Anti-Sandbox Malware tricks
Your speakers today
o Nick Bilogorskiy (@belogor), Director of Security Research
o Shelendra Sharma, Product Marketing Director
Agenda
o Introduction to Sandboxing
o How Malware breaks sandboxes
o Wrap-up and Q&A
Cyphort Labs T-shirt
Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from malware knowledge bases
o Best of third-party threat data
What is a sandbox
o A sandbox is an instrumented detonation environment where malware can be run and observed without harming the real system.
o Sandboxes are used for dynamic malware analysis and behavior-based detection.
o Sandboxing is a NECESSARY but NOT SUFFICIENT condition for effective behavior detection.
Sandbox History
o 2003: Norman Sandbox
o 2006: Anubis
o 2007: JoeBox
o 2008: ThreatExpert
o 2010: Cuckoo
Methods of Analysis in Sandboxes
o User hooks: a software component installed inside the guest OS reports user-mode activity to the trace handler (it works much like a keylogger).
o Kernel hooks: the guest OS kernel is modified to meet the tracing requirements (it works much like a rootkit).
o System emulation: a hardware emulator is modified to hook memory access, disk I/O, peripherals and so on, and to report that activity.
Use of Sandboxes
1. Simplify malware research: show traces
2. Automated behavior-based malware detection: add analytics
Breaking Sandboxes
Anti-Sandboxing
o 1. Detecting virtualization
o 2. Detecting the presence of a live user (Turing test)
o 3. Detecting hooking, or exploiting sandbox limitations
o Just as packers became effective against signature-based AV, evasion and armoring now bypass rudimentary sandboxes.
How much malware can detect Virtual Machines
Source: Antiy Labs
How much malware can detect Virtual Machines
Source: Qualys Labs
Detect Virtualization via Registry check
o VMware can be detected via the registry: HKLM\HARDWARE\Description\System "SystemBiosVersion"
o VirtualBox can be detected via the registry: HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
o PAFISH (Paranoid Fish): github.com/a0rtega/pafish
Poll question
How many of the 5 sandboxes I mentioned earlier (Cuckoo, GFI, JoeSandbox, Comodo, ThreatExpert) can be detected by PAFISH (Paranoid Fish)?
None1234All of them
PAFISH detects all
Detecting Virtualization
o Check if the disk size is less than 50 GB (Pafish code shown on slide)
o Check if the disk is called "VBOX" (Pafish code shown on slide)
Source: http://pastebin.com/u/waliedassar
Detecting VMware
o I/O port virtualization: the VMware "backdoor" answers an IN instruction on port 0x5658 when EAX holds the magic value 0x564D5868 ("VMXh"); on real hardware that instruction faults in user mode.
Detecting Virtualization by Timing
o Red Pill: read the IDTR (Interrupt Descriptor Table Register) with SIDT; a hypervisor relocates the IDT, so its base address betrays the VM. The classic threshold is unreliable on multi-core and 64-bit systems, so timing checks (cycle counts around a trapped instruction such as CPUID) are the more common variant today.
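Both of these low-level checks, as an added example rather than code from the slides or from Pafish: the VMware backdoor probe wrapped in a SIGSEGV handler so it is safe to run on real hardware (where the ring-3 IN raises a general protection fault), and an RDTSC/CPUID timing probe. It is Linux x86/x86-64 only (the functions report "unsupported" elsewhere) and the ~1000-cycle threshold mentioned in the comment is a rule of thumb, not a value from the slides.

```c
/* Added example, not part of the Cyphort slides or Pafish.
 * Build: cc -O1 -o vmcheck vmcheck.c  (Linux, x86 or x86-64) */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* 1 if the inline-asm checks below can run on this build, else 0. */
int x86_inline_checks_supported(void)
{
#if defined(__x86_64__) || defined(__i386__)
    return 1;
#else
    return 0;
#endif
}

/* VMware backdoor: IN from port 0x5658 with EAX = 'VMXh' and ECX = 0x0A
 * (command "get version") returns 'VMXh' in EBX inside a VMware guest.
 * Anywhere else a ring-3 IN raises #GP, which Linux delivers as SIGSEGV;
 * the handler long-jumps back and the check reports "not present".
 * Returns 1 = VMware detected, 0 = not detected, -1 = unsupported CPU. */
int vmware_backdoor_present(void)
{
#if defined(__x86_64__) || defined(__i386__)
    struct sigaction sa, old;
    volatile int detected = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0) {
        uint32_t eax = 0x564D5868u, ebx = 0, ecx = 0x0A, edx = 0x5658;
        __asm__ __volatile__("inl %%dx, %%eax"
                             : "+a"(eax), "=b"(ebx), "+c"(ecx)
                             : "d"(edx)
                             : "memory");
        detected = (ebx == 0x564D5868u);
    }
    sigaction(SIGSEGV, &old, NULL);
    return detected;
#else
    return -1;
#endif
}

/* Timing check: every hypervisor must intercept CPUID (a VM exit), so the
 * cycle count around it is far larger in a guest than on bare metal.
 * Returns the smallest delta seen over `rounds` samples (the minimum
 * filters out interrupts), or 0 when unsupported or rounds == 0.
 * A commonly quoted heuristic is "above ~1000 cycles means VM"; calibrate
 * for your own hardware rather than trusting that number. */
uint64_t cpuid_cycles_min(int rounds)
{
#if defined(__x86_64__) || defined(__i386__)
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < rounds; i++) {
        uint32_t lo1, hi1, lo2, hi2, a = 0, b, c = 0, d;
        __asm__ __volatile__("rdtsc" : "=a"(lo1), "=d"(hi1));
        __asm__ __volatile__("cpuid" : "+a"(a), "=b"(b), "+c"(c), "=d"(d));
        __asm__ __volatile__("rdtsc" : "=a"(lo2), "=d"(hi2));
        (void)b; (void)d;
        uint64_t t = (((uint64_t)hi2 << 32) | lo2) - (((uint64_t)hi1 << 32) | lo1);
        if (t < best) best = t;
    }
    return best == UINT64_MAX ? 0 : best;
#else
    (void)rounds;
    return 0;
#endif
}

int main(void)
{
    printf("VMware backdoor: %d\n", vmware_backdoor_present());
    printf("min RDTSC delta around CPUID: %llu cycles\n",
           (unsigned long long)cpuid_cycles_min(64));
    return 0;
}
```

The signal-handler wrapper is what makes the probe usable as a check rather than a crash; real samples achieve the same on Windows with structured exception handling around the IN instruction.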
Detect Environment: MAC Address
o 00:05:69:xx:xx:xx VMware
o 00:0C:29:xx:xx:xx VMware
o 00:1C:14:xx:xx:xx VMware
o 00:50:56:xx:xx:xx VMware
o 00:15:5D:xx:xx:xx Hyper-V
o 00:16:3E:xx:xx:xx Xen
Source: Paul Jung, Bypassing Sandboxes for Fun
Buy it: use a ready-made anti-VM tool
Detecting Virtualization: Problem
o Problem: a large portion of enterprise infrastructure is now virtualized, so malware that refuses to run on any virtual machine limits its own reach.
o Need to detect the sandbox, not the VM.
o Detect the presence/absence of a user.
Detecting User
o CAPTCHA is a possible way
o Ask user to click the mouse
o Wait for a certain action of the user to execute (go to Facebook, login to the bank)
o Perform malicious activity upon reboot
Sleep
o A popular strategy is to sleep, or to execute the malicious code only on certain dates.
o Most analysis systems are built with timeouts and limit how long they can wait, because they need to analyze many files.
o Because sleeps can be detected and stripped (the sandbox hooks Sleep and returns early), execute assorted non-malicious code in lieu of sleeping.
Detecting hooks
Ping Google
o Some sandboxes do not allow the malware to connect outside to the internet, so a simple way to detect a sandbox is just to verify internet connectivity
Malware Example: Time Acceleration Detection
o Injector.akdd Trojan, MD5: 3bbb59afdf9bda4ffdc644d9d51c53e7
o Implements 3 checks for hooking:
o GetTickCount
o GetSystemTimeAsFileTime
o NtQuerySystemTime
o If LESS than 998 ms pass during execution: Abort!
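The same "did the requested time really pass?" check, written as an added portable example (not code from the Injector.akdd sample or the slides). Injector.akdd reads GetTickCount, GetSystemTimeAsFileTime and NtQuerySystemTime around a one-second sleep and aborts if fewer than 998 ms elapsed; here CLOCK_MONOTONIC and CLOCK_REALTIME stand in for those clocks, a sandbox that returns early from the sleep or fakes one clock fails the comparison, and the `slack_ms` argument plays the role of the sample's 2 ms tolerance. The second function is the delay-loop alternative from the Sleep slide: it burns CPU until the clock has advanced, so there is no Sleep call to hook or strip.

```c
/* Added example, not part of the Cyphort slides or any named sample. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

static int64_t now_ms(clockid_t clk)
{
    struct timespec ts;
    clock_gettime(clk, &ts);
    return (int64_t)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* Sleep for request_ms and measure the interval on two independent clocks.
 * Returns 1 (accelerated) if either clock shows fewer than
 * request_ms - slack_ms elapsed, or if the two clocks disagree by more than
 * slack_ms (one of them was tampered with). Returns 0 when the sleep was
 * honoured. Injector.akdd's "less than 998 of 1000 ms" corresponds to
 * sleep_was_accelerated(1000, 2). */
int sleep_was_accelerated(int request_ms, int slack_ms)
{
    int64_t mono0 = now_ms(CLOCK_MONOTONIC);
    int64_t real0 = now_ms(CLOCK_REALTIME);
    struct timespec req = { request_ms / 1000, (request_ms % 1000) * 1000000L };
    while (nanosleep(&req, &req) == -1 && errno == EINTR)
        ;   /* resume after a signal so the full interval is slept */
    int64_t mono = now_ms(CLOCK_MONOTONIC) - mono0;
    int64_t real = now_ms(CLOCK_REALTIME) - real0;
    int64_t skew = mono > real ? mono - real : real - mono;
    if (mono < request_ms - slack_ms) return 1;
    if (real < request_ms - slack_ms) return 1;
    if (skew > slack_ms) return 1;
    return 0;
}

/* Delay loop: spin on harmless arithmetic until the monotonic clock has
 * advanced by ms. A sandbox cannot shorten this by hooking an API; it can
 * only wait it out or fake the clock, which the check above would catch.
 * Returns the number of iterations executed (0 only when ms <= 0). */
uint64_t busy_delay_ms(int ms)
{
    int64_t start = now_ms(CLOCK_MONOTONIC);
    uint64_t iters = 0;
    volatile uint32_t x = 0x9E3779B9u;        /* filler state, kept live */
    while (now_ms(CLOCK_MONOTONIC) - start < ms) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5; /* xorshift as busy work */
        iters++;
    }
    return iters;
}

int main(void)
{
    printf("sleep accelerated: %d\n", sleep_was_accelerated(1000, 2));
    printf("delay loop iterations: %llu\n", (unsigned long long)busy_delay_ms(200));
    return 0;
}
```

On the defender's side the lesson is the inverse: a sandbox that patches Sleep must advance every clock the guest can read by the same amount, or the mismatch itself becomes the tell.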
Checking GetUserName
o Malware name: Ponmocup Trojan
o MD5: 27aa08d113034eae5565fe2e8813a01e
o Uses GetUserName to check for these strings:
o currentuser
o sandbox
o honey
o vmware
o nepenthes
o snort
o andy
o roo
Sazoora malware: Detecting the mouse
o If the sample cannot detect mouse movement, execution is slowed down
Sazoora malware: Timing attacks
o Sazoora only runs on the 16th, 17th or 18th of any month
Read more about Sazoora on our blog: https://www.cyphort.com/blog/sazoora-dissecting-bundle-evasion-stealth/
SmartFortress FakeAV malware: Hard Disk Identifiers
o FakeAV SmartFortress Trojan
o MD5: a2d4e451f84b74185ecba8e728b65fe3
o Hard disk identifiers often give away the virtualization platform
o Checked with SetupDiGetClassDevs, SetupDiEnumDeviceInfo and SetupDiGetDeviceRegistryProperty (enumerate the disk devices and read their friendly name)
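The string-matching side of the environment checks from the registry, disk-name, MAC-address, GetUserName and hard-disk-identifier slides, as one added example (not code from the slides, Pafish, Ponmocup or SmartFortress). The values are passed in rather than read from Windows so it runs anywhere; a real sample would obtain them from HKLM\HARDWARE\Description\System "SystemBiosVersion", the SetupDi* device enumeration, GetAdaptersInfo and GetUserName. The OUI table and username list are the ones on the slides; the "VIRTUALBOX", "VMWARE" and "QEMU" markers beyond the slide's "VBOX", the substring (rather than exact) username match, and the two sample hosts are assumptions of this example.

```c
/* Added example, not part of the Cyphort slides or any named sample. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Case-insensitive substring search: vendor strings arrive with model
 * suffixes ("VBOX HARDDISK", "VMware Virtual disk"), so anchor nowhere. */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0) return 1;
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Parse "00:0C:29:aa:bb:cc" or "00-0C-29-aa-bb-cc" into 6 bytes; 0 on error. */
static int parse_mac(const char *s, unsigned char out[6])
{
    for (int i = 0; i < 6; i++) {
        if (!isxdigit((unsigned char)s[0]) || !isxdigit((unsigned char)s[1])) return 0;
        char *end;
        long v = strtol(s, &end, 16);
        if (end != s + 2) return 0;
        out[i] = (unsigned char)v;
        s = end;
        if (i < 5) {
            if (*s != ':' && *s != '-') return 0;
            s++;
        }
    }
    return *s == '\0';
}

/* Hypervisor vendor for the MAC's OUI per the slide's table, else NULL. */
const char *mac_vendor(const char *mac)
{
    static const struct { unsigned char oui[3]; const char *vendor; } table[] = {
        {{0x00, 0x05, 0x69}, "VMware"},  {{0x00, 0x0C, 0x29}, "VMware"},
        {{0x00, 0x1C, 0x14}, "VMware"},  {{0x00, 0x50, 0x56}, "VMware"},
        {{0x00, 0x15, 0x5D}, "Hyper-V"}, {{0x00, 0x16, 0x3E}, "Xen"},
    };
    unsigned char b[6];
    if (!parse_mac(mac, b)) return NULL;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (memcmp(b, table[i].oui, 3) == 0) return table[i].vendor;
    return NULL;
}

/* Ponmocup's GetUserName list (slide). Substring match is an assumption;
 * note that it makes "root" trip on "roo". */
int username_is_suspicious(const char *user)
{
    static const char *bad[] = {"currentuser", "sandbox", "honey", "vmware",
                                "nepenthes", "snort", "andy", "roo"};
    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++)
        if (contains_nocase(user, bad[i])) return 1;
    return 0;
}

struct host_info {
    const char *bios_version;       /* SystemBiosVersion registry value */
    const char *disk_model;         /* disk friendly name from SetupDi* */
    const char *mac;                /* first adapter MAC, text form */
    const char *user;               /* GetUserName */
    unsigned long long disk_bytes;  /* fixed disk capacity */
};

/* Number of indicators that fire; 0 means nothing looked like a sandbox. */
int looks_like_sandbox(const struct host_info *h)
{
    static const char *markers[] = {"VBOX", "VIRTUALBOX", "VMWARE", "QEMU"};
    int hits = 0;
    for (size_t i = 0; i < sizeof markers / sizeof markers[0]; i++) {
        if (contains_nocase(h->bios_version, markers[i])) hits++;
        if (contains_nocase(h->disk_model, markers[i])) hits++;
    }
    if (mac_vendor(h->mac)) hits++;
    if (username_is_suspicious(h->user)) hits++;
    if (h->disk_bytes < 50ULL * 1024 * 1024 * 1024) hits++;  /* Pafish: < 50 GB */
    return hits;
}

/* Constructed sample hosts for the example (not real captures). */
const struct host_info SAMPLE_VM_GUEST = {
    "INTEL  - 6040000", "VMware Virtual disk SCSI Disk Device",
    "00:0C:29:3a:4b:5c", "sandbox", 40ULL * 1024 * 1024 * 1024 };
const struct host_info SAMPLE_BARE_METAL = {
    "DELL   - 1072009", "Samsung SSD 860 EVO 1TB",
    "3C:5A:B4:12:34:56", "jsmith", 1000ULL * 1000 * 1000 * 1000 };

int main(void)
{
    printf("VM guest indicators: %d\n", looks_like_sandbox(&SAMPLE_VM_GUEST));
    printf("bare metal indicators: %d\n", looks_like_sandbox(&SAMPLE_BARE_METAL));
    return 0;
}
```

Every one of these values is under the sandbox operator's control, which is the point of the "harden the sandbox" advice in the wrap-up: give the guest a vendor-neutral BIOS string and disk model, a non-hypervisor OUI, a plausible username and a disk larger than the thresholds samples are known to use.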
SmartFortress FakeAV malware: Exotic Instruction Sets
• MMX is an Intel SIMD instruction set designed for faster multimedia processing
• Occasionally used by malware as random instructions
• Usually not supported by malware emulators, so the sample fails to run (or runs differently) under emulation
Recap: Types of Anti-sandboxing tricks
o Detecting virtualization: not running in the VM
o Sleeping
o Delay loops
o Detecting hooks (user level | kernel level)
o GUI: prompting the user for action
o Running only on certain dates
o Detecting the sandbox by time acceleration
o Killing analysis tools
o Checking browser history, running apps, AD domain membership
Poll question
Which of the anti-sandboxing techniques below do you think is the most popular among malware writers?
A - Detecting Virtual Machines
B - Delay loop execution
C - A and B equally
D - Sleeping
E - Anti-hooking
Popularity of different anti-sandbox techniques
Source: Cyphort Labs
Non-traditional File Formats
o Another way to circumvent sandbox detection: attack a non-traditional platform, i.e. do not use a PE32 executable:
o PDF, Excel, Word
o 64-bit Windows EXE malware
o Mac OS X malware
Wrap up
o Harden the sandbox against known evasion techniques
o Use multiple types of sandboxes
o Use multiple techniques for malware analysis
o Evaluate sandboxing tools against known evasion techniques
Q and A
Previous MMW slides on www.slideshare.net/Cyphort/
Thank You!
Twitter: @belogor