Anti-Sandbox
Malware tricks
Your speakers today
Nick Bilogorskiy
@belogor
Director of Security Research
Shelendra Sharma
Product Marketing Director
Agenda
o Introduction to Sandboxing
o How Malware breaks sandboxes
o Wrap-up and Q&A
Cyphort Labs T-shirt
Threat Monitoring &
Research team
________
24X7 monitoring for
malware events
________
Assist customers with
their Forensics and
Incident Response
We enhance malware
detection accuracy
________
False positives/negatives
________
Deep-dive research
We work with the
security ecosystem
________
Contribute to and learn
from malware KB
________
Best of 3rd Party threat
data
What is a sandbox
o A sandbox is an instrumented detonation
environment, where malware can be run
and observed, but will not cause harm to
the actual system.
o Sandboxes are used for dynamic
malware analysis and behavior based
detection
o Sandboxing is a NECESSARY but NOT
SUFFICIENT condition for effective
behavior detection
Sandbox History
o 2003 Norman Sandbox
o 2006 Anubis
o 2007 JoeBox
o 2008 ThreatExpert
o 2010 Cuckoo
What is a sandbox
Methods of Analysis in Sandboxes
o User hooks - a software component is installed within the
guest OS and reports all user-based activity to the trace
handler (keylogger).
o Kernel hooks – The kernel of the guest OS is modified to
accommodate tracing requirements (rootkit).
o System emulation – A hardware emulator is modified to
hook appropriate memory, disk IO functions and
peripherals (etc.) and report activities
Use of Sandboxes
1. Simplify malware research : show traces
2. Automated behavior based malware
detection : add analytics
Breaking Sandboxes
Anti-Sandboxing
o 1 Detecting Virtualization
o 2 Detecting presence of a live user (Turing test)
o 3 Detecting hooking or exploiting sandbox limitations
o Just like packers became effective to fight signature based AV,
evasion and armoring are bypassing rudimentary sandboxes
How much malware can detect Virtual Machines
Source: Antiy Labs
How much malware can detect Virtual Machines
Source: Qualys Labs
Detect Virtualization via Registry check
o VMWare can be detected via Registry:
HKLM\HARDWARE\Description\System "SystemBiosVersion"
o Virtualbox can be detected via Registry:
HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
PAFISH - (Paranoid Fish) - github.com/a0rtega/pafish
Poll question
How many of the 5 sandboxes I mentioned earlier
(Cuckoo, GFI, JoeSandbox, Comodo, ThreatExpert) can be detected
by PAFISH (Paranoid Fish)?
None
1
2
3
4
All of them
PAFISH detects all
Detecting Virtualization
o Check if disk size is less than 50GB
Pafish code
Detecting Virtualization
o Check if the disk is called “VBOX ”
Pafish code
http://pastebin.com/u/waliedassar
Detecting VMWare
o IO Virtualization, IN instruction
Detecting Virtualization by Timing
Redpill IDTR (Interrupt Descriptor Table Register)
Detect Environment: MAC Address
o 00:05:69:xx:xx:xx VMware
o 00:0C:29:xx:xx:xx VMware
o 00:1C:14:xx:xx:xx VMware
o 00:50:56:xx:xx:xx VMware
o 00:15:5D:xx:xx:xx Hyper V
o 00:16:3e:xx:xx:xx Xen
Source: Paul Jung, Bypassing Sandboxes for fun
Buy it – use a ready made anti-vm tool
Detecting Virtualization: Problem
o Problem – a large portion of enterprise infrastructure is
virtualized now, so malware that refuses to run on any
virtual machine limits its own effectiveness.
o Need to detect sandboxes, not the VM
o Detect the presence/absence of the user.
Detecting User
o CAPTCHA is a possible way
o Ask user to click the mouse
o Wait for a certain action of
the user to execute (go to
Facebook, login to the bank)
o Perform malicious activity
upon reboot
Sleep
o A popular strategy is to sleep or execute malicious code on
certain dates
o Most Analysis systems are built with timeouts and have
limits on how long they can wait, because they need to
analyze many files.
o Because sleeps can be detected and stripped, execute
various non-malicious code in lieu of sleep.
Detecting hooks
Ping Google
o Some sandboxes do not allow the malware to connect
outside to the internet, so a simple way to detect a sandbox
is just to verify internet connectivity
Malware Example: Time Acceleration Detection
o Injector.akdd Trojan
MD5: 3bbb59afdf9bda4ffdc644d9d51c53e7
Implements 3 checks for hooking:
o GetTickCount
o GetSystemTimeAsFileTime
o NtQuerySystemTime
o If LESS than 998ms pass during
execution:
- Abort!
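The Injector.akdd check, turned around for the sandbox operator: a sandbox that skips sleeps but does not advance every clock consistently fails this test. Added example, not code from the deck or from the sample; the three Python clocks stand in for the three Windows APIs so the check runs on any OS.

```python
import time

# Stand-ins for the three clocks the sample reads (assumption: any three
# independent clocks expose the same inconsistency as the Windows APIs).
CLOCKS = {
    "tick": time.monotonic,        # stand-in for GetTickCount
    "filetime": time.time,         # stand-in for GetSystemTimeAsFileTime
    "systime": time.perf_counter,  # stand-in for NtQuerySystemTime
}


def would_abort(deltas_ms, threshold_ms=998):
    """The sample's rule from the slide: abort if ANY clock reports fewer
    than threshold_ms elapsed during the wait."""
    return any(delta < threshold_ms for delta in deltas_ms.values())


def measure(sleep_ms):
    """Sleep once and return how many ms each clock says went by."""
    before = {name: clock() for name, clock in CLOCKS.items()}
    time.sleep(sleep_ms / 1000)
    return {name: (clock() - before[name]) * 1000 for name, clock in CLOCKS.items()}


def self_test(sleep_ms=1000, threshold_ms=998):
    """Run the sample's check on this host. Inside a sandbox, abort=True
    means its sleep handling would be caught by Injector.akdd."""
    deltas = measure(sleep_ms)
    return {"deltas_ms": deltas, "abort": would_abort(deltas, threshold_ms)}


if __name__ == "__main__":
    print(self_test())
```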
Checking GetUserName
o Malware name: Ponmocup Trojan
o MD5: 27aa08d113034eae5565fe2e8813a01e
o Uses GetUserName to check for these strings
o currentuser
o sandbox
o honey
o vmware
o nepenthes
o snort
o andy
o roo
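A sandbox image audit built from the fingerprints on the preceding slides (registry artifacts, the pafish disk checks, the MAC prefix table and Ponmocup's user-name list). Added example, not code from the deck; the two environment dictionaries are constructed, and a real audit would fill them from what the guest reports.

```python
# Added example (not from the deck): audit a sandbox image against the
# fingerprints these slides list. Values are constructed; replace them with
# what the guest reports (ipconfig /all, whoami, reg query, disk properties).

# OUI prefixes from the "Detect Environment: MAC Address" slide.
VIRTUAL_OUIS = {"00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware",
                "00:50:56": "VMware", "00:15:5d": "Hyper-V", "00:16:3e": "Xen"}
# Strings the Ponmocup Trojan compares against GetUserName().
SUSPECT_USERNAMES = {"currentuser", "sandbox", "honey", "vmware",
                     "nepenthes", "snort", "andy", "roo"}
# Registry artifacts from the "Detect Virtualization via Registry check" slide.
VBOX_GUEST_KEY = r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"
BIOS_VALUE = r"HKLM\HARDWARE\Description\System\SystemBiosVersion"


def audit(env):
    """Return (check, detail) findings; an empty list means the image passes
    every check described in the slides."""
    findings = []
    oui = env["mac"].lower()[:8]
    if oui in VIRTUAL_OUIS:
        findings.append(("mac_oui", f"{env['mac']} has a {VIRTUAL_OUIS[oui]} prefix"))
    if env["disk_gb"] < 50:  # pafish disk-size threshold quoted on the slide
        findings.append(("disk_size", f"{env['disk_gb']} GB is below 50 GB"))
    if "vbox" in env["disk_model"].lower():  # pafish "VBOX" disk-name check
        findings.append(("disk_name", f"disk model {env['disk_model']!r}"))
    if env["username"].lower() in SUSPECT_USERNAMES:
        findings.append(("username", f"{env['username']!r} is on Ponmocup's list"))
    if VBOX_GUEST_KEY in env["registry"]:
        findings.append(("registry", f"{VBOX_GUEST_KEY} exists"))
    bios = env["registry"].get(BIOS_VALUE, "")
    if any(tag in bios.lower() for tag in ("vbox", "vmware")):
        findings.append(("registry", f"SystemBiosVersion = {bios!r}"))
    return findings


# Constructed "leaky" guest; artifacts are mixed on purpose so every check fires.
LEAKY_ENV = {"mac": "00:0C:29:AB:CD:EF", "disk_gb": 40, "disk_model": "VBOX HARDDISK",
             "username": "sandbox",
             "registry": {VBOX_GUEST_KEY: "5.0", BIOS_VALUE: "VBOX   - 1"}}
# Constructed guest after hardening: MAC prefix not in the table, >50 GB disk,
# vendor disk model, ordinary user name, no VirtualBox key, neutral BIOS string.
HARDENED_ENV = {"mac": "3C:97:0E:11:22:33", "disk_gb": 250, "disk_model": "ST1000DM003",
                "username": "jsmith", "registry": {BIOS_VALUE: "DELL   - 1"}}

if __name__ == "__main__":
    for name, env in (("leaky", LEAKY_ENV), ("hardened", HARDENED_ENV)):
        print(name, audit(env))
```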
Sazoora malware: Detecting the mouse
o If the sample can't detect mouse movement execution will
be slowed down
Sazoora malware: Timing attacks
o Sazoora only
runs on 16, 17 or 18 of any month
Read more about Sazoora on our blog:
https://www.cyphort.com/blog/sazoora-dissecting-bundle-evasion-stealth/
SmartFortress FakeAV malware: Hard Disk Identifiers
o FakeAV SmartFortress Trojan
o MD5: a2d4e451f84b74185ecba8e728b65fe3
o Hard disk identifiers often give
away the virtualization platform
o Checked with
o SetupDiGetClassDevs
o SetupDiEnumDeviceInfo
o SetupDiGetDeviceRegistryProperty
SmartFortress FakeAV malware : Exotic Instruction Sets
• MMX is an Intel instruction set designed
for faster processing of graphical
applications
• Occasionally used by malware as random
instructions
• Usually not supported by malware
emulators
Recap: Types of Anti-sandboxing tricks
o Detecting virtualization : Not running in the VM
o Sleeping
o Delay loops
o Detecting hooks (user level | kernel level )
o GUI – prompting the user for action
o Running only on certain dates
o Detects Sandbox by time acceleration
o Killing analysis tools
o Checking Browser History, Running Apps, AD Domain membership
Poll question
Which of the anti-sandboxing techniques below do you think is the most
popular among malware writers?
A - Detecting Virtual Machines
B - Delay loop execution
C - A and B equally
D - Sleeping
E - Anti-hooking
Popularity of different anti-sandbox techniques
Source: Cyphort Labs
Non-traditional File Formats
o Another way to circumvent Sandbox detection:
Attack a non-traditional platform: do not use a
PE32 executable.
o PDF, Excel, Word
o 64 bit Windows EXE malware
o Mac OSX malware
Wrap up
o Harden the Sandbox against known
evasion techniques
o Use Multiple types of Sandboxes
o Use multiple techniques for malware
analysis
o Evaluate sandboxing tools against
known evasion techniques
Q and A
Previous MMW slides on www.slideshare.net/Cyphort/
Thank You!
Twitter: @belogor

Editor's Notes

  • #10 User-mode agent – a software component is installed within the guest operating system and reports all user-based activity to the trace handler (think of this kind of like a keylogger). Gives more specific, application-level behavior; can be detected and subverted, but can figure out exactly what the malware is doing. Kernel-mode patching – the kernel of the guest operating system is modified to accommodate tracing requirements (think of this kind of like a rootkit). Very difficult to subvert, but the data is more generic: basic kernel operations like file, process, registry info, OS-level info. System emulation – a hardware emulator is modified to hook appropriate memory, disk IO functions and peripherals (etc.) and report activities (think of this as a hall of mirrors approach). Emulation approaches are great for more difficult operating systems (e.g. Android, SCADA systems, etc.): a kind of VM that emulates all hardware components in software, including the memory, so probes can be placed to analyze malware and memory taint analysis becomes possible. Hard to map low-level behaviors to something malicious. Cyphort can switch easily. Initially malware was not detecting QEMU as it did VirtualBox and VMware, but that has changed over time.