Oh the virtual world!

Rogue Antiviruses have come a long way from their simple User Interfaces and scare threats. Alpha Antivirus is a rogue application that comes with something more, which is how to make life of a virus analyst difficult.  The product comes with Virtual Machine protection which simply means that this malware cannot run on virtual environments commonly used by malware analyst for analyzing malware.

When executed on a virtual environment, this rogue will show a fake error message:

Fake Error

We decided to dig a little deeper, and loaded it into the debugger and have a look at the entry point.  :

Entry point

From its look, most likely this malware is packed/encrypted.  Then, we try to do hardware breakpoint at .bss section, because this section contains the original entrypoint.

Original ep

EDX value will contain the original entry point address.

EDX val

And this is the original entrypoint routine:

routine

As you see below it is an Anti-VM routine:

antivm

EAX contains a magic value of 0x564D5868 to detect VMWare present, which compares with the EBX register containing the similar value if the application is executed in the virtual environment. We can do the trick to bypass it by replacing the magic value:

bypass trick

And now we have been able to run this rogue application in the virtual environment. And no more fake error messages.

installer

This is one of many anti-debugging tricks, these rogue applications and other malicious applications are using to make themselves more sophisticated and harder to analyse. Emsisoft will , as always, make sure to tackle the difficulties and detect these malwares.