SLIME: AUTOMATED ANTI-SANDBOXING DISARMAMENT SYSTEM
Yosuke Chubachi and Kenji Aiko, FFRI, Inc.
About us

Yosuke Chubachi
He has been a security engineer at FFRI, Inc. since last spring. He studied at the Graduate School of Information System Engineering, University of Tsukuba. He is a Security Camp lecturer and a member of the SECCON executive committee since 2012.

Kenji Aiko
He is a programmer at FFRI, Inc. and one of the developers of "FFR yarai", a targeted-attack protection product. He is a Security Camp lecturer and a member of the SECCON executive committee since 2012.
March 27, 2015
Contents

• Background and Motivation
• State of the Art of Anti-sandboxing
• SLIME Design and Implementation
• Disarming Real Malware
• Experiments
• Conclusion
Background and Motivation
Background

• Malware explosion: over 120,000,000 new malware samples in 2014
• Antivirus is dead…?

Source: AV-TEST, Malware Statistics, New Malware (viewed Nov. 05, 2014), http://www.av-test.org/en/statistics/malware/
We need dynamic and automated malware analysis

• "Scalability" is the most important factor in the information-explosion era: cloud, big data, IoT
• Malware analysis also needs a "scalable" methodology
"Use the sandbox, Luke"

• Security engineers and researchers use sandbox environments for malware analysis
• Automated dynamic analysis technology is also based on VM/application sandboxes
Malware strikes back

• Sophisticated malware arms itself with many anti-analysis techniques; naturally, this is seen in targeted attacks, cyber espionage and banking malware
• Researchers call such malware "evasive malware"
Related work

• BareCloud [Dhilung Kirat et al., USENIX SEC '14]: "5,835 evasive malware out of 110,005 recent samples"
• Prevalent Characteristics in Modern Malware [Gabriel et al., BH USA '14]: "80% malware detect vmware using backdoor port"

What do you think?
Motivation

• Automatically investigate the conditions that a sample uses for sandbox evasion, so that the right sandbox configuration can be selected from the investigated conditions
Challenges

• The system must be embeddable into a product and standalone, because we are developing an anti-virus application
State of the Art of Anti-sandboxing
State-of-the-art anti-sandboxing

• CyberGate (RAT)
• Chthonic (online banking malware)
CyberGate

• A popular RAT tool
• CyberGate can generate a remote-access server for the targeted host
• Anti-sandbox option enabled
CyberGate (screenshot)
Anti-sandboxing code generated by CyberGate (screenshot)
Chthonic

• Banking trojan, a subspecies of the ZeuS family
• The Chthonic downloader injects malicious code into msiexec.exe
• The downloader also changes its behavior if it runs on a sandbox or a virtual machine

See also: https://securelist.com/blog/virus-watch/68176/chthonic-a-new-modification-of-zeus/
Chthonic (screenshot): calling many VM/sandbox detection routines
Chthonic anti-sandboxing

• Finding VM/sandbox artifacts: the device names \\.\HGFS (VMware shared folders), \\.\VBoxGuest (VirtualBox guest additions), \\.\vmci (VMware VMCI) and \\.\Wine, and the DLL sbie.dll (Sandboxie)
• Similar to "Citadel": Citadel also looks for VM/sandbox artifacts
Type of anti-sandbox

• Anti-sandbox maneuvers
  ✓ Environment awareness
    - Using the result of VM/sandbox detection
    - Host fingerprinting
  ☐ (Stalling code)
  ☐ (User/network interaction checks)
Environment awareness

• Checking the host environment
• If the malware detects the analyzer's signs, it runs a decoy routine or exits itself: the malicious behavior is never executed

[Figure: Initialization (unpack) -> Sandbox (incl. VM) detection -> Malicious routine; or Decoy routine if running on an analyzing environment]
Sandbox (debug/sandbox/VM) detection

✓ Artifact fingerprinting
✓ Execution environment fingerprinting
☐ (Execution timing detection)
Sandbox (debug/sandbox/VM) detection

[Figure: environment-aware malware on a host probes three things: VM-related and sandbox-specific artifacts (artifact fingerprinting), whether a VMM is present (execution environment fingerprinting), and how long code takes to run (execution timing detection)]
Artifact fingerprinting

• Sandbox/VM environment-specific files
• Sandbox/VM environment-specific registry keys
• Sandbox/VM environment-specific devices and their attributes, e.g. the QEMU HDD vendor name
• Sandbox/VM-specific I/O ports: the VMware backdoor port (port 0x5658, "VX", queried with the magic value 0x564D5868, "VMXh", in EAX) is the most famous artifact in malware
• Sandbox/VM-related processes, such as those of VMware, VirtualBox, etc.
Execution environment fingerprinting

• Using virtual-machine-implementation-specific platform values and reactions: CPUID instruction results; Red Pill (the SIDT trick)
• Using LDT/GDT and IDT incongruities
  - Interesting research here: Cardinal Pill Testing [Shi et al., USENIX SEC '14]
Execution timing detection

• Using clock-count differentials (e.g. RDTSC before and after a block of code): a traditional anti-debug technique

[Figure: comparing TSC differentials]
SLIME: Design and Implementation
SLIME key technologies

• Malware palpation
• Code execution integrity (CEI)
• Retroactive condition analysis
Concept: malware palpation

1. Our sandbox runs the malware again and again, changing which "virtual" artifacts are exposed on each execution, for execution branch detection
2. Retroactive condition analysis: identifying the "branch condition" behind an unnatural process termination
Malware palpation

• The SLIME sandbox fakes different sandbox-related artifacts on each malware execution
  - The execution difference is detected using code execution integrity (CEI)

[Figure: in the first execution the malware calls CreateFile(...) and the API emulator fakes the VMware artifact, e.g. vmmouse.sys, as present (SLIME VMware faking); in the second execution the same CreateFile(...) is answered "not found". Both runs go through the same runtime and libraries in user space, with SLIME sitting between them and the kernel-space view.]
Code execution integrity (CEI)

• CEI shows the uniqueness of an instruction execution history; inspired by TPM trust chaining
• One "measurement" per instruction:

  Digest[i] = SHA1( fetched CPU instruction || Digest[i-1] )

  Example (instruction, encoding, chained digest):

  mov $0x616b6157, %eax    b8 57 61 6b 61    d[0] = SHA1( b857616b61 )
  push %ebx                53                d[1] = SHA1( 53 || d[0] )
  push %eax                50                d[2] = SHA1( 50 || d[1] )
  mov $4, %edx             ba 04 00 00 00    d[3] = SHA1( ba04000000 || d[2] )
  mov $1, %ebx             bb 01 00 00 00    ...
Execution branch detection

• Using the execution step count and the code execution integrity (CEI) value

  Sample (VMware backdoor-port check; rc receives the result):

      in eax, dx
      cmp ebx, 0x564D5868
      jne NOTVMX
      jmp ISVMX
  NOTVMX:
      mov rc, 0
      jmp done
  ISVMX:
      mov rc, eax
      jmp done

  Run 1 (NOTVMX path): CEI[0]1 … CEI[4]1, 5 steps
  Run 2 (ISVMX path):  CEI[0]2 … CEI[5]2, 6 steps

  The two runs share CEI[0] to CEI[2] (in, cmp, jne) and diverge at step 3, so the jne is identified as the branch that depends on the faked artifact.
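The CEI chain and the branch detection from the two slides above, as an added example written for this page rather than code from SLIME: a tiny interpreter runs the backdoor-port snippet twice, once with the artifact hidden and once with it faked (the palpation idea), chains SHA-1 digests over the fetched instruction bytes, and reports the step at which the two chains diverge. The instruction encodings, the layout addresses, the `rc` variable at 0x00403000 and the modelling of "no VMware" as "EBX stays 0" are assumptions made for the example.

```python
# Added example (not SLIME's code): a toy model of Code Execution Integrity
# (CEI) and execution branch detection, run against the VMware backdoor-port
# check on the slide. Encodings, addresses and the `rc` location are assumed.
import hashlib

VMWARE_MAGIC = 0x564D5868   # 'VMXh': the backdoor port answers with this in EBX
RC_ADDR = 0x00403000        # assumed address of the `rc` variable
RC_LE = RC_ADDR.to_bytes(4, "little")
DONE = 0x1E                 # address of the `done` label

# (address, raw bytes, mnemonic), laid out so that every rel8 jump is consistent.
PROGRAM = [
    (0x00, b"\xed",                                           "in eax, dx"),
    (0x01, b"\x81\xfb" + VMWARE_MAGIC.to_bytes(4, "little"),  "cmp ebx, 0x564D5868"),
    (0x07, b"\x75\x02",                                       "jne NOTVMX"),
    (0x09, b"\xeb\x0c",                                       "jmp ISVMX"),
    (0x0B, b"\xc7\x05" + RC_LE + b"\x00" * 4,                 "NOTVMX: mov dword [rc], 0"),
    (0x15, b"\xeb\x07",                                       "jmp done"),
    (0x17, b"\xa3" + RC_LE,                                   "ISVMX: mov [rc], eax"),
    (0x1C, b"\xeb\x00",                                       "jmp done"),
]


def run(fake_vmware):
    """Execute PROGRAM in a minimal interpreter that knows only the instructions
    above. `fake_vmware` is the palpation knob: when True the emulated backdoor
    port answers like a VMware host. Returns (trace, rc) where trace is a list
    of (address, raw bytes, mnemonic)."""
    code = {addr: (raw, mnem) for addr, raw, mnem in PROGRAM}
    eax, ebx, zf, rc = VMWARE_MAGIC, 0, False, None   # malware loads 'VMXh' into EAX first
    pc, trace = 0x00, []
    while pc != DONE:
        raw, mnem = code[pc]
        trace.append((pc, raw, mnem))
        nxt = pc + len(raw)
        op = mnem.split(":")[-1].split()[0]
        if op == "in":
            # Real hardware raises #GP here (malware wraps it in SEH); the model
            # treats "no VMware" as the port simply not answering (assumption).
            ebx = VMWARE_MAGIC if fake_vmware else 0
        elif op == "cmp":
            zf = ebx == int.from_bytes(raw[2:], "little")
        elif op == "jne":
            nxt = nxt + raw[1] if not zf else nxt   # forward rel8
        elif op == "jmp":
            nxt = nxt + raw[1]
        elif op == "mov":
            rc = 0 if raw[0] == 0xC7 else eax
        pc = nxt
    return trace, rc


def cei_chain(trace):
    """Digest[i] = SHA1(fetched instruction bytes || Digest[i-1]); Digest[-1] is empty."""
    chain, prev = [], b""
    for _, raw, _ in trace:
        prev = hashlib.sha1(raw + prev).digest()
        chain.append(prev)
    return chain


def first_divergence(chain_a, chain_b):
    """Index of the first step whose CEI differs, or None if the chains agree.
    A chain that merely extends the other diverges at the shorter length."""
    for i, (a, b) in enumerate(zip(chain_a, chain_b)):
        if a != b:
            return i
    return None if len(chain_a) == len(chain_b) else min(len(chain_a), len(chain_b))


def palpate():
    """Run the sample twice, hiding then faking the VMware artifact, and locate
    the branch whose outcome depended on it."""
    hidden, rc_hidden = run(fake_vmware=False)
    faked, rc_faked = run(fake_vmware=True)
    step = first_divergence(cei_chain(hidden), cei_chain(faked))
    return {
        "steps": (len(hidden), len(faked)),
        "rc": (rc_hidden, rc_faked),
        "divergence_step": step,
        # The last instruction both runs executed identically is the branch
        # that consumed the artifact check.
        "branch_insn": hidden[step - 1][2] if step else None,
    }


if __name__ == "__main__":
    for key, value in palpate().items():
        print(f"{key}: {value}")
```

Because CEI hashes only the fetched bytes, two runs that follow the same path but compute different data produce identical chains; the method finds control-flow differences, which is exactly what a decoy-versus-malicious branch is. The last common digest (step 2, the jne) names the branch that consumed the artifact check, and the differing step counts (5 versus 6) are the cheap first indicator the slide mentions.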
Retroactive condition analysis

• On a suspicious termination, the sandbox traces back from the termination to the API call, and its arguments, that decided it
  - Only a few steps were executed
  - The process terminated before any network activity

  Sample (exits unless the module path equals the expected path):

      sub esp, 1024
      mov ebx, esp
      push 400h
      push ebx
      push 0h
      call GetModuleFileNameA
      lea eax, MyPath
      push eax
      push ebx
      call lstrcmpA
      test eax, eax
      push 0h
      lea eax, MsgCaption
      push eax
      jz _ok
      lea eax, NGMsgText
      push eax
      push 0h
      call MessageBoxA
      invoke ExitProcess, NULL
  _ok:
      lea eax, OKMsgText
Implementation

• We already have a CPU-emulator-based sandbox for win32 execution (in-house use), similar to the IDA Bochs PE operation mode [11]

[Figure: on the host, the CPU emulator runs the target process with virtualized runtime and libraries, its own memory context and execution context, and shadowed file and heap state (FILE', HEAP')]
Execution logging framework

• SLIME logs every instruction per execution
  - Tracing specific API calls and their arguments for retroactive condition analysis: lstrcmpi, strcmp, GetModuleFileName, …
• Code execution integrity calculation per execution, for execution branch detection
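Retroactive condition analysis over the traced APIs named on the two slides above (GetModuleFileName, lstrcmp, ExitProcess), as an added example for this page and not SLIME's implementation: it decides whether a termination is suspicious by the slide's two criteria (few steps, no network activity), walks back from the exit to the nearest string comparison, and ties that comparison to the environment query that produced the compared value. The trace format, the two constructed traces, the API name sets and the 10,000-step threshold are assumptions.

```python
# Added example (not SLIME's code): retroactive condition analysis over a
# constructed API-call trace of the GetModuleFileNameA / lstrcmpA / ExitProcess
# sample on the slide. Trace format, paths, API sets and threshold are assumed.

TERMINATION_APIS = {"ExitProcess", "TerminateProcess", "NtTerminateProcess"}
NETWORK_APIS = {"WSAStartup", "connect", "send", "InternetOpenA", "InternetOpenW",
                "InternetOpenUrlA", "URLDownloadToFileA"}
COMPARISON_APIS = {"lstrcmpA", "lstrcmpW", "lstrcmpiA", "lstrcmpiW", "strcmp", "_stricmp"}
ENVIRONMENT_APIS = {"GetModuleFileNameA", "GetModuleFileNameW", "GetComputerNameA",
                    "GetUserNameA", "RegQueryValueExA"}
MAX_STEPS_BEFORE_EXIT = 10_000   # assumed cut-off for "only a few steps"

SANDBOX_PATH = r"C:\sandbox\sample.exe"                          # where the sandbox dropped it
EXPECTED_PATH = r"C:\Users\victim\AppData\Roaming\invoice.exe"   # MyPath in the sample

# Trace entries: (instruction step, API, arguments, return value). lpString1 is
# the buffer filled by GetModuleFileNameA (pushed last), lpString2 is MyPath.
SUSPICIOUS_TRACE = [
    (1200, "GetModuleFileNameA",
     {"hModule": 0, "lpFilename": SANDBOX_PATH, "nSize": 0x400}, len(SANDBOX_PATH)),
    (1215, "lstrcmpA", {"lpString1": SANDBOX_PATH, "lpString2": EXPECTED_PATH}, 1),
    (1230, "MessageBoxA", {"hWnd": 0, "lpText": "NG", "lpCaption": "check", "uType": 0}, 1),
    (1240, "ExitProcess", {"uExitCode": 0}, None),
]
# The same program running at the path it expects: it goes on to network I/O.
BENIGN_TRACE = [
    (1200, "GetModuleFileNameA",
     {"hModule": 0, "lpFilename": EXPECTED_PATH, "nSize": 0x400}, len(EXPECTED_PATH)),
    (1215, "lstrcmpA", {"lpString1": EXPECTED_PATH, "lpString2": EXPECTED_PATH}, 0),
    (1230, "MessageBoxA", {"hWnd": 0, "lpText": "OK", "lpCaption": "check", "uType": 0}, 1),
    (5400, "InternetOpenA", {"lpszAgent": "Mozilla/4.0"}, 0x1234),
    (9000, "ExitProcess", {"uExitCode": 0}, None),
]


def is_suspicious_termination(trace):
    """The slide's criteria: the process exits after few steps and before any
    network activity."""
    if not trace or trace[-1][1] not in TERMINATION_APIS:
        return False
    if any(api in NETWORK_APIS for _, api, _, _ in trace):
        return False
    return trace[-1][0] <= MAX_STEPS_BEFORE_EXIT


def retroactive_condition(trace):
    """Walk back from the termination to the nearest comparison API, then to the
    environment query whose output is one of the compared strings. Returns the
    reconstructed branch condition, or None if the termination looks normal."""
    if not is_suspicious_termination(trace):
        return None
    for step, api, args, ret in reversed(trace):
        if api not in COMPARISON_APIS:
            continue
        observed, expected = args["lpString1"], args["lpString2"]
        source = None
        for s, a, a_args, _ in reversed(trace):
            if s < step and a in ENVIRONMENT_APIS and observed in a_args.values():
                source = a
                break
        return {"step": step, "compare_api": api, "source_api": source,
                "observed": observed, "expected": expected, "matched": ret == 0}
    return None


def disarm_plan(cond):
    """Turn a reconstructed condition into the sandbox knob to change on the
    next run; only the module-path case is handled here."""
    if cond and cond["source_api"] and cond["source_api"].startswith("GetModuleFileName") \
            and not cond["matched"]:
        return {"place_sample_at": cond["expected"]}
    return None


if __name__ == "__main__":
    cond = retroactive_condition(SUSPICIOUS_TRACE)
    print(cond)
    print(disarm_plan(cond))
    print(retroactive_condition(BENIGN_TRACE))
```

The reconstructed condition ("module path must equal EXPECTED_PATH") is the kind of investigated condition the motivation slide wants: the next palpation run can place the sample at that path instead of guessing, and the benign trace shows why the network criterion matters, since the same program exits just as early once it has done its work.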
Camouflaging VM/sandbox-related artifact existence

• VMware: camouflaging the backdoor port, some registry entries and files
• VirtualBox: some registry entries and files
• QEMU: some registry entries and files
• Sandboxes: Anubis, Sandboxie, ThreatExpert
Disarming Real Malware
Disarming demo
Anti-VMware sample
Hash (labelled SHA256 on the slide, but 40 hex digits, i.e. SHA-1 length): C1A7E51E5E2F94193D6E17937B28155D0F121207
Detect sandbox evasion
Hash (labelled SHA256 on the slide, but 40 hex digits, i.e. SHA-1 length): 39517A057CC4A1AE34E786873C8010291A33BAB7
Experiments
Dataset

• Trying to disarm 89,119 malware samples
  - Collected over one year (2014/01/01 to 2014/12/31)
  - Original data amount: 5,244,297 samples
  - Random sampling
  - Filtered to 32-bit PE files loadable in our sandbox
Results

  Anti-sandbox type                              Count
  Detecting VMware                                  63
  Detecting VirtualBox                              70
  Detecting QEMU                                    84
  Detecting sandbox (sbie.dll and dbghelp.dll)  11,102
  Evasive malware                                   36

* Throughput: 6 malware samples per minute
Are anti-VM too few?

• We guess that more anti-VM malware exists in this dataset
  - Because our CPU emulator's coverage is not enough to run all of the malware
  - The original sandbox was developed for unpacking
Off topic: artifact finding by YARA

Using customized anti-VM rules from YaraRules:

  Anti-sandbox type            Count
  Found VMware signature      11,029
  Found VirtualBox signature     530
  Found QEMU signature           247
  Sandbox detection              235

Using SLIME-implemented artifacts only:

  Anti-sandbox type            Count
  Found VMware signature      10,985
  Found VirtualBox signature     142
  Found QEMU signature           127
  Sandbox detection              221
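A static artifact-string scan of the kind the YARA pass above performs, as an added example for this page; it is neither the authors' rule set nor the YaraRules rules. It looks for the device and DLL names from the Chthonic and artifact-fingerprinting slides in both ASCII and UTF-16LE form (the A and W API variants take different string types), plus the VMware backdoor magic as a little-endian immediate, and tallies per-family counts in the shape of the tables above. The sample bytes are constructed, and the bare product-name strings ("VMware", "VirtualBox", "QEMU") are additions to the page's list.

```python
# Added example (not the authors' YARA rules): static scan for the VM/sandbox
# artifact strings named on the Chthonic and artifact-fingerprinting slides.
# Sample bytes are constructed; the bare product-name strings are assumptions.
import struct

ARTIFACTS = {
    "VMware":     [r"\\.\HGFS", r"\\.\vmci", "vmmouse.sys", "VMware"],
    "VirtualBox": [r"\\.\VBoxGuest", "VirtualBox"],
    "QEMU":       ["QEMU HARDDISK", "QEMU"],
    "Wine":       [r"\\.\Wine"],
    "Sandbox":    ["sbie.dll", "SbieDll.dll", "dbghelp.dll"],
}
VMWARE_MAGIC_LE = struct.pack("<I", 0x564D5868)   # 'VMXh' as immediate bytes 68 58 4D 56


def forms(name):
    """Lower-cased ASCII and UTF-16LE encodings of one artifact name. A rule that
    only looks for the ASCII form misses samples that use the W API variants."""
    low = name.lower()
    return (low.encode("ascii"), low.encode("utf-16-le"))


def scan(blob):
    """Return {family: [artifact names found]} for one sample body."""
    low = blob.lower()   # bytes.lower() only touches ASCII letters, so UTF-16LE survives
    hits = {}
    for family, names in ARTIFACTS.items():
        found = [n for n in names if any(f in low for f in forms(n))]
        if found:
            hits[family] = found
    # The backdoor magic rarely appears as text; in code it is an immediate,
    # e.g. mov eax, 0x564D5868 -> B8 68 58 4D 56 (a YARA rule would use {68 58 4D 56}).
    if VMWARE_MAGIC_LE in blob:
        hits.setdefault("VMware", []).append("backdoor magic 'VMXh' as immediate")
    return hits


def tally(blobs):
    """Per-family sample counts, the shape of the tables on the slide."""
    counts = {family: 0 for family in ARTIFACTS}
    for blob in blobs:
        for family in scan(blob):
            counts[family] += 1
    return counts


# Constructed sample: an MZ stub with an ANSI VirtualBox device path, a wide
# VMware device path, the Sandboxie DLL name and the backdoor sequence
# mov eax, 'VMXh' / mov dx, 0x5658 / in eax, dx.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"\\\\.\\VBoxGuest\x00"
    + "\\\\.\\vmci".encode("utf-16-le") + b"\x00\x00"
    + b"SbieDll.dll\x00"
    + b"\xb8" + VMWARE_MAGIC_LE + b"\x66\xba\x58\x56" + b"\xed"
)
CLEAN = b"MZ\x90\x00" + b"\x00" * 60 + b"hello world\x00"

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(tally([SAMPLE, CLEAN]))
```

A string hit is a reason to palpate, not a verdict: the tables above report 11,029 static VMware hits against the 63 samples whose VMware check was confirmed dynamically on the results slide, because the same strings occur in packers, installers and legitimate guest tools.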
Can a virtual machine protect you from malware?

• No
  - The proportion of anti-VM-armed malware is low in the wild
  - Anti-VM activity is just one of the techniques used to evade blacklist-based detection
Can I ignore anti-sandboxing?

• No!
  - Many anti-sandboxing checks are found before malicious behavior such as suspicious downloads or code injection
  - If you do not pay attention to them, you will miss significant threats
Conclusion

• SLIME can automatically investigate the conditions used by sandbox evasion
• The proportion of anti-VM-armed malware is low in the wild
• However, there is no doubt that sophisticated malware often uses anti-sandboxing
Bibliography

[1] Analyzing Environment-Aware Malware, Lastline (viewed 2014.05.25). http://labs.lastline.com/analyzing-environment-aware-malware-a-look-at-zeus-trojan-variant-called-citadel-evading-traditional-sandboxes
[2] Martina Lindorfer, Clemens Kolbitsch, and Paolo Milani Comparetti. 2011. Detecting environment-sensitive malware. In Proceedings of the 14th International Conference on Recent Advances in Intrusion Detection (RAID '11). Springer-Verlag, Berlin, Heidelberg, 338-357.
[3] Clemens Kolbitsch, Engin Kirda, and Christopher Kruegel. 2011. The power of procrastination: detection and mitigation of execution-stalling malicious code. In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11). ACM, New York, NY, USA, 285-296.
[4] Min Gyung Kang, Heng Yin, Steve Hanna, Stephen McCamant, and Dawn Song. 2009. Emulating emulation-resistant malware. In Proceedings of the 1st ACM Workshop on Virtual Machine Security (VMSec '09). ACM, New York, NY, USA, 11-22.
[5] Dhilung Kirat, Giovanni Vigna, and Christopher Kruegel. 2014. BareCloud: bare-metal analysis-based evasive malware detection. In Proceedings of the 23rd USENIX Security Symposium (SEC '14). USENIX Association, Berkeley, CA, USA, 287-301.
[6] Ulrich Bayer, Imam Habibi, Davide Balzarotti, Engin Kirda, and Christopher Kruegel. 2009. A view on current malware behaviors. In Proceedings of the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More (LEET '09). USENIX Association, Berkeley, CA, USA, 8-8.
[7] Aurélien Wailly. Malware vs Virtualization: The endless cat and mouse play (viewed 2014.05.25). http://aurelien.wail.ly/publications/hip-2013-slides.html
[8] Lorenzo Martignoni, Roberto Paleari, Giampaolo Fresi Roglia, and Danilo Bruschi. 2009. Testing CPU emulators. In Proceedings of the 18th International Symposium on Software Testing and Analysis (ISSTA '09). ACM, New York, NY, USA, 261-272.
[9] Hao Shi, Abdulla Alwabel, and Jelena Mirkovic. 2014. Cardinal Pill Testing of System Virtual Machines. In Proceedings of the 23rd USENIX Security Symposium (SEC '14). USENIX Association, Berkeley, CA, USA, 271-285.
[10] Lorenzo Martignoni, Roberto Paleari, Giampaolo Fresi Roglia, and Danilo Bruschi. 2010. Testing system virtual machines. In Proceedings of the 19th International Symposium on Software Testing and Analysis (ISSTA '10). ACM, New York, NY, USA, 171-182.
[11] IDA Bochs PE operation mode. https://www.hex-rays.com/products/ida/support/idadoc/1332.shtml
Fin.