Tackling Gootkit’s Traps
- by nlqip
Note that each “while” loop is performing string decryption on the sequences of bytes shown in the variables above the loop. When following the execution in a debugger, the strings are decrypted, and some meaningful indicators of VM checks are visible. (See appendix for decryption function details.)
In this code snippet, three checks are evident:
- MAC address check
- Checking the presence of “dbghelp.dll” — debugger indicator
- Checking the presence of “sbiedll.dll” — sandboxie indicator
By following each of these traps in the debugger and patching the analysis environment so that the check passes, a virtual machine is prepared in which Gootkit will actually run.
The rest of the checks include:
- Compare the user name to “CurrentUser”/“Sandbox”
- Compare the computer name to “SANDBOX”/“7SILVIA”
- Compare “HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion” with AMI, VirtualBox, BOCHS, INTEL 640000, 55274-640-2673064-23950, and other serials
After patching the virtual machine to pass these checks and running the sample again, it is clear that the sample is no longer stuck in the endless loop and continues its propagation in the system.