Maldoc VBA Sandbox/Virtualization Detection

Published: 2015-03-14
Last Updated: 2015-03-14 12:04:53 UTC
by Didier Stevens (Version: 1)
8 comment(s)

As could be expected, we witness an arms race when observing the evolution of VBA malicious documents. First the VBA code was trivially simple (download and execute), then obfuscation was added (strings and code), and now we see more attempts to evade detection.

I analyzed a maldoc sample (.xls 77f3949c2130b268bb18061bcb483d16) that tries to detect sandboxes and virtualization (and aborts if found).

Here's part of the code:

If IsSandBoxiePresent(1) = True Then End

If IsAnubisPresent(1) = True Then End

If IsVirtualPCPresent = True Then End

Keywords: maldoc malware vba
8 comment(s)

Comments

the VM detection disks trick is interesting
The looking for specific modules/users/reg keys re sboxes - heh. Many other sandboxes will have something similar with default paths, modules, reg keys, processes etc.
It's curious they didn't obfuscate these specific functions and strings.

the string and function obfuscation (and obsolete modules/classes/functions) is annoying and will likely only get more common. (natural progression to impede automated analysis )
Same goes for more winapi use in these.

I suppose , could write custom modules for office processes trying to enumerate these things and say it's VM or SB detection. (or lie about the values of those for something like CSB as a custom plugin)
These evasion techniques are definitely getting more common. When combined with spear phishing they can be incredibly effective.

This particular hash was scanned 4 days ago on Metascan Online and was only detected by 1/43 engines. I just rescanned it today and detection is up to 15/43.

At our company we've been preaching that file sanitization should replace or augment malware scanning. We're imagining that companies should start to setup ICAP and mail gateways to literally strip out VB Script from files inbound to the network.

Is this impractical? In your experience have you seen management fight back against stronger macro controls? What do you do for personal laptops?
Looks like its time we starting pushing registry keys to make legitimate systems look like VM's......
What was the malware actually looking for? Registry keys, or other stuff too?
All kinds of tests: registry keys, but also DLLs, disk serial numbers, ...

I have the details on my blog:
http://blog.didierstevens.com/2015/03/11/vba-maldoc-we-dont-want-no-stinkin-sandboxvirtual-pc/
Thanks!!!
It is interesting that an example I saw the other day, was using an XML attachment which turned out was a word xml schema, this led to a word maldoc with the malicious VBA. So not only is sandboxing being avoided but so are the traditional email file filters. The key part of the xml document was:

xmlns:wsp="http://schemas.microsoft.com/office/word/2003/wordml/sp2" w:macrosPresent="yes"
Yes, this XML format is something I described in a previous diary entry, at the beginning of the month:
https://isc.sans.edu/forums/diary/XML+A+New+Vector+For+An+Old+Trick/19423/

Diary Archives