This discussion is archived
5 Replies Latest reply: Dec 3, 2012 7:34 AM by rukbat RSS

New Multi-OS/CPU aware virus broke through virtualbox. For a reason.FYI

977138 Newbie
Currently Being Moderated
FYI (all)

Dear sir (RMS @ GNU),

my apologies. That e-mail concerned the embedding (secretly) of personal information during the make process of certain gnu software but there's a new developent and I'm extremely mad : I have been looking for ways to de-obscurify certain (gnu) Make processes. During my search I found a certain GITHUB repo that provided a way to do that. It was not "AO" but another... In reality it was a virus and/or a magic trigger that broke and destroyed All my systems in a manner of 2 hours or so.

It's a special case, methods used are not mentioned anywhere on internet. This one is multi-os aware and broke through a running virtualbox installation (I suppose via I/O hooks exploits yet unknown ). Both host and guest gets destroyed, independant of OS!

from what I have seen:
- the maker has somehow trojaned the Freedesktop.org desktop-daemon- input dbus helper software to gain and maintain root via init. Virtually everydebian based is thereby vulrenable.
- the maker has found a new way (unknown to every antivirus software) to gain Admin acces to windows system via lowlevel IO and/or abused "signed drivers" - and mmaps itselfs there to propagate..
- the virus broke through running virtualbox installations (latest installation, new installations, old VDI's) and they got all destroyed, first guest and hours or days later both host and guest installations.... also new.
- the virus injects itself on every network IF / download / and propagates on installation (triggered) within the virtualbox installation. This happens on the host too, but hours later.
- it eventually kills every document on every OS by spawning hundreds of processes to kill documents (overwrite, move, symlink)

The strange thing about this, is that GNU sources / software like the sourcecode for GLIBC and GCC was left alone! Because of that and the mentioning of GNU on that repo I contacted GNU. On my windows system there was even a special message "Thanks to Freedesktop and embedded Ruby".

The virus was obviously not meant for worldwide propagation but to target a certain audience (I suppose people like me), it's been engineered beyond belief and I triggered it somehow. In order to clean my system I tried a ISO/USB boot from AVG (linux based.) I booted from that USB and it got infected upon scanning... amazing.!!

Anyhow.. sorry to have bothered you.

Regards,

To microsoft: Windows : is trojaned via virtualbox Usb I/O and/or other lowlevel I/O trickery. Obviously new methods are used, hard to reproduce and I can only mention a few details : virtualbox breakage like this is not yet mentioned anywhere and no admin priviledges are needed to reproduce. this "virus" has no signature known to clamav/kaspersky/mssc/avg/macafee. New exploits are obviously used, unknown and/or used in a similar manner. Microsoft should investigate this on their own.

To FreeDesktop DBUS daemon: has been abused (and this darn thing is used in many debian based INIT scripts etc, in order to gain and maintain root (or worse). There was a note left on my system "thanks to freedesktop and embedded...": every Linux instance, new or old (2.6 to 3.2xxx was infected immediately). FreeDesktop: I *** your** because similar trickery is mentioned since 2009.

To certain people at Debian: thanks for not taking me seriously or even understand what you are doing. Clueless.

To Oracle: Every HOST that mounts an infected VDI, gets infected immediately upon boot. Or the other way around: upon scanning the filesystem. The scanning OS itself gets trojaned (reproduced via multiple USB installations/Gpart ISO, AVG iso) and gets destroyed . Even within virtualbox ..... the ISO grows to hunderds of gigs. Virtually. I suppose it's hooked via USB transport to gain accces over keyboard and mouse. In fact it doent matter what OS is used, the killing process is "universal" because it happens within the hooked kernelspace.

To reproduce : I cannot give much details and its hard to traceback or reconstuct the order of events but I wanted to look for a way to de-obscurify a certain gnu-make process (in particular a piece of GNU software (for ..keys) from which I suspected to embed privacy information about the user and this software is used on virtually every OS and in many software packages as building block. And I certainly found one. I guess some magic 0xUL that passed my system or action I did -triggered this OS independant chainreaction or "OSkiller" process. I should have suspected this.. well. Even github trickery was (AB)used ~/.git / gitprocesses are used for some reason because every new download got the "make" process treatment instantly. Tricks to use parts of sha1 signatures (actually the gitters identification. Some people are aware of these methods and are abusing this system, not to "watermark" but to pull off this kind of work?

The result: all my virtual Linux / Freebsd VDI/VMDK installations were completely destroyed within a manner of minutes and later the host (windows7, regular update cycle, well maintained and secured) too. It was hard to traceback and/or/try forensics because the host got infected too -- obviously no way to sandbox. (maybe I'm not clever enough). Mounting from another OS is killing that OS too. Amazing. The reason I wanted to traceback or mount a certain partition was because it contained my work on my research. I had backups (even incremental) of some instances and they all got destroyed too (unaware of the systemhooks that were luring for the magic).

Reproducable? Yes. But hard to pull off and therefore I suppose this "virus" is not meant to propagate worldwide but targetted at a certain audience. The maker(s) has/have deep profound knowledge of windows internals, virtualbox exploits,, linux exploits, methods not seen by any anti-vir software I got running. It means there's a whole bunch of multi-os exploits, application exploits, not used or mentioned anywhere, bundled in a well prepared trap for anyone who gets the magic. I still have the infected VDI's. cannot tell if they are completely destroyed because I dare not mount it in ANY way. (I tried virtually every way possible!!!!!). Forensics could do some work on the raw material.

