Tackling Gootkit’s Traps

2024 Cybersecurity Predictions


Note that each “while” loop is performing string decryption on the sequences of bytes shown in the variables above the loop. When following the execution in a debugger, the strings are decrypted, and some meaningful indicators of VM checks are visible. (See appendix for decryption function details.)

In this code snippet, three checks are evident:

  • MAC address check
  • Checking the presence of “dbghelp.dll” — debugger indicator
  • Checking the presence of “sbiedll.dll” — sandboxie indicator

By following the traps and patching the system accordingly, the environment is prepared for Gootkit to run in.

The rest of the checks include:

  • Compare user name to “CurrentUser”/”Sandbox”
  • Compare computer name to “SANDBOX”/”7SILVIA”
  • HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystemSystemBiosVersion” compare with AMI, VirtualBox, BOCHS, INTEL 640000, 55274-640-2673064-23950, and other serials

After patching a virtual machine and running the sample, it’s clear that it is no longer stuck in an endless loop and that the sample continues its propagation in the system.



Source link
lol

Note that each “while” loop is performing string decryption on the sequences of bytes shown in the variables above the loop. When following the execution in a debugger, the strings are decrypted, and some meaningful indicators of VM checks are visible. (See appendix for decryption function details.) In this code snippet, three checks are evident:…

Leave a Reply

Your email address will not be published. Required fields are marked *