Malware writers are well aware of sandboxing, a popular way to detect brand-new, unknown malware by its behavior, and they write code that infects the intended victim but shows no malicious behavior in a sandbox. This MMW webinar demonstrates specific ways malware detects and hides from sandboxes, including environment checks, stalling code, sleeps, hook detection and click triggers.
1.
Anti-Sandbox
Malware tricks
2.
Your speakers today
Nick Bilogorskiy
@belogor
Director of Security Research
Shelendra Sharma
Product Marketing Director
3.
Agenda
o Introduction to Sandboxing
o How Malware breaks sandboxes
o Wrap-up and Q&A
Cyphort Labs T-shirt
4.
Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd party threat data
5.
What is a sandbox
o A sandbox is an instrumented detonation environment where malware can be run and observed without causing harm to the actual system.
o Sandboxes are used for dynamic malware analysis and behavior-based detection.
o Sandboxing is a NECESSARY but NOT SUFFICIENT condition for effective behavior detection.
6.
Sandbox History
o Norman Sandbox – 2003
o Anubis – 2006
o JoeBox – 2007
o ThreatExpert – 2008
o Cuckoo – 2010
8.
Methods of Analysis in Sandboxes
o User hooks – a software component is installed within the guest OS and reports all user-based activity to the trace handler (keylogger).
o Kernel hooks – the kernel of the guest OS is modified to accommodate tracing requirements (rootkit).
o System emulation – a hardware emulator is modified to hook the appropriate memory, disk IO functions, peripherals, etc., and report activities.
9.
Use of Sandboxes
1. Simplify malware research : show traces
2. Automated behavior based malware
detection : add analytics
11.
Anti-Sandboxing
o 1 Detecting Virtualization
o 2 Detecting presence of a live user (Turing test)
o 3 Detecting hooking or exploiting sandbox limitations
o Just like packers became effective against signature-based AV, evasion and armoring are bypassing rudimentary sandboxes
12.
How much malware can detect Virtual Machines
Source: Antiy Labs
13.
How much malware can detect Virtual Machines
Source: Qualys Labs
14.
Detect Virtualization via Registry check
o VMware can be detected via Registry: HKLM\HARDWARE\Description\System "SystemBiosVersion"
o VirtualBox can be detected via Registry: HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
16.
Poll question
How many of the 5 sandboxes I mentioned earlier
(Cuckoo, GFI, JoeSandbox, Comodo, ThreatExpert) can be detected
by PAFISH (Paranoid Fish)?
None
1
2
3
4
All of them
24.
Detect Environment: MAC Address
o 00:05:69:xx:xx:xx VMware
o 00:0C:29:xx:xx:xx VMware
o 00:1C:14:xx:xx:xx VMware
o 00:50:56:xx:xx:xx VMware
o 00:15:5D:xx:xx:xx Hyper V
o 00:16:3e:xx:xx:xx Xen
Source: Paul Jung, Bypassing Sandboxes for fun
26.
Detecting Virtualization: Problem
o Problem – a large portion of enterprise infrastructure is virtualized now, so malware that refuses to run on any virtual machine limits its own effectiveness.
o Need to detect sandboxes, not the VM
o Detect the presence/absence of the user.
27.
Detecting User
o CAPTCHA is a possible way
o Ask user to click the mouse
o Wait for a certain action of the user before executing (going to Facebook, logging in to the bank)
o Perform malicious activity upon reboot
28.
Sleep
o A popular strategy is to sleep, or to execute malicious code only on certain dates
o Most analysis systems are built with timeouts and have limits on how long they can wait, because they need to analyze many files.
o Because sleeps can be detected and stripped, malware executes various non-malicious code in lieu of sleep.
30.
Ping Google
o Some sandboxes do not allow the malware to connect out to the internet, so a simple way to detect a sandbox is just to verify internet connectivity
31.
Malware Example: Time Acceleration Detection
o Injector.akdd Trojan
o MD5: 3bbb59afdf9bda4ffdc644d9d51c53e7
o Implements 3 checks for hooking:
o GetTickCount
o GetSystemTimeAsFileTime
o NtQuerySystemTime
o If LESS than 998ms pass during execution: Abort!
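The check on this slide is also a test case for the sandbox itself: an analysis system that shortens Sleep() calls to save time must advance every clock source the guest can read by the same amount, or a sample like this one simply exits. The following is an added example (not code from the deck or from Cyphort) written from the sandbox operator's side: it takes readings of the three time sources captured before and after a requested sleep and reports which source would reveal the acceleration. The ClockReadings layout, the 50 ms tolerance and all numeric readings are constructed for the demo; collecting the real readings on a Windows guest (for example via ctypes) is assumed and not shown.

```python
"""Sandbox QA helper: do all clock sources agree after a Sleep()?

Added example, not from the slides. The Injector.akdd sample on the slide
aborts when GetTickCount, GetSystemTimeAsFileTime and NtQuerySystemTime
show less than 998 ms elapsed, so a sandbox that fast-forwards only one
of them is caught. The readings below are constructed numbers.
"""
from dataclasses import dataclass

FILETIME_UNITS_PER_MS = 10_000   # FILETIME / NtQuerySystemTime count 100 ns intervals
MIN_ELAPSED_MS = 998              # threshold the sample on the slide applies


@dataclass(frozen=True)
class ClockReadings:
    tick_count_ms: int      # GetTickCount(), milliseconds since boot
    system_filetime: int    # GetSystemTimeAsFileTime(), 100 ns units
    nt_system_time: int     # NtQuerySystemTime(), 100 ns units


def elapsed_ms(before, after):
    """Elapsed milliseconds per source, keyed by the API name the slide lists."""
    return {
        "GetTickCount": after.tick_count_ms - before.tick_count_ms,
        "GetSystemTimeAsFileTime":
            (after.system_filetime - before.system_filetime) // FILETIME_UNITS_PER_MS,
        "NtQuerySystemTime":
            (after.nt_system_time - before.nt_system_time) // FILETIME_UNITS_PER_MS,
    }


def audit_sleep(before, after, requested_ms=1000, tolerance_ms=50):
    """Return findings about a sleep of requested_ms; an empty list means every
    source advanced as a real machine's would."""
    findings = []
    per_source = elapsed_ms(before, after)
    for name, ms in per_source.items():
        if ms < requested_ms - tolerance_ms:
            findings.append(f"{name} advanced only {ms} ms for a {requested_ms} ms sleep")
    spread = max(per_source.values()) - min(per_source.values())
    if spread > tolerance_ms:
        findings.append(f"clock sources disagree by {spread} ms; acceleration is not uniform")
    return findings


def sample_would_run(before, after):
    """Mirror of the slide's rule: the sample continues only if every source
    shows at least MIN_ELAPSED_MS."""
    return all(ms >= MIN_ELAPSED_MS for ms in elapsed_ms(before, after).values())


# Constructed readings around a 1 s sleep. BASE is an arbitrary FILETIME value.
BASE = 133_000_000_000_000_000
GENUINE_BEFORE = ClockReadings(7_200_000, BASE, BASE)
# A real 1003 ms elapsed on every source.
GENUINE_AFTER = ClockReadings(7_201_003, BASE + 10_030_000, BASE + 10_030_000)
# A hook that bumped GetTickCount by the sleep length but let only 2 ms of
# wall-clock time pass on the other two sources.
SKEWED_AFTER = ClockReadings(7_201_003, BASE + 20_000, BASE + 20_000)

if __name__ == "__main__":
    for label, after in (("genuine", GENUINE_AFTER), ("skewed", SKEWED_AFTER)):
        print(label, audit_sleep(GENUINE_BEFORE, after), "sample runs:",
              sample_would_run(GENUINE_BEFORE, after))
```

Run once under the sandbox's normal sleep handling: an empty finding list means the three sources are kept in step; any finding names the source that needs to be advanced together with the others.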
32.
Checking GetUserName
o Malware name: Ponmocup Trojan
o MD5: 27aa08d113034eae5565fe2e8813a01e
o Uses GetUserName to check for these strings
o currentuser
o sandbox
o honey
o vmware
o nepenthes
o snort
o andy
o roo
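The MAC-address, registry and GetUserName slides each list a concrete artifact an analysis VM leaks, and the wrap-up recommends evaluating the sandbox against them. The following is an added example (not code from the deck or from Cyphort) of a hardening self-audit written for the sandbox operator: it takes a snapshot of facts already collected from the analysis guest and reports which of the indicators on those slides would give it away, with the corresponding fix. The VmSnapshot layout, the HYPERVISOR_VENDOR_STRINGS list (it assumes a stock guest's SystemBiosVersion string names the hypervisor vendor) and every sample value are constructed for the demo; collecting the snapshot from a live guest is not shown.

```python
"""Sandbox hardening self-audit for the environment artifacts in this deck.

Added example, not code from the slides or from Cyphort. It does not probe
a live machine: it takes a snapshot an analyst has already collected from
an analysis VM and reports which indicators from the MAC-address, registry
and GetUserName slides are exposed. Snapshot layout and values are constructed.
"""
from dataclasses import dataclass

# OUI prefixes from the "Detect Environment: MAC Address" slide.
VM_OUI_PREFIXES = {
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
}

# Key whose mere presence reveals VirtualBox (registry slide).
VBOX_GUEST_ADDITIONS_KEY = r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"

# Vendor names the deck mentions; assumption: a stock guest's
# SystemBiosVersion value (registry slide) carries the vendor name.
HYPERVISOR_VENDOR_STRINGS = ("vmware", "virtualbox", "vbox", "xen", "qemu")

# Substrings the Ponmocup sample compares against GetUserName().
SUSPICIOUS_USERNAME_PARTS = (
    "currentuser", "sandbox", "honey", "vmware", "nepenthes", "snort", "andy", "roo",
)


@dataclass(frozen=True)
class VmSnapshot:
    mac_addresses: tuple          # guest NIC addresses, any case, ':' or '-' separated
    registry_keys_present: tuple  # full key paths that exist in the guest
    system_bios_version: str      # HKLM\HARDWARE\Description\System "SystemBiosVersion"
    username: str                 # what GetUserName() returns in the guest


def audit_mac_addresses(macs):
    """Return (mac, vendor) pairs whose OUI marks a virtualization platform."""
    hits = []
    for mac in macs:
        oui = mac.lower().replace("-", ":")[:8]
        if oui in VM_OUI_PREFIXES:
            hits.append((mac, VM_OUI_PREFIXES[oui]))
    return hits


def audit_registry(keys_present, bios_version):
    """Return findings for the two registry indicators on the deck."""
    findings = []
    if any(k.lower().rstrip("\\") == VBOX_GUEST_ADDITIONS_KEY.lower() for k in keys_present):
        findings.append("VirtualBox Guest Additions key is present")
    lowered = bios_version.lower()
    for vendor in HYPERVISOR_VENDOR_STRINGS:
        if vendor in lowered:
            findings.append(f"SystemBiosVersion names a hypervisor vendor ({vendor!r})")
            break
    return findings


def audit_username(username):
    """Return the Ponmocup substrings found in the user name (case-insensitive)."""
    lowered = username.lower()
    return [part for part in SUSPICIOUS_USERNAME_PARTS if part in lowered]


def audit_snapshot(snap):
    """Collect every artifact finding together with the hardening action."""
    findings = []
    for mac, vendor in audit_mac_addresses(snap.mac_addresses):
        findings.append(f"MAC {mac} carries a {vendor} OUI: assign a non-vendor MAC to the guest NIC")
    for problem in audit_registry(snap.registry_keys_present, snap.system_bios_version):
        findings.append(f"{problem}: scrub it from the guest image")
    parts = audit_username(snap.username)
    if parts:
        findings.append(f"user name {snap.username!r} contains {parts}: use an ordinary employee-style name")
    return findings


# Constructed snapshot of a poorly hardened guest (all values made up).
SAMPLE_SNAPSHOT = VmSnapshot(
    mac_addresses=("00:0C:29:4A:7B:1C", "02:00:5E:10:00:01"),
    registry_keys_present=(),
    system_bios_version="Sample BIOS VMware (constructed)",
    username="sandbox-user",
)

if __name__ == "__main__":
    for line in audit_snapshot(SAMPLE_SNAPSHOT):
        print("FINDING:", line)
```

The audit only covers the indicators the deck names; a guest that passes it cleanly can still be recognized by artifacts the talk lists later (disk identifiers, missing mouse movement, no internet access), so treat it as one item in the evaluation the wrap-up recommends rather than a verdict.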
33.
Sazoora malware: Detecting the mouse
o If the sample can't detect mouse movement, execution will be slowed down
34.
Sazoora malware: Timing attacks
o Sazoora only runs on the 16th, 17th or 18th of any month
Read more about Sazoora on our blog: https://www.cyphort.com/blog/sazoora-dissecting-bundle-evasion-stealth/
35.
SmartFortress FakeAV malware: Hard Disk Identifiers
o FakeAV SmartFortress Trojan
o MD5: a2d4e451f84b74185ecba8e728b65fe3
o Hard disk identifiers often give away the virtualization platform
o Checked with
o SetupDiGetClassDevs
o SetupDiEnumDeviceInfo
o SetupDiGetDeviceRegistryProperty
36.
SmartFortress FakeAV malware : Exotic Instruction Sets
o MMX is an Intel instruction set designed for faster processing of graphical applications
o Occasionally used by malware as random instructions
o Usually not supported by malware emulators
37.
Recap: Types of Anti-sandboxing tricks
o Detecting virtualization : Not running in the VM
o Sleeping
o Delay loops
o Detecting hooks (user level | kernel level )
o GUI – prompting the user for action
o Running only on certain dates
o Detects Sandbox by time acceleration
o Killing analysis tools
o Checking browser history, running apps, AD domain membership
38.
Poll question
Which of the anti-sandboxing techniques below do you think is the most
popular among malware writers?
A - Detecting Virtual Machines
B - Delay loop execution
C - A and B equally
D - Sleeping
E - Anti-hooking
39.
Popularity of different anti-sandbox techniques
Source: Cyphort Labs
40.
Non traditional File Formats
o Another way to circumvent sandbox detection: attack a non-traditional platform and do not use a PE32 executable.
o PDF, Excel, Word
o 64 bit Windows EXE malware
o Mac OSX malware
41.
Wrap up
o Harden the sandbox against known evasion techniques
o Use multiple types of sandboxes
o Use multiple techniques for malware analysis
o Evaluate sandboxing tools against known evasion techniques
42.
Q and A
Previous MMW slides on www.slideshare.net/Cyphort/
User-mode agent – a software component is installed within the guest operating system and reports all user-based activity to the trace handler (think of it as a keylogger). It captures more specific, application-level behavior and shows exactly what a sample is doing, but it can be detected and subverted.
Kernel-mode patching – the kernel of the guest operating system is modified to accommodate tracing requirements (think of it as a rootkit). It is very difficult to subvert, but the data is more generic: basic kernel operations such as file, process and registry activity, and OS-level information.
System emulation – a hardware emulator is modified to hook the appropriate memory, disk IO functions, peripherals, etc., and report activities (think of it as a hall-of-mirrors approach). An emulator is a kind of VM that implements all hardware components in software, including memory, so probes can be placed to analyze malware and memory taint analysis becomes possible. Emulation approaches work well for more difficult operating systems (e.g. Android, SCADA systems). The drawback is that low-level behaviors are hard to map to something malicious. Cyphort can switch easily between approaches. Initially malware did not detect QEMU the way it detected VirtualBox and VMware, but that has changed over time.