SlideShare a Scribd company logo

Sandbox detection: leak, abuse, test - Hacktivity 2015

Download as PPTX, PDF
Zoltan Balazs
Zoltan Balazs

Sandbox detection: leak, abuse, test - Hacktivity 2015

Technology
1 of 58
Sandbox detection: leak, abuse, test In cooperation with CrySyS lab, Budapest 2015
root@kali:~# whoami Zoltán Balázs
root@kali:~# whoami
root@kali:~# whoami I’m NOT a CEH Creator of the Zombie Browser Toolkit https://github.com/Z6543/ZombieBrowserPack Creator of the HWFW Bypass tool • Idea later(?) implemented by nation state attackers in Duqu 2.0 https://github.com/MRGEffitas/hwfwbypass Invented the idea of encrypted exploit delivery via Diffie- Hellman key exchange, to bypass exploit detection appliances • Recently implemented by Angler and Nuclear exploit kit developers
I love hacking
Fun “CYBER” game – win a beer Find one of the following words on the slides, or in a picture, and shout it • Cyberattack • Cyberbank • Cybereye • Cybershima • Cyberphobia • Cybercloud • Cybergeddon • Cyberwarrior • Cybercompliance • Cybercyber • Cyberhacker • CyberCISO • CyberBYOD
How may I help you? Are you writing a malware during pentest? Are you developing a new malware analysis sandbox? Are you analyzing malware and don’t know why it is not running on your sandbox? Are you testing malware analysis sandboxes, because you want to buy one? Are you bored and just want to watch a fun presentation?
Current malware analysis Static automated – malware is not started • Easy to bypass Dynamic automated – malware is started • This presentation is about this type of analysis Manual • Hard to keep up with daily 200 000 new samples • Analysis can take days, even weeks
This is not the sandbox I am talking about today
This is still not the sandbox I will talk about today
This is the sandbox I want to talk about Malware analysis sandbox Breach detection system A(dvanced) P(ersistent) T(hreats) detector Malware  ?????  alert/report @norsec0de
What is my problem with these super cool sandboxes? The problem is sometimes the marketing department price real value There are exceptions
New anti APT tools are no silver bullets http://bit.ly/1zZJkth
How much $ £ ¥ € does it costs? 10 000 USD - 350 000 USD + yearly maintenance up to 100 000 USD You can buy this “company car” for the same price:
Let’s meet the hero of the hour, Trevor the CISO at ACME Co.
The Trevor dilemma Trevor wants to protect the network against malware Vendor 1: “We detected the most 0-day exploits last year” Vendor 2: “We are the most expensive, so we are the best” Vendor 3: “We are the cheapest so you can be compliant, and save money” Vendor 4: “Come with us to the strip-club, we pay” Car Vendor 1: “The new model is out, what a nice company car”
What should Trevor do?
What about testing the sandbox? There are thousands of aspects of how Trevor can test a malware analysis sandbox Attackers pentesters deploy anti sandbox solutions One part of the test is to check anti anti sandbox solutions implemented in the sandbox • If a lame common malware can evade the dynamic analysis, the solution won’t protect Trevor against (advanced?) targeted attacks
Why attackers pentesters evade dynamic analysis via hiding in the shadows? Long engagement • The malware test doesn’t get busted on day one Code reuse in new engagements • You don’t have to reinvent the wheel every time for a new project
What’s wrong with the current sandbox detection techniques? Too much focus on virtualization • but handy in targeted attacks! More and more legitimate targets in virtualized environments • but not the CEO on the road Methods already known and flagged as malicious • VmWare IO ports Methods already known, defeated and flagged • ProductID
