Zerowine: Malware dumping and detection tricks [Updated]

2009, Jan 18    

Update: I released the new version now! Download the prebuilt QEmu virtual machine (or the source code) from here. Remember that the root’s password is ‘zerowine’. There is also another user account: ‘malware’ with password ‘malware’.

I recently added 3 new interesting features to Zerowine. The first one is the ability to dump the malware from memory while it is running and analyze that memory. This way, strings and code hidden inside a packed malware can be analyzed, because in memory the sample is completely unpacked, as in the following example showing the strings from a variant of the MyTob malware packed with MEW.

Zerowine: String analysis of the MyTob malware after dumping it from memory

The memory dumps can also be downloaded for later analysis with IDA Pro. The dumping is done from outside WINE with a Python script (/home/malware/bin/dump_process.py) that uses python-ptrace to attach to the running malware and dump its memory.

I also added signatures, built on this new feature, to detect the most typical virtual machine detection tricks (such as the red pill trick or the VMware backdoor).
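As an added illustration of the two post-dump steps described above (string extraction and signature matching), the following Python sketch is not Zerowine's dump_process.py or its signature set; it works on a memory buffer constructed inline, pulls out printable ASCII and UTF-16LE strings, and flags the standard x86 encodings behind the red pill (SIDT) and VMware backdoor (IN on port 'VX' with 'VMXh' in EAX) tricks.

```python
import re

# Constructed x86 fragments standing in for a dumped process image (not a real sample).
REDPILL = bytes.fromhex("0f010c24")                # sidt [esp]
VMWARE_MAGIC = bytes.fromhex("b868584d56")         # mov eax, 0x564D5868 ('VMXh')
VMWARE_BACKDOOR = (VMWARE_MAGIC
                   + bytes.fromhex("66ba5856")     # mov dx, 0x5658 ('VX')
                   + bytes.fromhex("ed"))          # in eax, dx
SAMPLE_DUMP = (b"\x00" * 16 + b"MZ\x90\x00" + b"\x00" * 8
               + b"http://example.invalid/bot.php" + b"\x00" * 2     # constructed C2 URL
               + "C:\\WINDOWS\\system32\\".encode("utf-16-le") + b"\x00\x00"
               + REDPILL + b"\x90" * 4 + VMWARE_BACKDOOR + b"\x00" * 8)


def extract_strings(dump: bytes, min_len: int = 6) -> list:
    """Return printable ASCII and UTF-16LE strings, like `strings -a -e l` would."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(dump)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(dump)]
    return found


def find_vm_detection_tricks(dump: bytes) -> list:
    """Flag instruction patterns commonly used to detect a virtual machine.

    red pill: SIDT (0F 01 /1, memory operand) stores the IDT base, which
              sits at a tell-tale address under many hypervisors.
    VMware backdoor: EAX = 'VMXh' followed by IN EAX,DX on port 0x5658.
    Heuristic byte matching: data bytes can produce false positives.
    """
    hits = []
    for i in range(len(dump) - 2):
        if dump[i] == 0x0F and dump[i + 1] == 0x01:
            modrm = dump[i + 2]
            # reg field 1 selects SIDT; mod == 3 would be MONITOR/MWAIT instead
            if (modrm >> 3) & 7 == 1 and (modrm >> 6) != 3:
                hits.append(("redpill (sidt)", i))
    for m in re.finditer(re.escape(VMWARE_MAGIC), dump):
        window = dump[m.end():m.end() + 16]       # expect the IN shortly after
        if b"\xed" in window:                      # in eax, dx
            hits.append(("vmware backdoor (in eax,dx)", m.start()))
    return hits


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_DUMP):
        print("string:", s)
    for name, offset in find_vm_detection_tricks(SAMPLE_DUMP):
        print("trick: %s at offset 0x%x" % (name, offset))
```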

In this screenshot you can also see the “Debugger detection tricks” section. This detection is done by analyzing the behavior of the malware. The following is an analysis of some Chinese malware packed with Themida:

And, well, that’s all at the moment. The new version will be released (or at least I hope so) in a week.

Cheers!