Hi,
Thanks for the tool. I would like to login to the vm image.
What is the login id and password for the Image?
Thanks in advance!
Thanks for the effort. I have a own hacked wine over here, perhaps we could co-operate (ie: I'll submit the changes I got)? Can I find the ZeroWine source via CVS/SVN somewhere?
Sorry for the late response to both Dinesh and Michael.
@Dinesh,
The root's password for the Virtual Machine is 'zerowine'. You have also the user 'malware' with password 'malware'.
@Michael
Yes, of course. Why not? The source code for Zero Wine is here:
https://sourceforge.net/project/showfiles.php?group_id=248410&package_id=303323&release_id=649963
Thank you!
Interesting tool, any way to make the results more clear?
Current results are somewhat cryptic.
Such as below: (borrowed from norman sandbox analyzer page)
D:\VIRUS\MYTEST.EX_ : W32/Backdoor
====> Sandbox output:
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO -
REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Display message box (sample) : sample, te amo!.
* Display message box (KERN32) : KERN32, te amo!.
* File length: 58368 bytes.
* MD5 hash: 60a8d2e41147f48364e1eb3729ac53fb.
[ Changes to filesystem ]
* Deletes file C:\WINDOWS\SYSTEM32\kern32.exe.
* Creates file C:\WINDOWS\SYSTEM32\kern32.exe.
[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Sets value "kernel32"="C:\WINDOWS\SYSTEM32\kern32.exe -sys" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
[ Changes to system settings ]
* Creates WindowsHook monitoring keyboard activity.
[ Network services ]
* Connects to "200.223.3.130" on port 6667 (TCP).
* Connects to IRC server.
* IRC: Uses nickname CurrentUser[FRK][19].
* IRC: Uses username SErVERINO.
* IRC: Joins channel #Sl4cK_r0oT.
[ Process/window information ]
* Creates a mutex ZZM9H9YY.
* Creates a mutex SrVFrK.
I'm currently hacking the Wine source code to make greater reports so, yes, I'm working on this feature. I think that I will release a new version in about a month or so. At least I hope to do so.
To begin with we can just turn on WINEDEBUGLEVEL and grep for "interesting" system calls... Not as nice as commercial sandboxes, but hey: can't beat the price...
Hi @mboman
I'm adding new debug channel(s) for Wine by patching the source code of the DLLs (and fixing some "potential" security problems...) and the results are very good. For example, the following is an extract of one report created with the new ultra-alpha version of Zerowine analyzing some Chinese malware:
0009:humanmalware:Running L"Z:\\home\\joxean\\tmp\\vir\\themida\\Backdoor.Bot.57444.exe"
0009:humanmalware:Opened file L"\\\\.\\SICE" for reading and writting
0009:humanmalware:Opened file L"\\\\.\\SIWVID" for reading and writting
0009:humanmalware:Opened file L"\\\\.\\NTICE" for reading and writting
0009:humanmalware:Trying to detect a debugger with a call to OutputDebugStringA("
%s------------------------------------------------
--- Themida Professional ---
--- (c)2007 Oreans Technologies ---
------------------------------------------------
"))
0009:humanmalware:Trying to detect a debugger calling IsDebuggerPresent
0009:humanmalware:Trying to detect a debugger calling CheckRemoteDebuggerPresent
0017:humanmalware:Trying to detect a debugger calling IsDebuggerPresent
So, better results. Not as good as the results from other commercial products, sure, but not as cryptic as today's results.
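As an added example (not ZeroWine's own code), here is one way to turn the raw "humanmalware" channel output above into a Norman-style sectioned report: it parses the `thread:humanmalware:message` lines, joins multi-line messages such as the OutputDebugStringA banner onto the event that started them, and files opens of SoftICE device names under anti-debugging. The sample log is constructed from the lines quoted in the post, and the section names are my own choice.

```python
import re
# Constructed sample: ZeroWine "humanmalware" channel lines as quoted in the post above.
SAMPLE_LOG = r'''0009:humanmalware:Running L"Z:\\home\\joxean\\tmp\\vir\\themida\\Backdoor.Bot.57444.exe"
0009:humanmalware:Opened file L"\\\\.\\SICE" for reading and writting
0009:humanmalware:Trying to detect a debugger with a call to OutputDebugStringA("
--- Themida Professional ---
"))
0009:humanmalware:Trying to detect a debugger calling IsDebuggerPresent
0017:humanmalware:Trying to detect a debugger calling IsDebuggerPresent'''

LINE_RE = re.compile(r"^([0-9a-f]{4}):humanmalware:(.*)$")
WSTR_RE = re.compile(r'L"((?:[^"\\]|\\.)*)"')
SOFTICE_DEVICES = {"SICE", "SIWVID", "NTICE"}  # device names registered by the SoftICE debugger
def parse_events(text):
    """Return (thread_id, message) pairs; unprefixed lines continue the previous message."""
    events = []
    for raw in text.splitlines():
        if m := LINE_RE.match(raw):
            events.append([m.group(1), m.group(2)])
        elif events:  # e.g. the multi-line OutputDebugStringA banner
            events[-1][1] += "\n" + raw
    return [tuple(e) for e in events]

def wstr(message):
    """First L"..." wide-string literal in the message, with Wine's doubled backslashes undone."""
    m = WSTR_RE.search(message)
    return m.group(1).replace("\\\\", "\\") if m else ""

def classify(message):
    """Map one channel message to a (report section, one-line summary) pair."""
    if message.startswith("Running "):
        return "General information", "Runs " + wstr(message)
    if message.startswith("Opened file "):
        path = wstr(message)
        if path.rsplit("\\", 1)[-1].upper() in SOFTICE_DEVICES:
            return "Anti-debugging", "Probes SoftICE device " + path
        return "Files opened", "Opens " + path
    if m := re.match(r"Trying to detect a debugger (?:calling|with a call to) (\w+)", message):
        return "Anti-debugging", "Calls " + m.group(1) + " to detect a debugger"
    return "Other", message.splitlines()[0]

def build_report(text):
    """Render Norman-style bracketed sections, one de-duplicated line per observation."""
    sections = {"General information": [], "Files opened": [], "Anti-debugging": [], "Other": []}
    for tid, msg in parse_events(text):
        section, summary = classify(msg)
        entry = f"* {summary} (thread {tid})."
        if entry not in sections[section]:
            sections[section].append(entry)
    return "\n".join(f"[ {name} ]\n" + "\n".join(rows) for name, rows in sections.items() if rows)
```

Call `print(build_report(SAMPLE_LOG))`, or feed it the contents of a real Zero Wine log, to get the sectioned report.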
Nice. Thanks for the great work.
When I try to analyze some of my samples in the 0.02 QEMU image I don't get any sort of useful results at all. Not even PE information comes out right.
I am running it under Windows, but as it is a virtual machine it shouldn't make any difference, right?
Hi mboman,
Sorry for the late response. What is the malware you're analyzing? What is the md5?
And, of course, the operating system doesn't matter at all.
Yes, the ${md5}.exe, like 1ed50972cdba7bda1d4a4655977e1072.exe
Hi,
I can't find the sample anywhere. Can you send it to me privately (compressed with a password)?