Workstation disguised as a VM
VMWare: SELECT SerialNumber FROM Win32_Bios VirtualBox: Select DeviceID from Win32_PnPEntity Virtualbox detection technique defeated by Tsugumi from VBoxHardenedLoader How Hacking Team malware evades detection when #YourBoySerge is not around
No live demo, Serge is not around to help
How to interpret results Both “probability of busted” and “sandbox detection effectiveness” is measured Good sandbox detection effectiveness, easily flagged as malicious Normal effectiveness, possible flagged Hard to get flagged as malicious not effective
Screen resolution Pro tip Can be used in exploit kits, before exploit How many people browse the web with 800*600, or even 1024*768? Are these people your target? JavaScript screen.width, screen.height works in almost all browser, except Tor browser
Screen resolution 43%: 1024x768 – this is a problem 36%: 800x600 – this is an even bigger problem 640x480 – this is just LOL 1024x697 1280x800 1280x960 1680x1050 1916x1066
Installed software Python 2.5.1 Tracer PHP 5.3.8 Python winappdbg 1 4 Debugging Tools for Windows x86 Python winappdbg 1 4 Strawberry Perl VMware Tools VEware Tools
Running processes on sandboxes C:SandCastletools • FakeServer.exe • FakeHTTPServerFakeHTTPServer.exe • BehaviorDumper.exe C:Python27python.exe C:tslRaptorClient.exe C:mapp_start_foldersnowball.exe > the sample renamed C:toolsdumper.exe C:VxStreamStaticStreamMgr.exe
CPU type AMD Opteron tm Processor 3365 – server AMD Phenom tm 9550 Quad Core Processor – server Intel Pentium III Xeon processor – server Intel R Xeon R CPU E5 2620 0 2 00GHz - server Intel Pentium Pro processor - ??? Intel Pentium II processor - ??? Intel R Atom TM CPU D525 1 80GHz – desktop Intel R Core TM 2 Duo CPU T7700 2 40GHz – desktop
CPU 2 Most of the time: • Number of Cores 1 Rarely seen in sandboxes: • Number of Cores 2 • Number of Cores 4 (Sandbox in Ukraine)
Computer system – which one can be your real target (e.g. CEO) Bochs VirtualBox VMware Virtual Platform KVM X7SPT DF – Supermicro Server Platform MYTUAL MYVTUAL Platform OptiPlex 990 – Dell desktop 4287A72 – Thinkpad P5Q SE – Asus desktop 68% Virtualized, 18% desktop, 14% server
Mouse 80% no mouse movement 20% mouse moved X:0 Y:0 X:400 Y:300 X:600 Y:600
Memory size 133 730 304 133 734 400 267 894 784 267 952 128 536 330 240 536 403 968 804 765 696 804 818 944 1 073 201 152 1 073 274 880 1 073 328 128 3 219 877 888 4 293 337 088 4 294 500 352
Machine name Antony PC C2F3F0B206C14E9 CWS01_23 David PC GOAT WXPSP2B GT FDCCD9A7405D HOME HOME OFF D5F0AC Klone PC CyberEye Machine name as a white-list can be powerful PSPUBWS PC PUBLIC EA8367E7 RON AC13BF686B1 ROOT D SANDBOXA TESPC0 test PC USER201 USERDOMAIN vwinxp maltest WILBERT SC1317
Real “user” desktop, busy working Screenshots from torrent Hacked Team c.pozziscreenshots
USB Flash Drive Usually: • no pendrive Rarely seen: • 128MB USB2 0FlashDrive USB Device • IPMI Virtual CDROM USB Device • Kingston DataTraveler 2 0 USB Device
Printer The only printers in sandboxes: • Default Windows printers • Adobe • Office (Sendnote)
Not effective Detect usermode hooking: • DeleteFileW • RegOpenKeyExA Connect to local port 445 Click on messagebox BIOS version
Recently modified/created files Based on the folder you are looking at (Desktop, Documents, Appdata, Temp, …) • it is usually less than 3 on sandboxes • a lot more than 3 on desktops Slow 
