Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Anti-Sandbox Malware tricks
Your speakers today Nick Bilogorskiy @belogor Director of Security Research Shelendra Sharma Product Marketing Director
Agenda o Introduction to Sandboxing o How Malware breaks sandboxes o Wrap-up and Q&A CyphortLabsT-shirt
Threat Monitoring & Research team ________ 24X7 monitoring for malware events ________ Assist customers with their Forensi...
What is a sandbox o Sandbox is a instrumented detonation environment, where malware can be run and observed, but will not ...
Norman Sandbox Anubis JoeBox Sandbox History 2003 2006 2007 ThreatExpert2008 Cuckoo2010
What is a sandbox
Methods of Analysis in Sandboxes o User hooks - a software component is installed within the guest OS and reports all user...
Use of Sandboxes 1. Simplify malware research : show traces 2. Automated behavior based malware detection : add analytics
Breaking Sandboxes
Anti-Sandboxing o 1 Detecting Virtualization o 2 Detecting presence of a live user (Turing test) o 3 Detecting hooking or ...
How much malware can detect Virtual Machines Source: Antiy Labs
How much malware can detect Virtual Machines Source: Qualys Labs
o VMWare can be detected via Registry: o Virtualbox can be detected via Registry: HKLMHARDWAREDescriptionSystem "SystemBio...
PAFISH - (Paranoid Fish) - github.com/a0rtega/pafish
Poll question How many of the 5 sandboxes I mentioned earlier (Cuckoo, GFI, JoeSandbox, Comodo, ThreatExpert) can be detec...
PAFISH detects all
Detecting Virtualization o Check if disk size is less than 50GB Pafish code
Detecting Virtualization o Check if the disk is called “VBOX ” Pafish code
http://pastebin.com/u/waliedassar
Detecting VMWare o IO Virtualization, IN instruction
Detecting Virtualization by Timing
Redpill IDTR (Interrupt Descriptor Table Register)
Detect Environment: MAC Address o 00:05:69:xx:xx:xx VMware o 00:0C:29:xx:xx:xx VMware o 00:1C:14:xx:xx:xx VMware o 00:50:5...
Buy it – use a ready made anti-vm tool
Detecting Virtualization: Problem o Problem – a large portion of enterprise infrastructure is virtualized now, so it would...
Detecting User o CAPTCHA is a possible way o Ask user to click the mouse o Wait for a certain action of the user to execut...
Sleep o A popular strategy is to sleep or execute malicious code on certain dates o Most Analysis systems are built with t...
Detecting hooks
Ping Google o Some sandboxes do not allow the malware to connect outside to the internet, so a simple way to detect a sand...
Malware Example: Time Acceleration Detection o Injector.akdd Trojan MD5: 3bbb59afdf9bda4ffdc644d9d51c53e7 Implements 3 che...
Checking GetUserName o Malware name: Ponmocup Trojan o MD5: 27aa08d113034eae5565fe2e8813a01e o Uses GetUserName to check f...
Sazoora malware: Detecting the mouse o If the sample can't detect mouse movement execution will be slowed down
Sazoora malware: Timing attacks o Sazoora only runs on 16, 17 or 18 of any month Read more about Sazoora on our blog: http...
SmartFortress FakeAV malware: Hard Disk Identifiers o FakeAV SmartFortress Trojan o MD5: a2d4e451f84b74185ecba8e728b65fe3 ...
SmartFortress FakeAV malware : Exotic Instruction Sets • MMX is an Intel instruction set designed for faster processing of...
Recap: Types of Anti-sandboxing tricks o Detecting virtualization : Not running in the VM o Sleeping o Delay loops o Detec...
Poll question Which of the anti-sandboxing techniques below do you think is the most popular among malware writers? A - De...
Popularity of different anti-sandbox techniques Source: Cyphort Labs
Non traditional File Formats o Another way to circumvent Sandbox detection: Attack non-traditional platform: do not use a ...
Wrap up o Harden the Sandbox against known evasion techniques o Use Multiple types of Sandboxes o Use multiple techniques ...
Q and A Previous MMW slides on www.slideshare.net/ Cyphort/
Thank You! Twitter: @belogor
MMW Anti-Sandbox Techniques
MMW Anti-Sandbox Techniques
Upcoming SlideShare
Loading in …5
×

