MMW Anti-Sandbox Techniques
Jul. 31, 2015•0 likes•3,016 views
Download to read offline
Report
Technology
Malware writers are well aware of sandboxing, a popular way to detect brand new unknown malware by its behavior, and make code that infects the intended victim but has no malicious behavior in a sandbox. This MMW webinar demos specific ways how malware detects and hides from sandboxes including environmental check, stalling code, sleeps, hook detection and click triggers.
CyphortFollow
More Related Content
Viewers also liked
Malware Detection With Multiple FeaturesMuhammad Najmi Ahmad Zabidi
MMW April 2016 Ransomware Resurgence Cyphort
Ensembled Based Categorization and Adaptive Learning Model for Malware DetectionMuhammad Najmi Ahmad Zabidi
Failed Ransom: How IBM XGS Defeated RansomwareIBM Security
The Black Report - HackersDendreon
Corporations - the new victims of targeted ransomwareCyber Security Alliance
Similar to MMW Anti-Sandbox Techniques
Malware's Most Wanted: How to tell BADware from adwareCyphort
Sandbox detection:
leak, abuse, test - Hacktivity 2015Zoltan Balazs
Malware Most Wanted: Evil BunnyCyphort
Malware's most wanted-zberp-the_financial_trojanCyphort
Malware 101 by saurabh chaudharySaurav Chaudhary
Mmw mac malware-macCyphort
More from Cyphort
EverSec + Cyphort: Big Trends in CybersecurityCyphort
Most notable apt_ attacks_of_2015_and_2016 predictionsCyphort
Malware self protection-matrixCyphort
Machine learning cyphort_malware_most_wantedCyphort
Dissecting CryptowallCyphort
Cyber espionage nation state-apt_attacks_on_the_riseCyphort
Recently uploaded
Accelerating Data Science through Feature Platform, Transformers and GenAIFeatureByte
Take Control of Podcasting thanks to Open Source and Podcasting 2.0🎙 Benjamin Bellamy
Product Listing Presentation-Maidy Veloso.pptxMaidyVeloso
"Data Mesh in Kubernetes", Andrii SyniukFwdays
Manage and Release Changes Easily and Collaboratively with DevOps Center - Sa...Amol Dixit
GIT AND GITHUB (1).pptxGDSCCVRGUPoweredbyGo
MMW Anti-Sandbox Techniques
- 3. Your speakers today Nick Bilogorskiy @belogor Director of Security Research Shelendra Sharma Product Marketing Director
- 4. Agenda o Introduction to Sandboxing o How Malware breaks sandboxes o Wrap-up and Q&A CyphortLabsT-shirt
- 5. Threat Monitoring & Research team ________ 24X7 monitoring for malware events ________ Assist customers with their Forensics and Incident Response We enhance malware detection accuracy ________ False positives/negatives ________ Deep-dive research We work with the security ecosystem ________ Contribute to and learn from malware KB ________ Best of 3rd Party threat data
- 6. What is a sandbox o Sandbox is a instrumented detonation environment, where malware can be run and observed, but will not cause harm to the actual system. o Sandboxes are used for dynamic malware analysis and behavior based detection o Sandboxing is a NECESSARY but NOT SUFFICIENT condition for effective behavior detection
- 8. What is a sandbox
- 9. Methods of Analysis in Sandboxes o User hooks - a software component is installed within the guest OS and reports all user-based activity to the trace handler (keylogger). o Kernel hooks – The kernel of the guest OS is modified to accommodate tracing requirements (rootkit). o System emulation – A hardware emulator is modified to hook appropriate memory, disk IO functions and peripherals (etc.) and report activities
- 10. Use of Sandboxes 1. Simplify malware research : show traces 2. Automated behavior based malware detection : add analytics
- 12. Anti-Sandboxing o 1 Detecting Virtualization o 2 Detecting presence of a live user (Turing test) o 3 Detecting hooking or exploiting sandbox limitations o Just like packers became effective to fight signature based AV, evasion and armoring are bypassing rudimentary sandboxes
- 13. How much malware can detect Virtual Machines Source: Antiy Labs
- 14. How much malware can detect Virtual Machines Source: Qualys Labs
- 15. o VMWare can be detected via Registry: o Virtualbox can be detected via Registry: HKLMHARDWAREDescriptionSystem "SystemBiosVersion" HKLMSOFTWAREOracleVirtualBox Guest Additions Detect Virtualization via Registry check
- 16. PAFISH - (Paranoid Fish) - github.com/a0rtega/pafish
- 17. Poll question How many of the 5 sandboxes I mentioned earlier (Cuckoo, GFI, JoeSandbox, Comodo, ThreatExpert) can be detected by PAFISH (Paranoid Fish)? None 1 2 3 4 All of them
- 19. Detecting Virtualization o Check if disk size is less than 50GB Pafish code
- 20. Detecting Virtualization o Check if the disk is called “VBOX ” Pafish code
- 22. Detecting VMWare o IO Virtualization, IN instruction
- 23. Detecting Virtualization by Timing
- 24. Redpill IDTR (Interrupt Descriptor Table Register)
- 25. Detect Environment: MAC Address o 00:05:69:xx:xx:xx VMware o 00:0C:29:xx:xx:xx VMware o 00:1C:14:xx:xx:xx VMware o 00:50:56:xx:xx:xx VMware o 00:15:5D:xx:xx:xx Hyper V o 00:16:3e:xx:xx:xx Xen Source: Paul Jung, Bypassing Sanboxes for fun
- 26. Buy it – use a ready made anti-vm tool
- 27. Detecting Virtualization: Problem o Problem – a large portion of enterprise infrastructure is virtualized now, so it would limit the malware effectiveness if they avoid running on any virtual machine. o Need to detect sandboxes, not the VM o Detect the presence/absense of the user.