Client IP and reverse DNS See http://avtracker.info/ Magnitude exploit kit: • “The code searches the "banlist" database table for the victim's source IP address. This table contains about 1,400 IP range records belonging to several high profile companies” • Banbyhostname() searches for the presence of the following words in the victim's hostname: "whois", "proxy", "yahoo", "opera", ".mil", ".gov", "google", "demon", "localhost", "dedicated", "hosting", "leaseweb", "cisco" and "bot". • https://www.trustwave.com/Resources/SpiderLabs Blog
Where to implement these sandbox detection methods? 1. Automated decision, in the malware • Pro – no info leak about C&C • Con – not everything can be implemented here 2. Automated, on the C&C server • Pro – lot more possibilities • Con – C&C server info leaked 3. Manually, info from the C&C server • Pro – powerful e.g. analyze desktop screenshot • Con – expensive Best approach • Use all three layers, stop execution at first detection
Know your victim Are you attacking desktop users but malware starts on XEON processors? Are you targeting a CEO and runs on Pentium II with 128 MByte memory? Desktop user having no printers installed? Desktop user never used USB flash drives? OS uptime is 1 minute?
The hard problems – Part 1 Is sleep function simulated? • No (89%) • Sleep for a certain amount of time • Reach timeout limit (5 minutes) • PROFIT • Yes (11%) • Easy to detect • Detect it and quit • PROFIT Solution: • Continuous sandboxing
The hard problems – Part 2 Network connection Is there a HTTP connection to the Internet (directly or proxy)? • Yes • Leak some data – e.g. multiple screenshots • Decide on server side • PROFIT • No • If you don’t target airgapped machines, it’s safe to quit • PROFIT • There is one, but it is emulated • Detect it by downloading a known object • Calculate hash • Compare • PROFIT
My lessons learned Creating an executable which runs on every malware analysis sandbox is a lot harder than expected • Even when the sample runs on WinXPSp2 – Win8.1 x64 Size limitations • free sandboxes 5 Mbyte Sandbox does not follow child process • sometimes Only one thread executed • was this a manual analysis? Unknown crash • For unknown reason
Lessons learned Malware writers (penetration testers) • It is incredibly easy to evade static and dynamic analysis • Manual analysis is hard (or impossible) to defeat • But possible with lot of samples and new tricks on the long run! Sandbox developers • If you are selling your sandbox for $$$, try harder • Dump a real user workstation and keep updated with user behavior • It is hard to do it right, but easy to do it wrong Blue team/defensive side • Test your sandbox before buying • Customize your sandbox to match your desktops • Don’t trust the marketing/sales department • There are some good sandboxes out there!
After a good test, Trevor can choose wisely
Code release now?
The basics https://github.com/hfiref0x/VMDE https://github.com/hfiref0x/VBoxHardenedLoader http://www.kernelmode.info/forum/viewtopic.php?f=11& t=1911 http://blog.michaelboman.org/2014/01/making virtualbox nearly undetectable.html https://github.com/wmetcalf/buildcuckoo trusty http://avtracker.info/ http://jbremer.org/vmcloak2/ https://www.youtube.com/watch?v=Ez_Gl5D_BV0 https://github.com/Yara- Rules/rules/blob/master/antidebug.yar
Hack the planet! One computer at a time … https://github.com/MRGEffitas/Sandbox_tester zoltan.balazs@mrg-effitas.com https://hu.linkedin.com/in/zbalazs Twitter – @zh4ck www.slideshare.net/bz98 Greetz to @CrySySLab, @SpamAndHex JumpESPJump.blogspot.com

