Thread: Virtual environment to test CIH (A.K.A Chernobyl) virus?

  1. #1

    Virtual environment to test CIH (A.K.A Chernobyl) virus?

    Hi everybody,
    I have one .exe file infected by the CIH virus and I want to analyze it in a virtual environment (like VMware). Unfortunately this virus uses some VXD calls in ring0 and it fails to work on VMware. This dangerous virus works only on Windows 95/98 and may damage the BIOS. I really want to understand its code and its functionality, so I need the virtual environment to test and debug it. Do you have any suggestion? Thanks for your help!

    PS: Sorry for my poor English
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Well, I guess I'd try with all the other alternatives within the virtualization field (VirtualPC etc, see: http://www.woodmann.com/collaborative/tools/index.php/Category:Virtual_Machines), and if none of them works, debug it in VMware and see why it's not working, and patch it.

    In the general case, VMware should have no problem handling "VXD calls in ring0" as long as it runs the correct guest operating system (Windows 95/98 in this case, as you mention), and virtualization did not exist in the big sense back then, i.e. it really shouldn't be virtualization detection either, so the problem might just be some specific detail of the virus that you can patch your way past.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #3
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    Why analyze it in a VM if you can just download and read its source code?
    http://www.62nds.co.nz/62nds/documents/cih.txt

  4. #4
    Well, looking at the source code might be just too easy. Maybe someone could point him to a copy of the "virtual" source code.

    Regards,
    JMI

  5. #5
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    There might be code behavior details that are not obvious in a dead listing, even having the source code, which need live debugging to be able to understand clearly. Otherwise developers, who by definition have the source code, and even better wrote the source, would never have to use a debugger.

    Now to the question at hand:
    I have tried to do some debugging of win95 and win98 in VMware. I was trying to repair the drivers of an old application that interfaces with some instrument. My overall impression was that once I tried to go ring0, the VM stopped cooperating. This is in contrast with my experience with XP: I have been able to trace drivers and .sys files seamlessly inside winXP VMware.
    For reasons that are way beyond my capacity of comprehension, the VM simulation for older OS seems to be far less than perfect. I guess VMware was developed during the XP years with XP in mind, I don't know.

    In any case, if you are so interested in studying Chernobyl, I would suggest you do it on an old machine/old OS installed using a throw-away old hard drive.

  6. #6
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    ...and a throw-away motherboard, since it can nuke the BIOS too.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  7. #7
    Quote Originally Posted by disavowed:
    > Why analyze it in a VM if you can just download and read its source code?
    > http://www.62nds.co.nz/62nds/documents/cih.txt
    You can easily find the source code of this well-known virus, but I think live debugging will give us more details than a dead listing; furthermore I need an environment to execute this virus to collect more samples. So I will try other virtual machine software. Thanks for your help!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #8
    Compile it and study it...
    The only reason for time is so that everything doesn't happen at once. [A. Einstein]

  9. #9
    mkfeldman
    Guest
    qemu is a CPU emulator, I think it will work no problem
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  10. #10
    You should eventually try to emulate all the VXD and ring-0 stuff on XP using SEH... it's not an easy job, but it can be done.
    For an example of how to do it, see my code here: http://www.woodmann.com/forum/showthread.php?t=10220

  11. #11
    sapu: your stuff is awesome!

    naides: I emphatically disagree with the assertion and attempted justification that you need to execute a program in order to reverse engineer it. There are plenty of folks in the AV industry that do a large amount of pure static reverse engineering. You can in fact recover 100% of the details in 100% of the cases, it's just a matter of time. Debugging is merely a luxury.

  12. #12
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    @habitual: You are right.
    You will not find a strong argument from me. I do not reverse malware and only do some RCE as a hobby.
    It is undeniable that, given enough time, pure static reverse engineering could recover 100% of the details. In fact, the rules by which a CPU operates and the way a program flows are well known. A CPU is a deterministic automaton, so all possible states can be solved by an analyst "pretending to be the CPU" (on-paper simulation). I just think that in many situations, static analysis is just not practical.
    Tracing crypted code, packed code from scratch, decryption keys that are not expressly present in the dead listing but calculated at run time, event-driven behaviors, could generate quite a bit of pain for a static reverser. Surmountable with static analysis? Yes. Practical? No.
    Live debugging is a luxury: I agree. But sometimes it is better to let the CPU do most of the heavy lifting for you.

  13. #13
    Hi everybody,

    I've done my work without debugging :-D. Thanks for your help! :-)
    I promise that I have read the FAQ and tried to use the Search to answer my question.
