
MMW Anti-Sandbox Techniques


Malware writers are well aware of sandboxing, a popular way to detect brand-new, unknown malware by its behavior, and they write code that infects the intended victim but shows no malicious behavior in a sandbox. This MMW webinar demonstrates specific ways in which malware detects and hides from sandboxes, including environment checks, stalling code, sleeps, hook detection and click triggers.

Published in: Technology


  1. Anti-Sandbox Malware Tricks
  2. Your speakers today: Nick Bilogorskiy (@belogor), Director of Security Research; Shelendra Sharma, Product Marketing Director
  3. Agenda
     - Introduction to sandboxing
     - How malware breaks sandboxes
     - Wrap-up and Q&A (Cyphort Labs T-shirt)
  4. Threat Monitoring & Research team
     - 24x7 monitoring for malware events; assist customers with their forensics and incident response
     - We enhance malware detection accuracy: false positives/negatives, deep-dive research
     - We work with the security ecosystem: contribute to and learn from the malware KB, best of 3rd-party threat data
  5. What is a sandbox
     - A sandbox is an instrumented detonation environment, where malware can be run and observed but will not cause harm to the actual system.
     - Sandboxes are used for dynamic malware analysis and behavior-based detection.
     - Sandboxing is a NECESSARY but NOT SUFFICIENT condition for effective behavior detection.
  6. Sandbox history: Norman Sandbox (2003), Anubis (2006), JoeBox (2007), ThreatExpert (2008), Cuckoo (2010)
  7. What is a sandbox
  8. Methods of analysis in sandboxes
     - User hooks: a software component is installed within the guest OS and reports all user-level activity to the trace handler (like a keylogger).
     - Kernel hooks: the kernel of the guest OS is modified to accommodate tracing requirements (like a rootkit).
     - System emulation: a hardware emulator is modified to hook the relevant memory, disk I/O functions and peripherals, and to report activity.
  9. Use of sandboxes
     1. Simplify malware research: show traces
     2. Automated behavior-based malware detection: add analytics
  10. Breaking Sandboxes
  11. Anti-sandboxing
     1. Detecting virtualization
     2. Detecting the presence of a live user (Turing test)
     3. Detecting hooking, or exploiting sandbox limitations
     - Just as packers became effective against signature-based AV, evasion and armoring are bypassing rudimentary sandboxes.
  12. How much malware can detect virtual machines (Source: Antiy Labs)
  13. How much malware can detect virtual machines (Source: Qualys Labs)
  14. Detect virtualization via registry check
     - VMware can be detected via the registry: HKLM\HARDWARE\Description\System, value "SystemBiosVersion"
     - VirtualBox can be detected via the registry: HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
  15. PAFISH (Paranoid Fish)
  16. Poll question: How many of the 5 sandboxes I mentioned earlier (Cuckoo, GFI, JoeSandbox, Comodo, ThreatExpert) can be detected by PAFISH (Paranoid Fish)? None / 1 / 2 / 3 / 4 / All of them
  17. PAFISH detects all
  18. Detecting virtualization: check if the disk size is less than 50 GB (Pafish code)
  19. Detecting virtualization: check if the disk is called "VBOX" (Pafish code)
  20. (image slide)
  21. Detecting VMware: I/O virtualization, IN instruction
  22. Detecting virtualization by timing
  23. Red Pill: IDTR (Interrupt Descriptor Table Register)
  24. Detect environment: MAC address
     - 00:05:69:xx:xx:xx VMware
     - 00:0C:29:xx:xx:xx VMware
     - 00:1C:14:xx:xx:xx VMware
     - 00:50:56:xx:xx:xx VMware
     - 00:15:5D:xx:xx:xx Hyper-V
     - 00:16:3e:xx:xx:xx Xen
     Source: Paul Jung, "Bypassing Sandboxes for Fun"
  25. Buy it: use a ready-made anti-VM tool
  26. Detecting virtualization: the problem
     - Problem: a large portion of enterprise infrastructure is virtualized now, so malware would limit its own effectiveness if it avoided running on any virtual machine.
     - Need to detect sandboxes, not the VM.
     - Detect the presence/absence of the user.
  27. Detecting the user
     - CAPTCHA is a possible way
     - Ask the user to click the mouse
     - Wait for a certain user action before executing (going to Facebook, logging in to the bank)
     - Perform malicious activity upon reboot
  28. Sleep
     - A popular strategy is to sleep, or to execute malicious code only on certain dates.
     - Most analysis systems are built with timeouts and have limits on how long they can wait, because they need to analyze many files.
     - Because sleeps can be detected and stripped, execute various non-malicious code in lieu of sleep.
  29. Detecting hooks
  30. Ping Google: some sandboxes do not allow the malware to connect out to the internet, so a simple way to detect a sandbox is just to verify internet connectivity.
  31. Malware example: time acceleration detection
     - Injector.akdd Trojan, MD5: 3bbb59afdf9bda4ffdc644d9d51c53e7
     - Implements 3 checks for hooking: GetTickCount, GetSystemTimeAsFileTime, NtQuerySystemTime
     - If LESS than 998 ms pass during execution: abort!
  32. Checking GetUserName
     - Malware name: Ponmocup Trojan, MD5: 27aa08d113034eae5565fe2e8813a01e
     - Uses GetUserName to check for these strings: currentuser, sandbox, honey, vmware, nepenthes, snort, andy, roo
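The slides from 14 through 32 each name one tell a sandbox operator can remove: hypervisor strings in the registry, a small or VBOX-branded disk, a vendor MAC OUI, a give-away user name, and clock sources that disagree when the guest accelerates time. The following self-audit, an added example that is not Cyphort's, Pafish's or any sample's code, folds those tells into one check that an operator would run inside a fresh analysis VM to see what a sample would see. The GuestSnapshot type, the two constructed snapshots and the way the snapshot is filled are assumptions; collecting the real values (registry, SetupDi*, GetUserName, the three clock APIs) is left to the operator so the logic stays testable on any platform.

```python
"""Sandbox self-audit against the tells named in this deck.

Added example, not Cyphort's, Pafish's or any malware's code. It evaluates a
GuestSnapshot built from plain data so the logic is testable anywhere; how you
fill the snapshot on a real Windows guest (registry, SetupDi*, GetUserName,
the three clock APIs) is left to the operator. Thresholds come from the slides.
"""
from dataclasses import dataclass, field

# OUIs from the "Detect environment: MAC address" slide
VENDOR_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware",
    "00:1c:14": "VMware", "00:50:56": "VMware",
    "00:15:5d": "Hyper-V", "00:16:3e": "Xen",
}
# Registry tells from the "Detect virtualization via registry check" slide:
# a value that should not mention a hypervisor, and a key that should not exist
BIOS_VALUE = r"HKLM\HARDWARE\Description\System\SystemBiosVersion"
VBOX_KEY = r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"
HYPERVISOR_MARKERS = ("VMWARE", "VBOX", "VIRTUALBOX")
# User-name strings the Ponmocup slide lists (matched as substrings)
USERNAME_TELLS = ("currentuser", "sandbox", "honey", "vmware",
                  "nepenthes", "snort", "andy", "roo")
MIN_DISK_GB = 50          # Pafish threshold from the disk-size slide
SLEEP_MS = 1000           # sleep used for the clock probe (assumption)
MIN_ELAPSED_MS = 998      # Injector.akdd aborts below this


@dataclass
class GuestSnapshot:
    mac: str
    disk_gb: float
    disk_model: str
    username: str
    registry: dict = field(default_factory=dict)    # path -> value; absent if missing
    elapsed_ms: dict = field(default_factory=dict)  # clock API -> ms seen around SLEEP_MS


def audit(snap: GuestSnapshot) -> list:
    """Return one human-readable finding per tell that would fire on this guest."""
    findings = []
    oui = snap.mac.lower()[:8]
    if oui in VENDOR_OUIS:
        findings.append(f"MAC OUI {oui} is assigned to {VENDOR_OUIS[oui]}")
    if snap.disk_gb < MIN_DISK_GB:
        findings.append(f"disk is {snap.disk_gb:g} GB, below the {MIN_DISK_GB} GB Pafish threshold")
    if "VBOX" in snap.disk_model.upper():
        findings.append(f"disk model '{snap.disk_model}' names VirtualBox")
    hits = [t for t in USERNAME_TELLS if t in snap.username.lower()]
    if hits:
        findings.append(f"username '{snap.username}' contains {hits}")
    bios = snap.registry.get(BIOS_VALUE, "")
    markers = [m for m in HYPERVISOR_MARKERS if m in bios.upper()]
    if markers:
        findings.append(f"SystemBiosVersion '{bios}' contains {markers}")
    if VBOX_KEY in snap.registry:
        findings.append("VirtualBox Guest Additions key is present")
    for api, ms in snap.elapsed_ms.items():
        if ms < MIN_ELAPSED_MS:
            findings.append(f"{api} saw only {ms} ms around a {SLEEP_MS} ms sleep: time acceleration is visible")
    return findings


# Constructed snapshots: a stock analysis VM and the same guest after hardening
STOCK_VM = GuestSnapshot(
    mac="00:0C:29:4E:7A:21", disk_gb=40, disk_model="VBOX HARDDISK",
    username="sandbox",
    registry={BIOS_VALUE: "VBOX   - 1", VBOX_KEY: ""},
    elapsed_ms={"GetTickCount": 1000, "GetSystemTimeAsFileTime": 15,
                "NtQuerySystemTime": 1001},
)
HARDENED_VM = GuestSnapshot(
    mac="3C:52:82:9B:10:F4", disk_gb=250, disk_model="ST1000DM003-1CH162",
    username="jsmith",
    registry={BIOS_VALUE: "LENOVO - 1"},
    elapsed_ms={"GetTickCount": 1000, "GetSystemTimeAsFileTime": 1000,
                "NtQuerySystemTime": 1000},
)

if __name__ == "__main__":
    for name, snap in (("stock", STOCK_VM), ("hardened", HARDENED_VM)):
        print(f"{name}: {len(audit(snap))} tell(s)")
        for finding in audit(snap):
            print("  -", finding)
```

The stock snapshot trips all seven checks, the hardened one none; the point of the clock check is that a single fast-forwarded source (here GetSystemTimeAsFileTime) is enough to expose the sandbox, which is why the Injector.akdd slide reads three of them.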
  33. Sazoora malware: detecting the mouse
     - If the sample can't detect mouse movement, execution will be slowed down.
  34. Sazoora malware: timing attacks
     - Sazoora only runs on the 16th, 17th or 18th of any month. Read more about Sazoora on our blog: sazoora-dissecting-bundle-evasion-stealth/
  35. SmartFortress FakeAV malware: hard disk identifiers
     - FakeAV SmartFortress Trojan, MD5: a2d4e451f84b74185ecba8e728b65fe3
     - Hard disk identifiers often give away the virtualization platform
     - Checked with SetupDiGetClassDevs, SetupDiEnumDeviceInfo, SetupDiGetDeviceRegistryProperty
  36. SmartFortress FakeAV malware: exotic instruction sets
     - MMX is an Intel instruction set designed for faster processing of graphical applications
     - Occasionally used by malware as random instructions
     - Usually not supported by malware emulators
  37. Recap: types of anti-sandboxing tricks
     - Detecting virtualization: not running in the VM
     - Sleeping
     - Delay loops
     - Detecting hooks (user level | kernel level)
     - GUI: prompting the user for action
     - Running only on certain dates
     - Detecting the sandbox by time acceleration
     - Killing analysis tools
     - Checking browser history, running apps, AD domain membership
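The recap is also a detection opportunity: every trick on it leaves a footprint in the sandbox's own API trace, and a sample that probes for a hypervisor, reads several clocks or checks the user name and then exits without doing anything else is itself a strong signal worth a re-run in a hardened guest. The following trace triage, an added example and not the deck's or any sandbox product's code, encodes four of the recap's patterns (VM-artifact probe then quit, multiple clock reads then quit, stalling past the analysis budget, user-name check then quit) as rules over a constructed trace format. The line format, the 5 s "quick exit" window and the 120 s budget are assumptions; the three traces are constructed for the example.

```python
"""Spot sandbox-evasion behaviour in an API trace.

Added example, not the deck's or any sandbox's code. The trace format is
constructed for this example: one call per line, "<ms> <api> [argument] -> <result>".
The rules encode the recap slide: probe VM artifacts then quit, read several
clocks then quit, stall past the analysis budget, inspect the user name then quit.
"""
import re

LINE = re.compile(r"^(\d+)\s+(\w+)\s*(.*?)\s*->\s*(\S+)$")

# Substrings from the registry and disk-name slides, matched against call arguments
VM_ARTIFACTS = ("virtualbox", "vbox", "vmware", "systembiosversion")
CLOCK_APIS = {"GetTickCount", "GetSystemTimeAsFileTime", "NtQuerySystemTime"}
EXIT_APIS = {"ExitProcess", "NtTerminateProcess"}
QUICK_EXIT_MS = 5000          # assumption: quitting this fast means no real work was done
ANALYSIS_BUDGET_MS = 120_000  # assumption: the sandbox's per-sample timeout


def parse(trace: str):
    """Yield (ms, api, argument, result) tuples; malformed lines are skipped."""
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)


def assess(trace: str, budget_ms: int = ANALYSIS_BUDGET_MS) -> list:
    """Return one reason string per evasion pattern seen in the trace."""
    calls = list(parse(trace))
    reasons = []
    exit_ms = next((ms for ms, api, _, _ in calls if api in EXIT_APIS), None)

    # Rule 1: looked for hypervisor artifacts, then gave up quickly
    probes = [ms for ms, _, arg, _ in calls
              if any(a in arg.lower() for a in VM_ARTIFACTS)]
    if probes and exit_ms is not None and exit_ms - probes[-1] < QUICK_EXIT_MS:
        reasons.append(f"queried VM artifacts and exited {exit_ms - probes[-1]} ms later")

    # Rule 2: compared several clock sources (time-acceleration check), then quit
    clocks = {api for _, api, _, _ in calls if api in CLOCK_APIS}
    if len(clocks) >= 2 and exit_ms is not None and exit_ms < QUICK_EXIT_MS:
        reasons.append(f"read {len(clocks)} clock sources, then exited at {exit_ms} ms")

    # Rule 3: stalling past the analysis budget
    slept = sum(int(arg) for _, api, arg, _ in calls if api == "Sleep" and arg.isdigit())
    if slept >= budget_ms:
        reasons.append(f"requested {slept} ms of Sleep against a {budget_ms} ms budget")

    # Rule 4: inspected the user name (Ponmocup pattern), then quit
    user_probes = [ms for ms, api, _, _ in calls if api.startswith("GetUserName")]
    if user_probes and exit_ms is not None and exit_ms - user_probes[-1] < QUICK_EXIT_MS:
        reasons.append(f"checked the user name and exited {exit_ms - user_probes[-1]} ms later")
    return reasons


# Constructed traces for the three situations the rules distinguish
EVASIVE_TRACE = r"""
0 GetTickCount -> 0x1a2b
3 GetSystemTimeAsFileTime -> ok
4 NtQuerySystemTime -> ok
5 RegOpenKeyExW HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions -> NOT_FOUND
6 RegQueryValueExW HKLM\HARDWARE\Description\System\SystemBiosVersion -> VBOX
7 GetUserNameW -> sandbox
9 ExitProcess 0 -> ok
"""
STALLING_TRACE = r"""
0 GetTickCount -> 0x99
1 Sleep 300000 -> ok
300002 ExitProcess 0 -> ok
"""
BENIGN_TRACE = r"""
0 GetTickCount -> 0x77aa
12 CreateFileW C:\Users\jsmith\report.docx -> ok
40 Sleep 500 -> ok
900 WriteFile report.docx -> ok
950 ExitProcess 0 -> ok
"""

if __name__ == "__main__":
    for name, trace in (("evasive", EVASIVE_TRACE), ("stalling", STALLING_TRACE),
                        ("benign", BENIGN_TRACE)):
        print(f"{name}: {assess(trace) or ['no evasion pattern']}")
```

The budget is a parameter because the stalling rule only means something relative to how long your own sandbox waits; a sample that sleeps 300 s is evasive against a 2-minute budget and unremarkable against a 10-minute one, which is the trade-off the Sleep slide describes.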
  38. Poll question: Which of the anti-sandboxing techniques below do you think is the most popular among malware writers? A - Detecting virtual machines; B - Delay loop execution; C - A and B equally; D - Sleeping; E - Anti-hooking
  39. Popularity of different anti-sandbox techniques (Source: Cyphort Labs)
  40. Non-traditional file formats
     - Another way to circumvent sandbox detection: attack a non-traditional platform, i.e. do not use a PE32 executable
     - PDF, Excel, Word
     - 64-bit Windows EXE malware
     - Mac OS X malware
  41. Wrap-up
     - Harden the sandbox against known evasion techniques
     - Use multiple types of sandboxes
     - Use multiple techniques for malware analysis
     - Evaluate sandboxing tools against known evasion techniques
  42. Q and A. Previous MMW slides on Cyphort/
  43. Thank you! Twitter: @belogor