Recommended

DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Zoltan Balazs
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT) Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT)Zoltan Balazs
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-daysZoltan Balazs
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 

Recommended

DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Zoltan Balazs
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT) Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT)Zoltan Balazs
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-daysZoltan Balazs
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Step by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometStep by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometPich Pra Tna
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnieZoltan Balazs
 
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopDefcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopPriyanka Aash
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slidesPacSecJP
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzDeepanshu Gajbhiye
 
Password Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPassword Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPrasad Pawar
 
MIPS-X
MIPS-XMIPS-X
MIPS-XZoltan Balazs
 
Fuzzing
FuzzingFuzzing
FuzzingKhalegh Salehi
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomPriyanka Aash
 
Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a HouseSynack
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakesJustin Black
 
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Duo Security
 
0day hunting a.k.a. The story of a proper CPE test
0day hunting a.k.a. The story of a proper CPE test0day hunting a.k.a. The story of a proper CPE test
0day hunting a.k.a. The story of a proper CPE testBalazs Bucsay
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalPacSecJP
 
Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPPich Pra Tna
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecPacSecJP
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Juniper Networks
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensionsZoltan Balazs
 

More Related Content

What's hot

Step by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometStep by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometPich Pra Tna
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnieZoltan Balazs
 
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopDefcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopPriyanka Aash
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slidesPacSecJP
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzDeepanshu Gajbhiye
 
Password Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPassword Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPrasad Pawar
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomPriyanka Aash
 
Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a HouseSynack
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakesJustin Black
 
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Duo Security
 
0day hunting a.k.a. The story of a proper CPE test
0day hunting a.k.a. The story of a proper CPE test0day hunting a.k.a. The story of a proper CPE test
0day hunting a.k.a. The story of a proper CPE testBalazs Bucsay
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalPacSecJP
 
Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPPich Pra Tna
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecPacSecJP
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 

What's hot (20)

Step by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometStep by Step on How to Setup DarkComet
Step by Step on How to Setup DarkComet
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie
 
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopDefcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slides
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritz
 
Password Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPassword Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass Protocol
 
MIPS-X
MIPS-XMIPS-X
MIPS-X
 
Fuzzing
FuzzingFuzzing
Fuzzing
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-room
 
Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a House
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakes
 
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
 
0day hunting a.k.a. The story of a proper CPE test
0day hunting a.k.a. The story of a proper CPE test0day hunting a.k.a. The story of a proper CPE test
0day hunting a.k.a. The story of a proper CPE test
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
 
Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIP
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 

Similar to Sandbox detection: leak, abuse, test - Hacktivity 2015

Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Juniper Networks
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensionsZoltan Balazs
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The EnterpriseJason Ross
 
LST Toolkit: Exfiltration Over Sound, Light, Touch
LST Toolkit: Exfiltration Over Sound, Light, TouchLST Toolkit: Exfiltration Over Sound, Light, Touch
LST Toolkit: Exfiltration Over Sound, Light, TouchDimitry Snezhkov
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_enSunghun Kim
 
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botGroup of company MUK
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devicesNikhil Mittal
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012Zoltan Balazs
 
Keith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysisKeith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysisKeith Jones, PhD
 
PAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLERPAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLERNeotys
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
Adversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsAdversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsJustin Warner
 
Adversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the ProsAdversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the Prossixdub
 
Hacklu2011 tricaud
Hacklu2011 tricaudHacklu2011 tricaud
Hacklu2011 tricaudstricaud
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS ConsolidatedKarter Rohrer
 
Sensepost assessment automation
Sensepost assessment automationSensepost assessment automation
Sensepost assessment automationSensePost
 

Similar to Sandbox detection: leak, abuse, test - Hacktivity 2015 (20)

Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 
LST Toolkit: Exfiltration Over Sound, Light, Touch
LST Toolkit: Exfiltration Over Sound, Light, TouchLST Toolkit: Exfiltration Over Sound, Light, Touch
LST Toolkit: Exfiltration Over Sound, Light, Touch
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
 
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving bot
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
 
Hacktivityonly 121013141039-phpapp02
Hacktivityonly 121013141039-phpapp02Hacktivityonly 121013141039-phpapp02
Hacktivityonly 121013141039-phpapp02
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
 
Keith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysisKeith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysis
 
PAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLERPAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLER
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Adversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsAdversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The Pros
 
Adversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the ProsAdversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the Pros
 
Hacklu2011 tricaud
Hacklu2011 tricaudHacklu2011 tricaud
Hacklu2011 tricaud
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS Consolidated
 
Sensepost assessment automation
Sensepost assessment automationSensepost assessment automation
Sensepost assessment automation
 

