip
Note that each “while” loop is performing string decryption on the sequences of bytes shown in the variables above the loop. When following the execution in a debugger, the strings are decrypted, and some meaningful indicators of VM checks are visible. (See appendix for decryption function details.)
In this code snippet, three checks are evident:
- MAC address check
- Checking the presence of “dbghelp.dll” — debugger indicator
- Checking the presence of “sbiedll.dll” — Sandboxie indicator
By following the traps and patching the system accordingly, the environment is prepared for Gootkit to run in.
The rest of the checks include:
- Compare the user name to “CurrentUser”/“Sandbox”
- Compare the computer name to “SANDBOX”/“7SILVIA”
- Compare the registry value “HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion” with AMI, VirtualBox, BOCHS, INTEL 640000, 55274-640-2673064-23950, and other serials
After patching a virtual machine and running the sample, it’s clear that it is no longer stuck in an endless loop and that the sample continues its propagation in the system.
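The checks described above, turned into an audit an analyst can run on a Windows analysis VM before detonating the sample. This is an added example, not code from the original analysis; the list of virtualization MAC prefixes, the substring comparison of the BIOS string, and the lookup of the DLLs in System32 are assumptions, since the article names the checks but not their exact comparisons.

```python
import os
import sys
import uuid

# Indicators exactly as listed in the analysis above.
SUSPICIOUS_USERS = {"currentuser", "sandbox"}
SUSPICIOUS_HOSTS = {"sandbox", "7silvia"}
BIOS_MARKERS = ("AMI", "VirtualBox", "BOCHS", "INTEL 640000", "55274-640-2673064-23950")
SANDBOX_DLLS = {"dbghelp.dll": "debugger", "sbiedll.dll": "Sandboxie"}
# Assumption: the article only says "MAC address check"; these are well-known
# virtualization OUI prefixes (VMware, VirtualBox) used here as a stand-in.
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:50:56", "08:00:27")


def audit(facts):
    """Return the Gootkit checks that the described environment would trip."""
    hits = []
    if facts.get("user", "").lower() in SUSPICIOUS_USERS:
        hits.append("user name")
    if facts.get("host", "").lower() in SUSPICIOUS_HOSTS:
        hits.append("computer name")
    bios = facts.get("bios", "").lower()
    for marker in BIOS_MARKERS:  # assumption: case-insensitive substring match
        if marker.lower() in bios:
            hits.append(f"SystemBiosVersion contains {marker!r}")
    for dll, role in SANDBOX_DLLS.items():
        if dll in facts.get("dlls", ()):
            hits.append(f"{dll} present ({role})")
    if facts.get("mac", "").lower().startswith(VM_MAC_PREFIXES):
        hits.append("MAC address")
    return hits


def collect_windows_facts():
    """Gather the same facts from a live Windows host (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System") as key:
        bios, _ = winreg.QueryValueEx(key, "SystemBiosVersion")  # REG_MULTI_SZ -> list
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    mac = "%012x" % uuid.getnode()
    return {
        "user": os.environ.get("USERNAME", ""),
        "host": os.environ.get("COMPUTERNAME", ""),
        "bios": " ".join(bios) if isinstance(bios, list) else str(bios),
        "dlls": {d for d in SANDBOX_DLLS if os.path.exists(os.path.join(system32, d))},
        "mac": ":".join(mac[i:i + 2] for i in range(0, 12, 2)),
    }


if __name__ == "__main__" and sys.platform == "win32":
    for hit in audit(collect_windows_facts()):
        print("sample would bail out on:", hit)
```

Each reported hit is one more value to rename or patch in the VM before the sample will get past its anti-analysis loop.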