Here's a brief list of software that must have already been trojaned / to kill the running OS's (on host/guest) of a target:
- "nonfree" linux-firmware. Certain IO/dev (dbus?) userspace layers (linux)
- linux or windows virtualbox guest addition(s): CERTAIN debian updates (* triggers the killing process). Especially the RE-make of IO kernelmods process caused a chainreaction in one case. The maker(s) did some magic there because one should assume that KERNEL code is well maintained (like Theo.d.r. does :-) )
- (gnu) remake processes of kernel mods (RT/Pre-emt) -> guest additions. I could only reproduce this a few times because my host got killed.
- github trickery....
- techniques: callbacks via IO hooks on both HID and available network devices and injects itself via sockets (because every download was infected)
- I suppose no known shellcode was used or not recognised. Every virusscanner that I got running got killed and infected upon scan, both windows and linux based, clamav and AVG mssc, macafee, kaspersky etc etc. Even a simple mount gets a host killed. Amazing.

and all of this must have been "packaged" for a special occasion? Its profoundly layered, multi-disciplined and networked (I guess there are more related triggers to this network) and this OS killer must have been ready or "waiting" for months, none of the exploits I've witnessed are mentioned on internet or have been used on seperate occasions (except for the dbus trickery: there have been rumors but no real actions by ubuntu or debian etc etc). All these multi-cpu/os/software exploits (means transports) events that happened on my systems, both metal and virtual, are not mentioned anywhere or seperately used on other occasions or else someone would have mentioned it? Even the slightest kernel breakage or trojaned kernel in this respect should gained prestige for certain w/b hat hackers. This is beyond belief. The guest/host breakage is amazing, multi-os and the killer does its work profoundly.

- so oracle can deal with this virtualbox breakage from host to guest and vice versa
- linus gets his multi-OS io / kernelspace breakage, kills of every mount or gets triggered by even mmapping.
- microsoft no idea.... no blame this should have been recognised within the security framework, but there's obviously not yet a signature known.

I don't know if I should call this a virus. It uses virus-like techniques but on so many levels happening at once. I dont think oracle or microsoft or linux / freebsd /solaris is targetted. It looks like a well contained (only propagating on the host/guest, even socks are targetted only at localhost) - trap, the killing process is very persistant and for a reason. If this was used in a network-propagating carrier virus it should raise a Major worldwide alert. I think this unknown network of suddenly revealed exploits are means to immediatly shutdown/completely kill the running system(s) of a certain audience (like me). It's like a network and eventually a killswitch, a "destroyer" which I happened to trigger while I was investigating some things concerning privacy issues (in fact building blocks for signing of public keys). This message should raise some questions.

And about that github repo. It's not AO.

Thats all folks.

0X
  • 1. Re: New Multi-OS/CPU aware virus broke through virtualbox. For a reason.FYI
    rukbat Guru Moderator
    Currently Being Moderated
    .. an interesting rant.

    What you expect the user community to do for you?
    These forums are NOT a way to contact Oracle nor Virtualbox.Org, so if that was your hope you guessed wrong.

    Your forum profile:
    Chargen           Newbie

    Handle:      Chargen
    Status Level:      Newbie
    Registered:      Nov 29, 2012
    Total Posts:      1
    Total Questions:      1 (1 unresolved)
    Name      Permutate_x0
    Location      *127.1*
    Occupation      daemonkiller
    .

    Edited by: rukbat on Nov 30, 2012 7:55 AM
    Added details of forum profile.
  • 2. Re: New Multi-OS/CPU aware virus broke through virtualbox. For a reason.FYI
    BillyVerreynne Oracle ACE
    Currently Being Moderated
    Not a single shred of real evidence provided. Only your speculation and assumptions about what you think happened.

    That is not good enough. For all we know, you could just as well have destroyed your guest and host systems yourself through ignorance and misconceptions.

    Also, you are claiming sophisticated 0-day exploits using an attack vector that requires one to download source code and make (build) it.

    Why such a sophisticated attack on such a specialised action that 99.9999% of users will NEVER do?
  • 3. Re: New Multi-OS/CPU aware virus broke through virtualbox. For a reason.FYI
    Dude! Guru
    Currently Being Moderated
    Sounds like you have a computer with a hardware defect.
  • 4. Re: New Multi-OS/CPU aware virus broke through virtualbox. For a reason.FYI
    977639 Newbie
    Currently Being Moderated
    We would really like to debug your problem but the provided information is not sufficient and very hard to parse. A few questions:
    - Which version of VirtualBox are you using?
    - What host systems did you use to test, only Windows 7 or also other systems?
    - Did you try to use an infected .vdi disk with a fresh installation of VirtualBox on a fresh host?
    - Which guest is affected (exact version please)?
    - You report that even your host will be infected (breaking through from a VirtualBox guest to a host). Did you do scan your host for viruses before you started your guest so you can be 100% sure that your host was clean before it was infected by the guest?
    - When scanning the infected system with a Linux-based virus scanner: Did the scan report any problems? If so, which? And did you consider to use a virus scanner on a read-only boot medium? In the latter case it is impossible that the virus scanner gets infected.

    I would appreciate if you could answer these questions, there could be more questions once I have the answers to these. But please, try to be precise and short when answering the questions.
  • 5. Re: New Multi-OS/CPU aware virus broke through virtualbox. For a reason.FYI
    rukbat Guru Moderator
    Currently Being Moderated
    Moderator Action:
    Virtualbox discussions are outside the scope of these OTN forums.
    Handle:      Permutate_x0
    Status Level:      Newbie
    Registered:      Nov 29, 2012
    Total Posts:      1
    Total Questions:      1 (1 unresolved)
    Name      Permutate_x0
    Location      127.1
    Occupation      daemonkiller
    This trolled thread is locked.

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points