Tackling Gootkit’s Traps
- by nlqip
Note that each “while” loop is performing string decryption on the sequences of bytes shown in the variables above the loop. When following the execution in a debugger, the strings are decrypted, and some meaningful indicators of VM checks are visible. (See appendix for decryption function details.)
In this code snippet, three checks are evident:
- MAC address check
- Checking the presence of “dbghelp.dll” — debugger indicator
- Checking the presence of “sbiedll.dll” — sandboxie indicator
By following the traps and patching the system accordingly, the environment is prepared for Gootkit to run in.
The rest of the checks include:
- Compare user name to “CurrentUser”/“Sandbox”
- Compare computer name to “SANDBOX”/“7SILVIA”
- Compare the registry value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion with AMI, VirtualBox, BOCHS, INTEL 640000, 55274-640-2673064-23950, and other serials
After patching a virtual machine and running the sample, it’s clear that it is no longer stuck in an endless loop and that the sample continues its propagation in the system.
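As an added example (not code from the original post or from the Gootkit sample), here is a small Python checker an analyst can run on an analysis VM to see which of the environment indicators described above it would expose before the sample is executed. It assumes the checks as the page describes them; the MAC vendor prefixes are an assumption (common VMware/VirtualBox prefixes), since the page only states that a MAC address check exists, and module enumeration is left to the caller.

```python
import os
import platform
import uuid

# Indicator sets taken from the checks described on this page. The MAC OUI
# prefixes are an assumption (common VMware/VirtualBox vendor prefixes); the
# page only says a MAC address check exists, not which prefixes it matches.
VM_MAC_PREFIXES = ("00:05:69", "00:0C:29", "00:50:56", "08:00:27")
ANALYSIS_MODULES = {"dbghelp.dll": "debugger", "sbiedll.dll": "Sandboxie"}
BAD_USERNAMES = {"currentuser", "sandbox"}
BAD_COMPUTERNAMES = {"sandbox", "7silvia"}
BIOS_MARKERS = ("AMI", "VirtualBox", "BOCHS", "INTEL 640000", "55274-640-2673064-23950")


def find_sandbox_indicators(env):
    """Return the list of Gootkit-style checks that this environment would trip.

    env keys: mac (str), modules (iterable of loaded DLL names), username,
    computername, bios_version (the SystemBiosVersion registry value as text).
    """
    hits = []
    mac = env.get("mac", "").upper()
    if mac.startswith(VM_MAC_PREFIXES):
        hits.append("mac: virtual NIC vendor prefix %s" % mac[:8])
    loaded = {m.lower() for m in env.get("modules", [])}
    for dll, what in ANALYSIS_MODULES.items():
        if dll in loaded:
            hits.append("module: %s present (%s indicator)" % (dll, what))
    if env.get("username", "").lower() in BAD_USERNAMES:
        hits.append("username: %s" % env["username"])
    if env.get("computername", "").lower() in BAD_COMPUTERNAMES:
        hits.append("computername: %s" % env["computername"])
    bios = env.get("bios_version", "").lower()
    for marker in BIOS_MARKERS:
        if marker.lower() in bios:
            hits.append("bios: SystemBiosVersion contains %r" % marker)
            break  # one BIOS hit is enough to report
    return hits


def collect_local_env():
    """Best-effort collection from the running host. Fields that can only be
    read on Windows (the registry value) are left empty elsewhere."""
    node = uuid.getnode()  # 48-bit MAC of one local interface
    mac = ":".join("%02X" % ((node >> s) & 0xFF) for s in range(40, -1, -8))
    env = {"mac": mac, "modules": [], "computername": platform.node(),
           "username": os.environ.get("USERNAME", os.environ.get("USER", "")),
           "bios_version": ""}
    try:
        import winreg  # only importable on Windows
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System")
        val = winreg.QueryValueEx(key, "SystemBiosVersion")[0]  # REG_MULTI_SZ
        env["bios_version"] = " ".join(val) if isinstance(val, list) else str(val)
    except (ImportError, OSError):
        pass
    return env
```

Running `find_sandbox_indicators(collect_local_env())` on the analysis VM lists the indicators to rename or patch before the sample is allowed to run.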