MMW Anti-Sandbox Techniques

1,942 views

Published on

Malware writers are well aware of sandboxing, a popular way to detect brand new unknown malware by its behavior, and make code that infects the intended victim but has no malicious behavior in a sandbox. This MMW webinar demos specific ways how malware detects and hides from sandboxes including environmental check, stalling code, sleeps, hook detection and click triggers.

Published in: Technology
no profile picture user

  • Be the first to comment

MMW Anti-Sandbox Techniques

  1. 1. Anti-Sandbox Malware tricks
  2. 2. Your speakers today Nick Bilogorskiy @belogor Director of Security Research Shelendra Sharma Product Marketing Director
  3. 3. Agenda o Introduction to Sandboxing o How Malware breaks sandboxes o Wrap-up and Q&A CyphortLabsT-shirt
  4. 4. Threat Monitoring & Research team ________ 24X7 monitoring for malware events ________ Assist customers with their Forensics and Incident Response We enhance malware detection accuracy ________ False positives/negatives ________ Deep-dive research We work with the security ecosystem ________ Contribute to and learn from malware KB ________ Best of 3rd Party threat data
  5. 5. What is a sandbox o Sandbox is a instrumented detonation environment, where malware can be run and observed, but will not cause harm to the actual system. o Sandboxes are used for dynamic malware analysis and behavior based detection o Sandboxing is a NECESSARY but NOT SUFFICIENT condition for effective behavior detection
  6. 6. Norman Sandbox Anubis JoeBox Sandbox History 2003 2006 2007 ThreatExpert2008 Cuckoo2010
  7. 7. What is a sandbox
  8. 8. Methods of Analysis in Sandboxes o User hooks - a software component is installed within the guest OS and reports all user-based activity to the trace handler (keylogger). o Kernel hooks – The kernel of the guest OS is modified to accommodate tracing requirements (rootkit). o System emulation – A hardware emulator is modified to hook appropriate memory, disk IO functions and peripherals (etc.) and report activities
  9. 9. Use of Sandboxes 1. Simplify malware research : show traces 2. Automated behavior based malware detection : add analytics
  10. 10. Breaking Sandboxes
  11. 11. Anti-Sandboxing o 1 Detecting Virtualization o 2 Detecting presence of a live user (Turing test) o 3 Detecting hooking or exploiting sandbox limitations o Just like packers became effective to fight signature based AV, evasion and armoring are bypassing rudimentary sandboxes
  12. 12. How much malware can detect Virtual Machines Source: Antiy Labs
  13. 13. How much malware can detect Virtual Machines Source: Qualys Labs
  14. 14. o VMWare can be detected via Registry: o Virtualbox can be detected via Registry: HKLMHARDWAREDescriptionSystem "SystemBiosVersion" HKLMSOFTWAREOracleVirtualBox Guest Additions Detect Virtualization via Registry check
  15. 15. PAFISH - (Paranoid Fish) - github.com/a0rtega/pafish
  16. 16. Poll question How many of the 5 sandboxes I mentioned earlier (Cuckoo, GFI, JoeSandbox, Comodo, ThreatExpert) can be detected by PAFISH (Paranoid Fish)? None 1 2 3 4 All of them
  17. 17. PAFISH detects all
  18. 18. Detecting Virtualization o Check if disk size is less than 50GB Pafish code
  19. 19. Detecting Virtualization o Check if the disk is called “VBOX ” Pafish code
  20. 20. http://pastebin.com/u/waliedassar
  21. 21. Detecting VMWare o IO Virtualization, IN instruction
  22. 22. Detecting Virtualization by Timing
  23. 23. Redpill IDTR (Interrupt Descriptor Table Register)
  24. 24. Detect Environment: MAC Address o 00:05:69:xx:xx:xx VMware o 00:0C:29:xx:xx:xx VMware o 00:1C:14:xx:xx:xx VMware o 00:50:56:xx:xx:xx VMware o 00:15:5D:xx:xx:xx Hyper V o 00:16:3e:xx:xx:xx Xen Source: Paul Jung, Bypassing Sanboxes for fun
