Mac-address-virtualization-detection

From aldeid
Jump to navigation Jump to search

Description

The first three bytes of a MAC address are typically specific to the vendor. A public list is available here: http://standards-oui.ieee.org/oui.txt.

Malware can use this technique to determine if it is run inside VMware: 

$ wget http://standards-oui.ieee.org/oui.txt
$ grep "00-0C-29" oui.txt
 00-0C-29   (hex)		VMware, Inc.

Below are some more examples of the 3 first bytes associated to VMware: 

$ egrep "\(hex\)\s+VMware" oui.txt 
  00-05-69   (hex)		VMware, Inc.
  00-0C-29   (hex)		VMware, Inc.
  00-1C-14   (hex)		VMware, Inc
  00-50-56   (hex)		VMware, Inc.

Example

Below is a full example that shows how malware can get the 3 first bytes of a mac address to determine whether it corresponds to VMware. This example is an extract from Lab17-03 from the "Practical Malware Analysis" book.

GetAdaptersInfo

First of all, an array of possible VMware related mac addresses is built (items will be grouped by 3: {00h,50h,56h}, {00h,0Ch,29h}, ...) and GetAdaptersInfo is called with a NULL pointer (pAdapterInfo). This is a technique that will generate an error (ERROR_BUFFER_OVERFLOW) but will fill dwBytes with the number of bytes to be allocated.

The bytes are then allocated with GetProcessHeap and HeapAlloc. GetAdaptersInfo is then called a second time, but this time, with the correct parameters:

After the call to GetAdaptersInfo_Address, the lpMem parameter is a pointer to a linked list of IP_ADAPTER_INFO structures with a size of dwBytes.

The malware is then cycling through the network interfaces:

Then the malware is checking whether the first 3 bytes of the mac address are found in the array corresponding to the VMware vendor. 

.text:004017CC                 jmp     short loc_4017D7
.text:004017CE ; ---------------------------------------------------------------------------
.text:004017CE
.text:004017CE loc_4017CE:
.text:004017CE                 mov     edx, [ebp+var_3C]
.text:004017D1                 add     edx, 3 ; groups of 3 items in the array
.text:004017D4                 mov     [ebp+var_3C], edx
.text:004017D7
.text:004017D7 loc_4017D7:
.text:004017D7                 cmp     [ebp+var_3C], 1Bh ; Cycle thru 27 items of array
.text:004017DB                 jnb     short loc_401816
.text:004017DD                 mov     ecx, 3
.text:004017E2                 mov     eax, [ebp+var_3C]
.text:004017E5                 lea     edi, [ebp+eax+ByteArray]
.text:004017E9                 mov     esi, [ebp+lpMem]
.text:004017EC                 add     esi, IP_ADAPTER_INFO.Address
.text:004017F2                 xor     edx, edx
.text:004017F4                 repe cmpsb
.text:004017F6                 jnz     short loc_401814
Retrieved from "https://www.aldeid.com/w/index.php?title=Mac-address-virtualization-detection&oldid=30910"