- 28. Detecting User o CAPTCHA is a possible way o Ask user to click the mouse o Wait for a certain action of the user to execute (go to Facebook, login to the bank) o Perform malicious activity upon reboot
- 29. Sleep o A popular strategy is to sleep or execute malicious code on certain dates o Most Analysis systems are built with timeouts and have limits on how long they can wait, because they need to analyze many files. o Because sleeps can be detected and stripped, execute various non-malicious code in lieu of sleep.
- 30. Detecting hooks
- 31. Ping Google o Some sandboxes do not allow the malware to connect outside to the internet, so a simple way to detect a sandbox is just to verify internet connectivity
- 32. Malware Example: Time Acceleration Detection o Injector.akdd Trojan MD5: 3bbb59afdf9bda4ffdc644d9d51c53e7 Implements 3 checks for hooking: o GetTickCount o GetSystemTimeAsFileTime o NtQuerySystemTime o If LESS than 998ms pass during execution: - Abort!
- 33. Checking GetUserName o Malware name: Ponmocup Trojan o MD5: 27aa08d113034eae5565fe2e8813a01e o Uses GetUserName to check for these strings o currentuser o sandbox o honey o vmware o nepenthes o snort o andy o roo
- 34. Sazoora malware: Detecting the mouse o If the sample can't detect mouse movement execution will be slowed down
- 35. Sazoora malware: Timing attacks o Sazoora only runs on 16, 17 or 18 of any month Read more about Sazoora on our blog: https://www.cyphort.com/blog/ sazoora-dissecting-bundle- evasion-stealth/
- 36. SmartFortress FakeAV malware: Hard Disk Identifiers o FakeAV SmartFortress Trojan o MD5: a2d4e451f84b74185ecba8e728b65fe3 o Hard disk identifiers often give away the virtualization platform o Checked with o SetupDiGetClassDivs o SetupDiGetEnumDeviceInfo o SetupDiGetDeviceRegistryProperty
- 37. SmartFortress FakeAV malware : Exotic Instruction Sets • MMX is an Intel instruction set designed for faster processing of graphical applications • Occationally used by malware as random instructions • Usually not supported by malware emulators
- 38. Recap: Types of Anti-sandboxing tricks o Detecting virtualization : Not running in the VM o Sleeping o Delay loops o Detecting hooks (user level | kernel level ) o GUI – prompting the user for action o Running only on certain dates o Detects Sandbox by time acceleration o Killing analysis tools o Checking Browser History, Running Apps, AD Domain memberhip
- 39. Poll question Which of the anti-sandboxing techniques below do you think is the most popular among malware writers? A - Detecting Virtual Machines B - Delay loop execution C - A and B equally D - Sleeping E - Anti-hooking
- 40. Popularity of different anti-sandbox techniques Source: Cyphort Labs
- 41. Non traditional File Formats o Another way to circumvent Sandbox detection: Attack non-traditional platform: do not use a PE32 executable.. o PDF, Excel, Word o 64 bit Windows EXE malware o Mac OSX malware
- 42. Wrap up o Harden the Sandbox against known evasion techniques o Use Multiple types of Sandboxes o Use multiple techniques for malware analysis o Evaluate sandboxing tools against known evasion techniques
- 43. Q and A Previous MMW slides on www.slideshare.net/ Cyphort/
Editor's Notes
- User-mode agent – a software component is installed within the guest operating system and reports all user-based activity to the trace handler (think of this kind of like a keylogger). more specific application level behavior, can be detected and subverted, but can figure out exactly what they are doing. Kernel-mode Patching – The kernel of the guest operating system is modified to accommodate tracing requirements (think of this kind of like a rootkit). very difficult to subvert, but the data is more generic, basic kernel operations like file,process, registry info, OS level info. System emulation – A hardware emulator is modified to hook appropriate memory, disk IO functions and peripherals (etc.) and report activities (think of this as a hall of mirrors approach). Emulation approaches are great for more difficult operating systems (e.g. Android, SCADA systems, etc.) a kind of VM that emulates all hardware components in software including the memory, can put probes to analyze malware, allows memory taint analysis. Hard to map low level behaviors to something malicious. Cyphort can switch easily. Initially malware was not detecting QEMU as VirtualBox and VmWare but that has changed over time.