1.
Anti-Sandbox
Malware tricks

2.
Your speakers today
Nick Bilogorskiy
@belogor
Director of Security Research
Shelendra Sharma
Product Marketing Director

3.
Agenda
o Introduction to Sandboxing
o How Malware breaks sandboxes
o Wrap-up and Q&A
CyphortLabsT-shirt

4.
Threat Monitoring &
Research team
________
24X7 monitoring for
malware events
________
Assist customers with
their Forensics and
Incident Response
We enhance malware
detection accuracy
________
False positives/negatives
________
Deep-dive research
We work with the
security ecosystem
________
Contribute to and learn
from malware KB
________
Best of 3rd Party threat
data

5.
What is a sandbox
o Sandbox is a instrumented detonation
environment, where malware can be run
and observed, but will not cause harm to
the actual system.
o Sandboxes are used for dynamic
malware analysis and behavior based
detection
o Sandboxing is a NECESSARY but NOT
SUFFICIENT condition for effective
behavior detection

6.
Norman Sandbox
Anubis
JoeBox
Sandbox History
2003
2006
2007
ThreatExpert2008
Cuckoo2010

7.
What is a sandbox

8.
Methods of Analysis in Sandboxes
o User hooks - a software component is installed within the
guest OS and reports all user-based activity to the trace
handler (keylogger).
o Kernel hooks – The kernel of the guest OS is modified to
accommodate tracing requirements (rootkit).
o System emulation – A hardware emulator is modified to
hook appropriate memory, disk IO functions and
peripherals (etc.) and report activities

9.
Use of Sandboxes
1. Simplify malware research : show traces
2. Automated behavior based malware
detection : add analytics

10.
Breaking Sandboxes

11.
Anti-Sandboxing
o 1 Detecting Virtualization
o 2 Detecting presence of a live user (Turing test)
o 3 Detecting hooking or exploiting sandbox limitations
o Just like packers became effective to fight signature based AV,
evasion and armoring are bypassing rudimentary sandboxes

12.
How much malware can detect Virtual Machines
Source: Antiy Labs

13.
How much malware can detect Virtual Machines
Source: Qualys Labs

14.
o VMWare can be detected via Registry:
o Virtualbox can be detected via Registry:
HKLMHARDWAREDescriptionSystem "SystemBiosVersion"
HKLMSOFTWAREOracleVirtualBox Guest Additions
Detect Virtualization via Registry check

15.
PAFISH - (Paranoid Fish) - github.com/a0rtega/pafish

16.
Poll question
How many of the 5 sandboxes I mentioned earlier
(Cuckoo, GFI, JoeSandbox, Comodo, ThreatExpert) can be detected
by PAFISH (Paranoid Fish)?
None
1
2
3
4
All of them

17.
PAFISH detects all

18.
Detecting Virtualization
o Check if disk size is less than 50GB
Pafish code

19.
Detecting Virtualization
o Check if the
disk is called
“VBOX ”
Pafish code

20.
http://pastebin.com/u/waliedassar

21.
Detecting VMWare
o IO Virtualization, IN instruction

22.
Detecting Virtualization by Timing

23.
Redpill IDTR (Interrupt Descriptor Table Register)

24.
Detect Environment: MAC Address
o 00:05:69:xx:xx:xx VMware
o 00:0C:29:xx:xx:xx VMware
o 00:1C:14:xx:xx:xx VMware
o 00:50:56:xx:xx:xx VMware
o 00:15:5D:xx:xx:xx Hyper V
o 00:16:3e:xx:xx:xx Xen
Source: Paul Jung, Bypassing Sanboxes for fun

25.
Buy it – use a ready made anti-vm tool

26.
Detecting Virtualization: Problem
o Problem – a large portion of enterprise infrastructure is
virtualized now, so it would limit the malware effectiveness
if they avoid running on any virtual machine.
o Need to detect sandboxes, not the VM
o Detect the presence/absense of the user.

27.
Detecting User
o CAPTCHA is a possible way
o Ask user to click the mouse
o Wait for a certain action of
the user to execute (go to
Facebook, login to the bank)
o Perform malicious activity
upon reboot

28.
Sleep
o A popular strategy is to sleep or execute malicious code on
certain dates
o Most Analysis systems are built with timeouts and have
limits on how long they can wait, because they need to
analyze many files.
o Because sleeps can be detected and stripped, execute
various non-malicious code in lieu of sleep.

29.
Detecting hooks

30.
Ping Google
o Some sandboxes do not allow the malware to connect
outside to the internet, so a simple way to detect a sandbox
is just to verify internet connectivity

31.
Malware Example: Time Acceleration Detection
o Injector.akdd Trojan
MD5: 3bbb59afdf9bda4ffdc644d9d51c53e7
Implements 3 checks for hooking:
o GetTickCount
o GetSystemTimeAsFileTime
o NtQuerySystemTime
o If LESS than 998ms pass during
execution:
- Abort!

32.
Checking GetUserName
o Malware name: Ponmocup Trojan
o MD5: 27aa08d113034eae5565fe2e8813a01e
o Uses GetUserName to check for these strings
o currentuser
o sandbox
o honey
o vmware
o nepenthes
o snort
o andy
o roo

33.
Sazoora malware: Detecting the mouse
o If the sample can't detect mouse movement execution will
be slowed down

34.
Sazoora malware: Timing attacks
o Sazoora only
runs on 16, 17 or 18 of any month
Read more about Sazoora on our blog:
https://www.cyphort.com/blog/
sazoora-dissecting-bundle-
evasion-stealth/

35.
SmartFortress FakeAV malware: Hard Disk Identifiers
o FakeAV SmartFortress Trojan
o MD5: a2d4e451f84b74185ecba8e728b65fe3
o Hard disk identifiers often give
away the virtualization platform
o Checked with
o SetupDiGetClassDivs
o SetupDiGetEnumDeviceInfo
o SetupDiGetDeviceRegistryProperty

36.
SmartFortress FakeAV malware : Exotic Instruction Sets
• MMX is an Intel instruction set designed
for faster processing of graphical
applications
• Occationally used by malware as random
instructions
• Usually not supported by malware
emulators

37.
Recap: Types of Anti-sandboxing tricks
o Detecting virtualization : Not running in the VM
o Sleeping
o Delay loops
o Detecting hooks (user level | kernel level )
o GUI – prompting the user for action
o Running only on certain dates
o Detects Sandbox by time acceleration
o Killing analysis tools
o Checking Browser History, Running Apps, AD Domain memberhip

38.
Poll question
Which of the anti-sandboxing techniques below do you think is the most
popular among malware writers?
A - Detecting Virtual Machines
B - Delay loop execution
C - A and B equally
D - Sleeping
E - Anti-hooking

39.
Popularity of different anti-sandbox techniques
Source: Cyphort Labs

40.
Non traditional File Formats
o Another way to circumvent Sandbox detection:
Attack non-traditional platform: do not use a
PE32 executable..
o PDF, Excel, Word
o 64 bit Windows EXE malware
o Mac OSX malware

41.
Wrap up
o Harden the Sandbox against known
evasion techniques
o Use Multiple types of Sandboxes
o Use multiple techniques for malware
analysis
o Evaluate sandboxing tools against
known evasion techniques

42.
Q and A
Previous
MMW slides on
www.slideshare.net/
Cyphort/

43.
Thank You!
Twitter: @belogor