  25. 25. Buy it – use a ready made anti-vm tool
  26. 26. Detecting Virtualization: Problem o Problem – a large portion of enterprise infrastructure is virtualized now, so it would limit the malware effectiveness if they avoid running on any virtual machine. o Need to detect sandboxes, not the VM o Detect the presence/absense of the user.
  27. 27. Detecting User o CAPTCHA is a possible way o Ask user to click the mouse o Wait for a certain action of the user to execute (go to Facebook, login to the bank) o Perform malicious activity upon reboot
  28. 28. Sleep o A popular strategy is to sleep or execute malicious code on certain dates o Most Analysis systems are built with timeouts and have limits on how long they can wait, because they need to analyze many files. o Because sleeps can be detected and stripped, execute various non-malicious code in lieu of sleep.
  29. 29. Detecting hooks
  30. 30. Ping Google o Some sandboxes do not allow the malware to connect outside to the internet, so a simple way to detect a sandbox is just to verify internet connectivity
  31. 31. Malware Example: Time Acceleration Detection o Injector.akdd Trojan MD5: 3bbb59afdf9bda4ffdc644d9d51c53e7 Implements 3 checks for hooking: o GetTickCount o GetSystemTimeAsFileTime o NtQuerySystemTime o If LESS than 998ms pass during execution: - Abort!
  32. 32. Checking GetUserName o Malware name: Ponmocup Trojan o MD5: 27aa08d113034eae5565fe2e8813a01e o Uses GetUserName to check for these strings o currentuser o sandbox o honey o vmware o nepenthes o snort o andy o roo
  33. 33. Sazoora malware: Detecting the mouse o If the sample can't detect mouse movement execution will be slowed down
  34. 34. Sazoora malware: Timing attacks o Sazoora only runs on 16, 17 or 18 of any month Read more about Sazoora on our blog: https://www.cyphort.com/blog/ sazoora-dissecting-bundle- evasion-stealth/
  35. 35. SmartFortress FakeAV malware: Hard Disk Identifiers o FakeAV SmartFortress Trojan o MD5: a2d4e451f84b74185ecba8e728b65fe3 o Hard disk identifiers often give away the virtualization platform o Checked with o SetupDiGetClassDivs o SetupDiGetEnumDeviceInfo o SetupDiGetDeviceRegistryProperty
  36. 36. SmartFortress FakeAV malware : Exotic Instruction Sets • MMX is an Intel instruction set designed for faster processing of graphical applications • Occationally used by malware as random instructions • Usually not supported by malware emulators
  37. 37. Recap: Types of Anti-sandboxing tricks o Detecting virtualization : Not running in the VM o Sleeping o Delay loops o Detecting hooks (user level | kernel level ) o GUI – prompting the user for action o Running only on certain dates o Detects Sandbox by time acceleration o Killing analysis tools o Checking Browser History, Running Apps, AD Domain memberhip
  38. 38. Poll question Which of the anti-sandboxing techniques below do you think is the most popular among malware writers? A - Detecting Virtual Machines B - Delay loop execution C - A and B equally D - Sleeping E - Anti-hooking
  39. 39. Popularity of different anti-sandbox techniques Source: Cyphort Labs
  40. 40. Non traditional File Formats o Another way to circumvent Sandbox detection: Attack non-traditional platform: do not use a PE32 executable.. o PDF, Excel, Word o 64 bit Windows EXE malware o Mac OSX malware
  41. 41. Wrap up o Harden the Sandbox against known evasion techniques o Use Multiple types of Sandboxes o Use multiple techniques for malware analysis o Evaluate sandboxing tools against known evasion techniques
  42. 42. Q and A Previous MMW slides on www.slideshare.net/ Cyphort/
  43. 43. Thank You! Twitter: @belogor

×