
SANS ISC: Maldoc VBA Sandbox/Virtualization Detection - SANS Internet Storm Center InfoSec Forums


Maldoc VBA Sandbox/Virtualization Detection

As could be expected, we witness an arms race when observing the evolution of VBA malicious documents. First the VBA code was trivially simple (download and execute), then obfuscation was added (strings and code), and now we see more attempts to evade detection.

I analyzed a maldoc sample (.xls 77f3949c2130b268bb18061bcb483d16) that tries to detect sandboxes and virtualization (and aborts if found).

Here's part of the code:

' Each helper returns True when the corresponding sandbox or VM is detected;
' a bare End statement terminates the macro, so the payload never runs there.
If IsSandBoxiePresent(1) = True Then End
If IsAnubisPresent(1) = True Then End
If IsVirtualPCPresent = True Then End

DidierStevens

342 Posts
ISC Handler
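As an added example (not code from the diary or from the sample), here is a small Python scanner that runs over VBA source extracted from a document and flags the three presence-check functions quoted above, the "test then bare End" shape that aborts on detection, and generic probes for the categories of checks the sample uses (registry keys, DLLs, disk serial numbers). The indicator names, the regexes and the sample VBA text are constructed for this illustration; SbieDll.dll and the Win32 API names are real, but treating them as sandbox-detection indicators is this example's own assumption, and a real deployment would tune the table to its own sandbox.

```python
import re
from dataclasses import dataclass

# Indicator table: name -> regex. The three Is*Present names are the ones
# quoted in the diary; the other rows are generic probes for the categories
# of checks the sample uses (registry keys, DLLs, disk serial numbers) and
# are this example's own assumptions about what such checks look like.
# Patterns are compiled case-insensitively because VBA identifiers are.
INDICATORS = {
    "sandboxie-check":    r"\bIsSandBoxiePresent\b|\bSbieDll\b",
    "anubis-check":       r"\bIsAnubisPresent\b",
    "virtualpc-check":    r"\bIsVirtualPCPresent\b",
    "registry-probe":     r"\bRegRead\b|\bRegOpenKey(?:Ex)?[AW]?\b|\bHKEY_LOCAL_MACHINE\b|\bHKLM\\",
    "disk-serial-probe":  r"\bVolumeSerialNumber\b|\bSerialNumber\b",
    "dll-probe":          r"\bLoadLibrary[AW]?\b|\bGetModuleHandle[AW]?\b",
    # The sample's tell-tale shape: a presence test whose Then-branch is a bare End.
    "abort-on-detection": r"^\s*If\b.*Present.*\bThen\s+End\s*$",
}

# Constructed VBA source in the style of the sample (not the real macro).
SAMPLE_VBA = """\
Sub AutoOpen()
    If IsSandBoxiePresent(1) = True Then End
    If IsAnubisPresent(1) = True Then End
    If IsVirtualPCPresent = True Then End
    Call Main
End Sub

Function IsSandBoxiePresent(x)
    IsSandBoxiePresent = GetModuleHandle("SbieDll.dll") <> 0
End Function

Function DiskSerial()
    Set disks = GetObject("winmgmts:").ExecQuery("Select VolumeSerialNumber From Win32_LogicalDisk")
End Function
"""


@dataclass
class Finding:
    line: int        # 1-based line number in the VBA source
    indicator: str   # key from INDICATORS
    text: str        # the matched text


def scan_vba(source):
    """Return one Finding per (line, indicator) hit in extracted VBA source."""
    compiled = {name: re.compile(pat, re.IGNORECASE) for name, pat in INDICATORS.items()}
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in compiled.items():
            match = rx.search(line)
            if match:
                findings.append(Finding(lineno, name, match.group(0)))
    return findings


def classify(findings):
    """'evasive' if the macro probes for a sandbox/VM and aborts on a hit,
    'suspicious' if it only probes, 'clean' otherwise."""
    names = {f.indicator for f in findings}
    probes = names - {"abort-on-detection"}
    if probes and "abort-on-detection" in names:
        return "evasive"
    if probes:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    hits = scan_vba(SAMPLE_VBA)
    for hit in hits:
        print(f"line {hit.line:3d}  {hit.indicator:20s}  {hit.text}")
    print("verdict:", classify(hits))
```

The two-level verdict matters in practice: a probe on its own (a macro that reads a volume serial number) is common in benign automation, whereas a probe whose only consequence is a bare End is the pattern worth escalating.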
The VM detection disks trick is interesting.
The looking for specific modules/users/reg keys re sandboxes - heh. Many other sandboxes will have something similar with default paths, modules, reg keys, processes etc.
It's curious they didn't obfuscate these specific functions and strings.

The string and function obfuscation (and obsolete modules/classes/functions) is annoying and will likely only get more common (natural progression to impede automated analysis).
Same goes for more WinAPI use in these.

I suppose one could write custom modules for office processes trying to enumerate these things and say it's VM or SB detection (or lie about the values of those for something like CSB as a custom plugin).
Mallory Bobalice

28 Posts
These evasion techniques are definitely getting more common. When combined with spear phishing they can be incredibly effective.

This particular hash was scanned 4 days ago on Metascan Online and was only detected by 1/43 engines. I just rescanned it today and detection is up to 15/43.

At our company we've been preaching that file sanitization should replace or augment malware scanning. We're imagining that companies should start to setup ICAP and mail gateways to literally strip out VB Script from files inbound to the network.

Is this impractical? In your experience have you seen management fight back against stronger macro controls? What do you do for personal laptops?
Mallory Bobalice
1 Posts
Looks like it's time we start pushing registry keys to make legitimate systems look like VMs...
T1tu3

2 Posts
What was the malware actually looking for? Registry keys, or other stuff too?
John

88 Posts
All kinds of tests: registry keys, but also DLLs, disk serial numbers, ...

I have the details on my blog:
blog.didierstevens.com/2015/03/11/vba-maldoc-we-dont-want-no-stinkin-sandboxvirtual-pc/
DidierStevens

342 Posts
ISC Handler
Thanks!!!
John

88 Posts
It is interesting that an example I saw the other day was using an XML attachment which turned out to be a Word XML schema; this led to a Word maldoc with the malicious VBA. So not only is sandboxing being avoided, but so are the traditional email file filters. The key part of the XML document was:

xmlns:wsp="http://schemas.microsoft.com/office/word/2003/wordml/sp2" w:macrosPresent="yes"
John
2 Posts
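As an added example (not part of the post above), here is a Python check a mail or ICAP gateway could apply to .xml attachments to catch the case John describes: parse the file, confirm it is a Word 2003 WordprocessingML document, and read the w:macrosPresent attribute on the root element. The sample document is constructed; it assumes the w: prefix maps to the Word 2003 wordml namespace (the wsp namespace quoted above is its sp2 extension) and that embedded binary streams, the macro project included, appear as w:binData elements, which is why binData without the flag is only a review signal (pictures use it too).

```python
import xml.etree.ElementTree as ET

# WordprocessingML 2003 namespace; the wsp namespace quoted in the thread
# (…/wordml/sp2) is its SP2 extension and carries no macro flag of its own.
WORDML_2003 = "http://schemas.microsoft.com/office/word/2003/wordml"
WORD_DOC_TAG = "{%s}wordDocument" % WORDML_2003
MACROS_ATTR = "{%s}macrosPresent" % WORDML_2003
BINDATA_TAG = "{%s}binData" % WORDML_2003

# Constructed minimal Word 2003 XML document carrying the attribute quoted above.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<?mso-application progid="Word.Document"?>
<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"
  xmlns:wsp="http://schemas.microsoft.com/office/word/2003/wordml/sp2"
  w:macrosPresent="yes">
  <w:binData w:name="editdata.mso">UEsDBBQAAAAIAA==</w:binData>
  <w:body><w:p><w:r><w:t>invoice</w:t></w:r></w:p></w:body>
</w:wordDocument>
"""

# Constructed macro-free Word 2003 XML document for comparison.
CLEAN_XML = b"""<?xml version="1.0"?>
<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">
  <w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body>
</w:wordDocument>
"""


def inspect_word_xml(data):
    """Classify an XML attachment. Returns a dict with the raw observations
    and a gateway verdict: not-xml, not-word-xml, allow, review or quarantine."""
    result = {"is_word_xml": False, "macros_present": False, "bindata": 0, "verdict": "allow"}
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        result["verdict"] = "not-xml"
        return result
    if root.tag != WORD_DOC_TAG:
        result["verdict"] = "not-word-xml"
        return result
    result["is_word_xml"] = True
    # Word writes "yes"; anything other than absent or "no" is treated as set.
    flag = (root.get(MACROS_ATTR) or "").strip().lower()
    result["macros_present"] = flag not in ("", "no")
    result["bindata"] = len(root.findall(".//" + BINDATA_TAG))
    if result["macros_present"]:
        result["verdict"] = "quarantine"
    elif result["bindata"]:
        result["verdict"] = "review"
    return result


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_XML), ("clean", CLEAN_XML)):
        print(label, inspect_word_xml(doc))
```

The check keys on the root element's namespace rather than the file extension, which is the point: the attachment arrives as .xml, so an extension-based filter never looks inside. A gateway parsing untrusted XML should also cap input size and use a hardened parser (for example defusedxml) in place of the stdlib ElementTree used here for self-containment.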
Yes, this XML format is something I described in a previous diary entry, at the beginning of the month:
isc.sans.edu/forums/diary/XML+A+New+Vector+For+An+Old+Trick/19423/
DidierStevens

342 Posts
ISC Handler
