Introduction
Throughout the past few months, FireEye Labs has observed an increased use of Windows Management Instrumentation (WMI) queries for environment detection and evasion of dynamic analysis and virtualization engines. WMI provides high-level interaction with Windows objects using C/C++, VBScript, JScript, C#, etc. in the form of WMI Query Language (WQL). Last year, FireEye published a white paper detailing an in-depth analysis of WMI infrastructure and potential abuses of WMI services by malware writers.
In this post we will present an analysis of some samples found in the wild in 2016. For the purposes of this blog post, we will focus on evasion only, ignoring other malicious aspects of the samples.
Evasion after Anti-Virus Detection
Anti-virus products can be detected by a WMI query because they are registered in the AntiVirusProduct class under the root\SecurityCenter2 namespace (root\SecurityCenter before Vista). We analyzed a sample that first checked the operating system via the Win32_OperatingSystem class under the root\cimv2 namespace and, if the OS version was above 6 (Windows Vista and above), performed the anti-virus check. Figure 1 shows the VBScript code of the anti-virus check.
Figure 1: Anti-virus product checks in VBScript code using WMI query
Anti-virus and other user information is sent to the server, which uses it to select the right payload or to perform evasion, as shown in Figure 2.
Figure 2: Anti-virus and other info being sent to the server and actions against response
Virtualization Detection and Evasions
One of the samples was found to monitor many security products using different techniques, but the most popular virtualization software (such as VMware and VirtualBox) was detected using WMI queries. It retrieves BIOS information from the Win32_BIOS class under the root\cimv2 namespace. Specific fields/columns can also be retrieved, similar to an SQL query. The queries found in this sample binary are shown in Figure 3.
Figure 3: Virtualization software checks by the malware using WMI queries
The query yields the result shown in Figure 4 when executed in PowerShell inside the Bochs emulator.
Figure 4: Query result in PowerShell in Bochs Emulator
Figure 5 shows the full-scale environment detection performed by this sample. Other services may be checked by enumerating the running processes or by reading the Windows Registry.
Figure 5: Security products being monitored by the malware
Another sample used the Win32_ComputerSystem class for virtual machine detection, as shown in Figure 6. The result of the query (Figure 9) has a 'Model' field (Figure 7), which holds the virtual machine information in the case of VMware, VirtualBox and Virtual Machine.
Figure 6: ComputerSystem WMI query found in the sample
Figure 7: Model column retrieval
When any of the three strings matches the 'Model' field output, virtualization is detected by comparing the stored value with the one created in the process, as evident in Figure 8.
Figure 8: VirtualBox, VMware and Virtual Machine checks
When the aforementioned query was executed in PowerShell on VMware Workstation 12.0, it gave the result illustrated in Figure 9.
Figure 9: Query result in PowerShell 2.0
Another sample used the Win32_VideoController and Win32_DiskDrive classes to detect virtual environments. Figure 10 shows the WMI queries found in the text section of this sample, along with the process names of VMware, Wireshark, Fiddler and other security products, which are also checked before the WMI queries are executed.
Figure 10: WMI queries found in the text section of the sample
The WMI query from Figure 10 is highlighted in the code section in Figure 11. When executed in PowerShell (Figure 12), it reveals a wealth of information through which virtual machines can easily be detected; Figure 11 shows VMware being detected this way.
Figure 11: WMI query in the code
Figure 12: WMI query, to get Video Controller information, result when executed in PowerShell
The same sample used Win32_DiskDrive to detect VirtualBox (Figure 13), Virtual Hard Disk (Figure 14) and VMware (Figure 15). When any of these virtual machines is detected, the process terminates itself, evading behavioral analysis.
Figure 13: VirtualBox detection
Figure 14: Virtual Hard disk detection
Figure 15: VMware detection
Process Detection
We analyzed a sample that not only checked for a specific process via the Win32_Process class under the root\cimv2 namespace, but also killed it. Immunity Debugger, a well-known debugger, is terminated and its folder is deleted after changing its permissions using the Windows Script Host shell, as evident in the code in Figure 16.
Figure 16: Immunity debugger being killed and folder being deleted
Moreover, the processes of anti-virus vendor Kingsoft Corporation are also forced to stop execution, i.e. its anti-virus processes are killed. The code is shown in Figure 17. Samples usually use the CreateToolhelp32Snapshot, Process32First and Process32Next APIs to find a process, but here it is evident that a single WMI query replaces tens of lines of code.
Figure 17: Code designed to kill processes associated with Kingsoft (an anti-virus product company)
Windows Services Detection
Another sample, an MS Office key generator, checked the Windows Office Software Protection Service through WMI queries (Figure 18). This service enables software vendors to enforce secure licensing on client machines. If the service is not running, it is started as shown in Figure 19. Once the Office Software Protection Service object is retrieved, it is used to install an MS Office product key.
Figure 18: Office Software Protection Service check using WMI query
Figure 19: Code to start/restart Office Software Protection Service
Summary
During analysis and research, it has been observed that the WMI queries shown in Figure 20 can be used for environment detection and, combined with further checks, for evasion as well. There may be more queries that are not listed in Figure 20, but we suggest that security researchers should at least monitor the listed queries when evaluating samples.
Figure 20: Possible WMI queries for environment detection
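The monitoring suggested above can be turned into a simple detector. The following is an added example written for this post and is not FireEye's code or code from any of the analyzed samples. It covers the classes discussed in the anti-virus, virtualization and process sections (AntiVirusProduct, Win32_BIOS, Win32_ComputerSystem, Win32_VideoController, Win32_DiskDrive and Win32_Process) and also flags a Win32_Process Terminate call, which is how the process-killing sample behaved. The log lines are constructed; their layout ("time;pid;image;operation") and the operation strings modelled on the WMI-Activity event log ("IWbemServices::ExecQuery - <namespace> : <WQL>") are assumptions, so the parser is the part to adapt to a real source such as the WMI-Activity Trace channel, an ETW consumer or a Sysmon-derived log. The watchlist itself comes from the classes named in this post.

```python
import re
from collections import defaultdict

# WMI classes the samples in this post queried for fingerprinting, keyed by
# (namespace, class) in lower case, with the purpose each one served.
WATCHLIST = {
    (r"root\securitycenter2", "antivirusproduct"): "anti-virus enumeration",
    (r"root\securitycenter", "antivirusproduct"): "anti-virus enumeration",
    (r"root\cimv2", "win32_bios"): "VM detection via BIOS strings",
    (r"root\cimv2", "win32_computersystem"): "VM detection via Model field",
    (r"root\cimv2", "win32_videocontroller"): "VM detection via video controller",
    (r"root\cimv2", "win32_diskdrive"): "VM detection via disk model",
    (r"root\cimv2", "win32_process"): "process enumeration",
}

# Operation strings modelled on the WMI-Activity log (assumption about exact layout):
# "IWbemServices::ExecQuery - <ns> : <WQL>" for queries and
# "IWbemServices::ExecMethod - <ns> : <object path>::<method>" for method calls.
EXEC_QUERY = re.compile(r"IWbemServices::ExecQuery\s*-\s*(?P<ns>\S+)\s*:\s*(?P<wql>.+)", re.I)
EXEC_METHOD = re.compile(
    r"IWbemServices::ExecMethod\s*-\s*(?P<ns>\S+)\s*:\s*(?P<cls>\w+)[^:]*::(?P<method>\w+)", re.I)
FROM_CLAUSE = re.compile(r"\bFROM\s+(?P<cls>\w+)", re.I)

# Constructed sample log (assumption: one event per line as "time;pid;image;operation").
# sample.exe imitates the behaviour described in the post; the other two are benign noise.
SAMPLE_LOG = r"""
2016-06-01T10:00:01;4120;sample.exe;Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_OperatingSystem
2016-06-01T10:00:01;4120;sample.exe;Start IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
2016-06-01T10:00:02;4120;sample.exe;Start IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BIOS
2016-06-01T10:00:02;4120;sample.exe;Start IWbemServices::ExecQuery - root\cimv2 : SELECT Model FROM Win32_ComputerSystem
2016-06-01T10:00:03;4120;sample.exe;Start IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_VideoController
2016-06-01T10:00:03;4120;sample.exe;Start IWbemServices::ExecQuery - root\cimv2 : SELECT Model FROM Win32_DiskDrive
2016-06-01T10:00:04;4120;sample.exe;Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name = 'ImmunityDebugger.exe'
2016-06-01T10:00:04;4120;sample.exe;Start IWbemServices::ExecMethod - root\cimv2 : Win32_Process.Handle="2244"::Terminate
2016-06-01T10:00:10;812;inventory.exe;Start IWbemServices::ExecQuery - root\cimv2 : SELECT Caption FROM Win32_OperatingSystem
2016-06-01T10:00:11;812;inventory.exe;Start IWbemServices::ExecQuery - root\cimv2 : SELECT Model FROM Win32_ComputerSystem
2016-06-01T10:00:20;9000;svchost.exe;Start IWbemServices::ExecQuery - root\cimv2 : SELECT Name, State FROM Win32_Service
"""


def parse_operation(op):
    """Classify one operation string.

    Returns ("query", namespace, class, wql) for ExecQuery,
    ("method", namespace, class, method) for ExecMethod, or None if unrecognised.
    Namespace and class are lower-cased so they can be looked up in WATCHLIST.
    """
    m = EXEC_QUERY.search(op)
    if m:
        f = FROM_CLAUSE.search(m.group("wql"))
        if not f:
            return None
        return ("query", m.group("ns").lower(), f.group("cls").lower(), m.group("wql").strip())
    m = EXEC_METHOD.search(op)
    if m:
        return ("method", m.group("ns").lower(), m.group("cls").lower(), m.group("method"))
    return None


def analyze(log_text, min_classes=2):
    """Group WMI operations per (pid, image) and report watchlist hits.

    A process that queries at least `min_classes` distinct watchlisted classes,
    or that invokes Win32_Process::Terminate, is reported as "high"; a single
    watchlisted query (common for legitimate inventory tools) is "low".
    """
    per_proc = defaultdict(lambda: {"hits": [], "terminate": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _time, pid, image, op = line.split(";", 3)
        parsed = parse_operation(op)
        if parsed is None:
            continue
        kind, ns, cls, detail = parsed
        key = (pid, image)
        if kind == "method" and cls == "win32_process" and detail.lower() == "terminate":
            per_proc[key]["terminate"] = True
        purpose = WATCHLIST.get((ns, cls))
        if kind == "query" and purpose:
            per_proc[key]["hits"].append((cls, purpose, detail))

    findings = []
    for (pid, image), rec in per_proc.items():
        classes = sorted({cls for cls, _, _ in rec["hits"]})
        purposes = sorted({purpose for _, purpose, _ in rec["hits"]})
        severity = "high" if rec["terminate"] or len(classes) >= min_classes else "low"
        findings.append({"pid": pid, "image": image, "severity": severity,
                         "classes": classes, "purposes": purposes,
                         "terminate": rec["terminate"],
                         "queries": [q for _, _, q in rec["hits"]]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']}] pid={f['pid']} {f['image']} classes={f['classes']} "
              f"terminate={f['terminate']}")
```

Grouping by process and counting distinct classes is what separates a fingerprinting sequence from a single inventory query; the threshold of two classes and the Terminate escalation are design choices to tune against the environment's own management tooling. Note that the WMI-Activity Operational log's Event ID 5858 records only failed operations, so successful queries like those above are only visible if the Trace/Analytic channel or an ETW session is collected.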
Conclusion
Malware writers are always searching for new ways to evade analysis frameworks and sandboxes so that their payloads execute successfully in the targeted environments and platforms. WMI provides a simple means of environment detection that can be used to evade sandboxes and dynamic analysis tools, and that seems to be underestimated by reverse engineers and others in the security community. Mitigation steps should be taken to monitor WMI queries that could lead to such evasion.
Acknowledgements
We would like to thank Matthew Dunwoody for his valuable input. Moreover, we are also grateful to Muhammad Umer Khan and Imran Khan for their continuous support in providing relevant sample sets and validation effort.