Skip navigation.
Home

Zerowine: Dumping malware and detection of antivm and antidebug

| |

I released a new version of Zerowine, a QEmu+Wine based malware auto-analysis tool. In this version I added support to dump the malware from memory while running. The dumps can also be downloaded for later analysis with IDA Pro.

The other feature I added is the ability to detect both anti-debugging and anti-vm techniques. The detection of anti-debugging techniques is done by analyzing the APIs called by the malware while the anti-vm detection is done by looking for patterns in both the packed version of the malware (the original one) and the unpacked (memory dump) version of the malware.

You can download the latest version of Zerowine as a Prebuilt QEmu virtual machine (you can convert it to one VMWare image if you prefer using the help found in this blog) or in source code form.

Update: I fixed the issue with the corrupted image. I uploaded a new working one and the MD5Sum.

Cheers!

running!!!

Hi:
i use this batch file for running Zerowine:
****************
REM Start qemu on windows.
@ECHO OFF

REM SDL_VIDEODRIVER=directx is faster than windib. But keyboard cannot work well.
SET SDL_VIDEODRIVER=windib

REM SDL_AUDIODRIVER=waveout or dsound can be used. Only if QEMU_AUDIO_DRV=sdl.
SET SDL_AUDIODRIVER=dsound

REM QEMU_AUDIO_DRV=dsound or fmod or sdl or none can be used. See qemu -audio-help.
SET QEMU_AUDIO_DRV=dsound

REM QEMU_AUDIO_LOG_TO_MONITOR=1 displays log messages in QEMU monitor.
SET QEMU_AUDIO_LOG_TO_MONITOR=0

REM PCI-based PC(default): -M pc
REM ISA-based PC : -M isapc
REM -M isapc is added for NE2000 ISA card.

qemu.exe -L . -hda zerowine.img -boot c -m 1024 -redir tcp:8000::8000 -redir tcp:2022::22 -M pc
**************

but qemu crashed!!!

Regards,

Using VMWare instead of QEmu

Hi Keivan,

If you're experiencing problems with QEmu for Windows use VMWare instead. Convert the disk image using this guide.

Basically, you need to:

1.- Convert the image using this command:

qemu-img.exe convert c:\zerowine_vm\hda.img -O vmdk c:\zerowine_vm\zerowine.vmdk

2.- Create a new Virtual Machine in VMWare.
3.- Select the option "Use an existing disk" and select the newly created c:\zerowine_vm\zerowine.vmdk file.

Error

Hi:
See this error:
##
GRUB loading, please wait ...
Error 17
##

thanks,

You're right

It appears that the image is corrupted. I'm uploading a new one and will update the blog entry when finished (it will take a while).

Sorry!

I get the Error 17 too.

Include the MD5 of the image file so we can verify that it´s correct, please.

Upload a image

Hi,

Would it be possible that you uploaded that image? It would be easier for a lot of those, who are trying to set it up in a Vmware or VirtualBox.

Member of Comodo Malware Research Group

I followed the tutorial to

I followed the tutorial to get ZeroWine running under VMWare but no luck.

You wrote: "then use the following command
vi /etc/udev/rules.d/z25_persistent-net.rules"

vi is a text editor, so what do you pretend editing that file? You don´t explain it. Do you want we quit from vi without editing nothing?

You wrote: "If you don't know the ip of the host enter the command ifconfig eth0. This will give you the IP address of the virtual machine."

When I type "ifconfig eth0" I get a "device not found".

Why is that?

Errors

Yeah I am having problems with the converted VMWARE image. I was able to get the img file to run using QEmu, the only problem is that once I point to an executable and click submit to analyze the file, nothing ever happens.

Any ideas?

Also if someone that got the vmware converted image to work, can you please post steps on how you got it up and running.

Thanks for the help.

Network and VMWare

Sorry, the tutorial was wrote by someone else, not by me. Anyway, after converting the image from qcow format to vmdk you can use this vmx file:

$ cat zerowine-0.0.2.1.vmx
#!/usr/bin/vmware
config.version = "8"
virtualHW.version = "4"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
memsize = "1024"
scsi0:0.present = "FALSE"
scsi0:0.fileName = "Zerowine 0.0.2.vmdk"
scsi0:0.writeThrough = "TRUE"
ide1:0.present = "TRUE"
ide1:0.fileName = "/dev/scd0"
ide1:0.deviceType = "cdrom-raw"
floppy0.startConnected = "FALSE"
floppy0.fileName = "/dev/fd0"
Ethernet0.present = "TRUE"
Ethernet0.connectionType = "bridged"
displayName = "Zerowine 0.0.2"
guestOS = "other26xlinux"
priority.grabbed = "normal"
priority.ungrabbed = "normal"
powerType.powerOff = "hard"
powerType.powerOn = "hard"
powerType.suspend = "hard"
powerType.reset = "hard"

ide0:0.present = "TRUE"
ide0:0.fileName = "zerowine.vmdk"

ide0:0.redo = ""
ethernet0.addressType = "generated"
uuid.location = "56 4d 7f dc f3 0f ec fa-db 02 27 ef b9 d9 5b 55"
uuid.bios = "56 4d 7f dc f3 0f ec fa-db 02 27 ef b9 d9 5b 55"
ethernet0.generatedAddress = "00:0c:29:d9:5b:55"
ethernet0.generatedAddressOffset = "0"

And, if the networking doesn't work when booting, logging to the virtual machine with root/zerowine and run the command "dhclient".

Tell me if this works for you.

That configuration is for

That configuration is for VMWare Linux. I´m using VMWare for Windows at least.

I tried the configuration anyway and tried the dhclient and no way, it will not work.

You should write your own tutorial from scratch.

userdb update

Hi all:
Download updated userdb.txt with 4463 sig:
http://rapidshare.com/files/188610622/userdb.rar.html
how can i update this file?

Good Luck,

USERDB.txt

The userdb.txt file is located (inside the virtual machine's image) in the directory /home/malware/zerowine/.

I finally got the

I finally got the environment.

It was necessary the "dhclient" command and setting the network as "NAT" not "bridged".