Tuesday, March 2, 2021

Your AV is Trying to Tell You Something: VBN's Part 2

From the previous post, we learned that there are three VBN record types. I want to start with record type 2 because this is what people think of when examining VBNs. Record type 2 VBNs consist of the following structures:

  • VBN Metadata
  • Quarantine Metadata (XORed with 0x5A)
  • Quarantine Hash (XORed with 0x5A)
  • Quarantine SDDL (XORed with 0x5A) *Optional
  • Unknown (XORed with 0xA5) *Optional
  • Quarantine Data (XORed with 0xA5) *Optional
  • Quarantine Attribute (XORed with 0xA5) *Optional
These VBNs contain the quarantined file/data, except when the malicious data was cleaned by deletion. Type 2 records are by far the hardest to extract data from. The first four bytes of the VBN Metadata hold the Quarantine Metadata Header offset; following that offset brings us to the beginning of the Quarantine Metadata Header.

Quarantine Metadata

The Quarantine Metadata starts out with a header that contains the size of the Quarantine Metadata and the size from the end of the Quarantine Metadata to the end of the VBN. 

The Quarantine Metadata itself appears to be in ASN.1 format. A series of tags differentiates the size and type of each piece of data.

If we add the Quarantine Metadata Header offset (from the VBN Metadata) and the QM Size + Header Size field together, we arrive at the next structure. Which structure comes next depends on the tag found there. If it is 0x03, the Quarantine Hash structure is present. If it is 0x06, there is an unknown structure that appears to be a continuation of the Quarantine Metadata.

0x03 Quarantine Hash

The Quarantine Hash structure can contain the SHA1 hash and the size of the quarantine data. This all depends on the value of the second tag. If the value is 0x00, the hash will not be present and the VBN will end here. If it is 0x01, the hash and the rest of the fields will be present. If all fields are present in this structure, the next tag will be either 0x08 or 0x09. If the tag is 0x08, the Quarantine SDDL structure is present.

(Figure: Quarantine Hash structure with no hash data)

(Figure: Quarantine Hash structure with hash data)

Quarantine SDDL

The Quarantine SDDL contains the security descriptor for the data that was quarantined and the size of the quarantine data.

Unknown

If the Quarantine SDDL is not present, this structure is prepended to the quarantine data. I am unsure of what this structure represents at this time. It consists of a header, the size of the unknown data, and the size of the data that follows.

Quarantine Data

If the Quarantine SDDL is present, the Quarantine Data comes next, without the unknown data prepended to it. The Quarantine Data is broken into chunks XORed with 0xA5 until there are no chunks left. If the unknown data was prepended to the Quarantine Data, the Attribute structure may follow.

Quarantine Attribute

The Quarantine Attribute structure holds any attributes associated with the data. I have come across $EA_INFORMATION, $OBJECT_ID, and $DATA stored in this structure so far.

(Figure: $OBJECT_ID attribute example)

Record Type 2

Quarantine Metadata

| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 8 | QM Header | Header is always 0000000000000000 |
| 8 | 8 | QM Header Size | Size, in bytes, of the QM header |
| 16 | 8 | QM Size | Size, in bytes, of the QM |
| 24 | 8 | QM Size + Header Size | Size, in bytes, of the QM and header |
| 32 | 8 | End of QM to End of VBN | Size, in bytes, from end of QM to end of VBN |
| 40 | QM Size | Quarantine Metadata | Quarantine Metadata |

The quarantine metadata appears to be in ASN.1 format. It consists of a series of tags.

ASN.1 Tags

| Code | Value Length | Extra Data |
|---|---|---|
| 0x01 | 1 | None |
| 0x0A | 1 | None |
| 0x03 | 4 | None |
| 0x06 | 4 | None |
| 0x04 | 8 | None |
| 0x07 | 4 | NUL-terminated ASCII String (of length controlled by dword following 0x07 code) |
| 0x08 | 4 | NUL-terminated Unicode String (of length controlled by dword following 0x08 code) |
| 0x09 | 4 | Container (of length controlled by dword following 0x09 code) |
| 0x0F | 16 | None |
| 0x10 | 16 | None |

The Tag determines what comes next.

| Tag | Next structure |
|---|---|
| 0x03 | Quarantine Hash |
| 0x06 | Unknown |
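To make the Quarantine Metadata and ASN.1 Tags tables concrete, here is an added Python example (not code from the original post) that de-XORs the Quarantine Metadata region with 0x5A, parses the 40-byte header, walks the tag stream using the value lengths from the tag table, and computes where the next structure starts (QM header offset plus the QM Size + Header Size field). It uses only the first dword of the VBN Metadata, which the post identifies as the QM header offset; the rest of the VBN Metadata layout is not modelled. Little-endian byte order for the multi-byte values is an assumption, and the sample VBN bytes built at the bottom are constructed for this example, not taken from a real file.

```python
import struct

QM_HEADER_LEN = 40   # five 8-byte fields, per the Quarantine Metadata table
QM_XOR_KEY = 0x5A    # the Quarantine Metadata region is XORed with 0x5A

# Tag codes from the ASN.1 Tags table: fixed-length values ...
FIXED_LEN_TAGS = {0x01: 1, 0x0A: 1, 0x03: 4, 0x06: 4, 0x04: 8, 0x0F: 16, 0x10: 16}
# ... and length-prefixed values (a dword length follows the tag code)
PREFIXED_TAGS = {0x07: "ascii", 0x08: "utf-16-le", 0x09: "container"}


def xor_bytes(buf: bytes, key: int) -> bytes:
    """Undo the single-byte XOR obfuscation (XOR is its own inverse)."""
    return bytes(b ^ key for b in buf)


def parse_qm_header(raw: bytes) -> dict:
    """Parse the de-XORed 40-byte Quarantine Metadata header and sanity-check it."""
    if len(raw) < QM_HEADER_LEN:
        raise ValueError("truncated Quarantine Metadata header")
    magic, hdr_size, qm_size, qm_plus_hdr, tail = struct.unpack_from("<5Q", raw, 0)
    if magic != 0:
        raise ValueError("QM header should be all zeros, got 0x%016X" % magic)
    if qm_plus_hdr != hdr_size + qm_size:
        raise ValueError("QM size fields are inconsistent")
    return {"header_size": hdr_size, "qm_size": qm_size,
            "qm_plus_header": qm_plus_hdr, "end_of_qm_to_end_of_vbn": tail}


def walk_tags(buf: bytes) -> list:
    """Split a de-XORed tag stream into (tag_code, value) pairs.

    Values up to 8 bytes become little-endian ints, 16-byte values stay raw,
    strings are decoded with the NUL terminator stripped, and 0x09 containers
    are returned as raw bytes so the caller can recurse into them if needed.
    """
    out, off = [], 0
    while off < len(buf):
        tag = buf[off]
        off += 1
        if tag in FIXED_LEN_TAGS:
            n = FIXED_LEN_TAGS[tag]
            if off + n > len(buf):
                raise ValueError("tag 0x%02X runs past end of buffer" % tag)
            chunk = buf[off:off + n]
            out.append((tag, chunk if n == 16 else int.from_bytes(chunk, "little")))
            off += n
        elif tag in PREFIXED_TAGS:
            (n,) = struct.unpack_from("<I", buf, off)
            off += 4
            if off + n > len(buf):
                raise ValueError("tag 0x%02X length %d runs past end of buffer" % (tag, n))
            payload = buf[off:off + n]
            off += n
            kind = PREFIXED_TAGS[tag]
            out.append((tag, payload if kind == "container"
                        else payload.decode(kind, "replace").rstrip("\x00")))
        else:
            raise ValueError("unknown tag code 0x%02X at offset %d" % (tag, off - 1))
    return out


def parse_type2_quarantine_metadata(vbn: bytes) -> dict:
    """Locate, de-XOR and parse the Quarantine Metadata of a record type 2 VBN."""
    (qm_offset,) = struct.unpack_from("<I", vbn, 0)   # first dword of the VBN Metadata
    header = parse_qm_header(xor_bytes(vbn[qm_offset:qm_offset + QM_HEADER_LEN], QM_XOR_KEY))
    qm_start = qm_offset + header["header_size"]
    qm_raw = xor_bytes(vbn[qm_start:qm_start + header["qm_size"]], QM_XOR_KEY)
    if len(qm_raw) != header["qm_size"]:
        raise ValueError("VBN is shorter than the QM size recorded in its header")
    # QM header offset + (QM Size + Header Size) is where the next structure begins.
    return {"header": header, "tags": walk_tags(qm_raw),
            "next_structure_offset": qm_offset + header["qm_plus_header"]}


def build_sample_vbn() -> bytes:
    """Constructed sample (not a real VBN): a 16-byte stub VBN Metadata whose first
    dword points at an XOR-0x5A Quarantine Metadata block."""
    qm = (b"\x01\x01"                                                   # 0x01 tag, 1-byte value
          + b"\x03" + struct.pack("<I", 2)                              # 0x03 tag, dword value
          + b"\x07" + struct.pack("<I", 6) + b"hello\x00"               # ASCII string
          + b"\x08" + struct.pack("<I", 6) + "ab\x00".encode("utf-16-le")  # Unicode string
          + b"\x04" + struct.pack("<Q", 0x1122334455667788)             # 8-byte value
          + b"\x0F" + bytes(range(16)))                                 # 16-byte value
    header = struct.pack("<5Q", 0, QM_HEADER_LEN, len(qm), QM_HEADER_LEN + len(qm), 99)
    vbn_metadata = struct.pack("<I", 16) + b"\x00" * 12                 # dword 0: QM header offset
    return vbn_metadata + xor_bytes(header + qm, QM_XOR_KEY)


if __name__ == "__main__":
    for key, value in parse_type2_quarantine_metadata(build_sample_vbn()).items():
        print(key, value)
```

The header check that QM Size + Header Size equals the sum of the two size fields is cheap and catches a VBN that was truncated or mis-carved before any tag parsing happens; `walk_tags` likewise refuses to read past the buffer rather than silently returning partial values.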

Quarantine Hash

| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 1 | Tag1 | 0x03 |
| 1 | 4 | Tag1 Value | Tag1 Value |
| 5 | 1 | Tag2 | Tag2 |
| 6 | 1 | Tag2 Value | Tag2 Value (value can be 0x00 or 0x01) |
| 7 | 1 | Tag3 (Optional) | Tag3 (if Tag2 Value is 0x01, Tag3 is 0x08) |
| 8 | 4 | SHA1 Hash Length (Optional) | Length of SHA1 (if Tag3 is 0x08, data will be present) |
| 12 | SHA1 Hash Length | SHA1 (Optional) | SHA1 of quarantine data |
| 94 | 1 | Tag4 (Optional) | Tag4, always 0x03 |
| 95 | 4 | Tag4 Value (Optional) | Tag4 Value |
| 99 | 1 | Tag5 (Optional) | Tag5, always 0x03 |
| 100 | 4 | Tag5 Value (Optional) | Tag5 Value |
| 104 | 1 | Tag6 (Optional) | Tag6, always 0x09 |
| 105 | 4 | Quarantine Data Size Length (Optional) | Length of quarantine data size |
| 109 | Quarantine Data Size Length | Quarantine Data Size 2 (Optional) | Size of quarantine data |
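As an added example (not code from the original post), the following Python parser walks the Quarantine Hash table above, handling both branches of Tag2: value 0x00 (no hash, the VBN ends here) and value 0x01 (SHA1 plus the remaining fields). It takes the structure in its still-XORed form and removes the 0x5A obfuscation itself. Two details are assumptions rather than statements from the post: the SHA1 is decoded as a NUL-terminated UTF-16 hex string (which is what a 0x08 tag holds, and gives exactly the 82 bytes the table's offsets imply), and the 1-byte Tag2 code in the constructed sample is 0x01. The sample bytes are constructed for this example.

```python
import struct

HASH_XOR_KEY = 0x5A   # the Quarantine Hash structure is XORed with 0x5A


def xor_bytes(buf: bytes, key: int) -> bytes:
    """Undo the single-byte XOR obfuscation (XOR is its own inverse)."""
    return bytes(b ^ key for b in buf)


def parse_quarantine_hash(obfuscated: bytes) -> dict:
    """Parse a Quarantine Hash structure from its still-XORed bytes.

    Returns the decoded fields plus 'next_offset', the offset (relative to the
    start of this structure) at which the following structure begins. When
    Tag2's value is 0x00 there is no hash and the VBN ends with this structure.
    """
    raw = xor_bytes(obfuscated, HASH_XOR_KEY)
    if len(raw) < 7 or raw[0] != 0x03:
        raise ValueError("expected Tag1 (0x03) at offset 0")
    (tag1_value,) = struct.unpack_from("<I", raw, 1)
    result = {"tag1_value": tag1_value, "tag2": raw[5], "tag2_value": raw[6],
              "sha1": None, "quarantine_data_size": None}
    if raw[6] == 0x00:                       # no hash data: nothing follows
        result["next_offset"] = 7
        return result
    if raw[6] != 0x01 or len(raw) < 12 or raw[7] != 0x08:
        raise ValueError("Tag2 value 0x%02X not understood, or Tag3 is not 0x08" % raw[6])
    (hash_len,) = struct.unpack_from("<I", raw, 8)
    off = 12
    if off + hash_len > len(raw):
        raise ValueError("SHA1 field runs past end of structure")
    # Tag3 is a 0x08 Unicode-string tag: the SHA1 is stored as NUL-terminated UTF-16 hex text
    result["sha1"] = raw[off:off + hash_len].decode("utf-16-le", "replace").rstrip("\x00")
    off += hash_len
    # Tag4 and Tag5: each a 0x03 code followed by a dword value
    for name in ("tag4_value", "tag5_value"):
        if off + 5 > len(raw) or raw[off] != 0x03:
            raise ValueError("expected a 0x03 tag at offset %d" % off)
        (result[name],) = struct.unpack_from("<I", raw, off + 1)
        off += 5
    # Tag6: 0x09 container whose dword length says how many bytes the quarantine data size occupies
    if off + 5 > len(raw) or raw[off] != 0x09:
        raise ValueError("expected Tag6 (0x09) at offset %d" % off)
    (size_len,) = struct.unpack_from("<I", raw, off + 1)
    off += 5
    if off + size_len > len(raw):
        raise ValueError("quarantine data size field runs past end of structure")
    result["quarantine_data_size"] = int.from_bytes(raw[off:off + size_len], "little")
    result["next_offset"] = off + size_len
    return result


def build_sample_hash_struct(with_hash: bool) -> bytes:
    """Constructed sample bytes (not from a real VBN), returned already XORed with 0x5A."""
    body = b"\x03" + struct.pack("<I", 1)            # Tag1 + value
    body += b"\x01"                                   # Tag2 (assumed 1-byte tag code 0x01)
    if not with_hash:
        return xor_bytes(body + b"\x00", HASH_XOR_KEY)   # Tag2 value 0x00: VBN ends here
    # SHA1 of the empty string, used here only as a well-known 40-hex-digit value
    sha1_text = ("da39a3ee5e6b4b0d3255bfef95601890afd80709" + "\x00").encode("utf-16-le")  # 82 bytes
    body += b"\x01"                                   # Tag2 value 0x01: hash present
    body += b"\x08" + struct.pack("<I", len(sha1_text)) + sha1_text   # Tag3 + SHA1 string
    body += b"\x03" + struct.pack("<I", 0)            # Tag4 + value
    body += b"\x03" + struct.pack("<I", 1)            # Tag5 + value
    body += b"\x09" + struct.pack("<I", 8) + struct.pack("<Q", 4096)  # Tag6 + 8-byte data size
    return xor_bytes(body, HASH_XOR_KEY)


if __name__ == "__main__":
    print(parse_quarantine_hash(build_sample_hash_struct(True)))
    print(parse_quarantine_hash(build_sample_hash_struct(False)))
```

After this returns, the caller reads the tag byte at `next_offset` (in the following structure's own XOR scheme) to decide whether a Quarantine SDDL (0x08) follows; the 82-byte hash string is why Tag4 lands at offset 94 in the table.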

Quarantine SDDL (Optional)

(may not be present)

| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 1 | Tag7 | Tag7, always 0x08 |
| 1 | 4 | Security Descriptor Size | Variable length |
| 5 | Security Descriptor Size | Security Descriptor | Security descriptor of file |
| Varies | 1 | Tag8 | Tag8 |
| Varies | 4 | Tag8 Value | Tag8 Value |
| Varies | 1 | Tag9 | Tag9 |
| Varies | 8 | Quarantine Data Size 3 | Size of quarantine data |

If the Quarantine SDDL tag is not present, there can be two additional structures included with the quarantine data.

Unknown (Optional)

If the Quarantine Data Size in the VBN Metadata is smaller than the Quarantine Data Size in the Quarantine Info, this structure will be present.

| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 1 | Tag | ASN.1 tag, 0x09 |
| 1 | 4 | Chunk Size | Variable length |
| 5 | 8 | Unknown | Will require further investigation as to the purpose of this entry (XORed with 0xA5) |
| 13 | 4 | Unknown Data Size | Size of unknown data (XORed with 0xA5) |
| 17 | 8 | Unknown | Will require further investigation as to the purpose of this entry (XORed with 0xA5) |
| 25 | Unknown Data Size | Unknown | Will require further investigation as to the purpose of this entry (XORed with 0xA5) |
| Varies | 8 | Unknown | Will require further investigation as to the purpose of this entry (XORed with 0xA5) |
| Varies | 4 | Quarantine Data Size | Size of quarantined data (XORed with 0xA5) |
| Varies | 8 | Unknown | Will require further investigation as to the purpose of this entry (XORed with 0xA5) |
| Varies | Chunk Size | Data | Quarantine data (XORed with 0xA5) |

Quarantine Data (Optional)

The quarantine data is broken into chunks of data XORed with 0xA5. This continues until the last chunk divider.

| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 1 | Tag | ASN.1 tag, 0x09 |
| 1 | 4 | Chunk Size | Variable length |
| 5 | Chunk Size | Data | Quarantine data (XORed with 0xA5) |
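The chunk walk described in the Quarantine Data section, as an added Python example that is not code from the original post: it removes the 0xA5 XOR, consumes 0x09 chunks until the byte where a tag is expected is no longer 0x09 (the optional Attribute structure or end of input), reassembles the payload, and cross-checks it against a SHA1 of the kind recorded in the Quarantine Hash structure. It assumes, as the structure list at the top of the post indicates, that the chunk tag and size bytes are XORed with 0xA5 along with the data, and that the size dword is little-endian. The payload and chunk layout are constructed for the example; a deliberately truncated copy shows the failure mode a damaged VBN produces.

```python
import hashlib
import struct

QDATA_XOR_KEY = 0xA5   # Quarantine Data chunks are XORed with 0xA5
CHUNK_TAG = 0x09       # each chunk starts with ASN.1-style tag 0x09 and a dword size


def xor_bytes(buf: bytes, key: int) -> bytes:
    """Undo the single-byte XOR obfuscation (XOR is its own inverse)."""
    return bytes(b ^ key for b in buf)


def extract_quarantine_data(region: bytes) -> tuple:
    """Reassemble the quarantined file from a region of 0x09 chunks.

    `region` holds the still-XORed bytes starting at the first chunk. Chunks
    are consumed until the byte where a chunk tag is expected is not 0x09.
    Returns (payload, bytes_consumed); raises ValueError on a truncated chunk.
    """
    raw = xor_bytes(region, QDATA_XOR_KEY)
    payload, off = bytearray(), 0
    while off < len(raw) and raw[off] == CHUNK_TAG:
        if off + 5 > len(raw):
            raise ValueError("truncated chunk header at offset %d" % off)
        (size,) = struct.unpack_from("<I", raw, off + 1)
        start = off + 5
        if start + size > len(raw):
            raise ValueError("chunk at offset %d declares %d bytes but only %d remain"
                             % (off, size, len(raw) - start))
        payload += raw[start:start + size]
        off = start + size
    return bytes(payload), off


def is_well_formed(region: bytes) -> bool:
    """True when every chunk in the region is complete (useful for triaging damaged VBNs)."""
    try:
        extract_quarantine_data(region)
        return True
    except ValueError:
        return False


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def matches_quarantine_hash(payload: bytes, sha1_from_hash_struct: str) -> bool:
    """Cross-check the reassembled payload against the SHA1 from the Quarantine Hash structure."""
    return sha1_hex(payload) == sha1_from_hash_struct.lower()


# Constructed stand-in for a quarantined file; it is not real malware.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed sample payload, not real malware"


def build_sample_region(payload: bytes, chunk_size: int) -> bytes:
    """Constructed sample (not from a real VBN): split payload into 0x09 chunks, then XOR with 0xA5."""
    region = b""
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        region += bytes([CHUNK_TAG]) + struct.pack("<I", len(piece)) + piece
    return xor_bytes(region, QDATA_XOR_KEY)


if __name__ == "__main__":
    region = build_sample_region(SAMPLE_PAYLOAD, 10)
    data, used = extract_quarantine_data(region)
    print(used, "bytes of chunks ->", len(data), "bytes of payload; sha1", sha1_hex(data))
    print("truncated copy well-formed?", is_well_formed(region[:-3]))
```

Comparing the reassembled bytes against the SHA1 carried in the Quarantine Hash structure is the quickest way to confirm that chunk boundaries were handled correctly before the recovered file is hashed, submitted, or examined further.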

Attribute (Optional)

The following data is XORed with 0xA5.

| Offset | Length | Field | Description |
|---|---|---|---|
| Varies | 8 | Attribute Data Type (Optional) | 0x02 = $EA, 0x04 = $DATA, 0x07 = $OBJECT_ID |
| Varies | 8 | Attribute Data Size (Optional) | Size of attribute data |
| Varies | 4 | Attribute Name Size (Optional) | Size of attribute name field |
| Varies | Attribute Name Size | Attribute Name (Optional) | Name of attribute |
| Varies | Attribute Data Size | Attribute Data (Optional) | Data, varies by type |

The Unknown structure also appears to be in ASN.1 format and consists of the same series of tags listed in the ASN.1 Tags table above.