More from Zoltan Balazs

[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchainZoltan Balazs
 
Web3 + scams = It's a match
Web3 + scams = It's a matchWeb3 + scams = It's a match
Web3 + scams = It's a matchZoltan Balazs
 
Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveZoltan Balazs
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitlandZoltan Balazs
 
[HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking [HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking Zoltan Balazs
 
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitőZoltan Balazs
 
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’sZoltan Balazs
 

More from Zoltan Balazs (11)

[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain
 
MLSEC 2020
MLSEC 2020MLSEC 2020
MLSEC 2020
 
Web3 + scams = It's a match
Web3 + scams = It's a matchWeb3 + scams = It's a match
Web3 + scams = It's a match
 
Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a five
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
 
Sandboxes
SandboxesSandboxes
Sandboxes
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland
 
[HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking [HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking
 
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
 
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 

Recently uploaded (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

Sandbox detection: leak, abuse, test - Hacktivity 2015

  • 1. Sandbox detection: leak, abuse, test In cooperation with CrySyS lab, Budapest 2015
  • 4. root@kali:~# whoami I’m NOT a CEH Creator of the Zombie Browser Toolkit https://github.com/Z6543/ZombieBrowserPack Creator of the HWFW Bypass tool • Idea later(?) implemented by nation state attackers in Duqu 2.0 https://github.com/MRGEffitas/hwfwbypass Invented the idea of encrypted exploit delivery via Diffie- Hellman key exchange, to bypass exploit detection appliances • Recently implemented by Angler and Nuclear exploit kit developers
  • 6. Fun “CYBER” game – win a beer Find one of the following words on the slides, or in a picture, and shout it • Cyberattack • Cyberbank • Cybereye • Cybershima • Cyberphobia • Cybercloud • Cybergeddon • Cyberwarrior • Cybercompliance • Cybercyber • Cyberhacker • CyberCISO • CyberBYOD
  • 7. How may I help you? Are you writing a malware during pentest? Are you developing a new malware analysis sandbox? Are you analyzing malware and don’t know why it is not running on your sandbox? Are you testing malware analysis sandboxes, because you want to buy one? Are you bored and just want to watch a fun presentation?
  • 8. Current malware analysis Static automated – malware is not started • Easy to bypass Dynamic automated – malware is started • This presentation is about this type of analysis Manual • Hard to keep up with daily 200 000 new samples • Analysis can take days, even weeks
  • 9. This is not the sandbox I am talking about today
  • 10. This is still not the sandbox I will talk about today
  • 11. This is the sandbox I want to talk about Malware analysis sandbox Breach detection system A(dvanced) P(ersistent) T(hreats) detector Malware  ?????  alert/report @norsec0de
  • 12. What is my problem with these super cool sandboxes? The problem is sometimes the marketing department price real value There are exceptions
  • 13. New anti APT tools are no silver bullets http://bit.ly/1zZJkth
  • 14. How much $ £ ¥ € does it costs? 10 000 USD - 350 000 USD + yearly maintenance up to 100 000 USD You can buy this “company car” for the same price:
  • 15. Let’s meet the hero of the hour, Trevor the CISO at ACME Co.
  • 16. The Trevor dilemma Trevor wants to protect the network against malware Vendor 1: “We detected the most 0-day exploits last year” Vendor 2: “We are the most expensive, so we are the best” Vendor 3: “We are the cheapest so you can be compliant, and save money” Vendor 4: “Come with us to the strip-club, we pay” Car Vendor 1: “The new model is out, what a nice company car”
  • 18. What about testing the sandbox? There are thousands of aspects of how Trevor can test a malware analysis sandbox Attackers pentesters deploy anti sandbox solutions One part of the test is to check anti anti sandbox solutions implemented in the sandbox • If a lame common malware can evade the dynamic analysis, the solution won’t protect Trevor against (advanced?) targeted attacks
  • 19. Why attackers pentesters evade dynamic analysis via hiding in the shadows? Long engagement • The malware test doesn’t get busted on day one Code reuse in new engagements • You don’t have to reinvent the wheel every time for a new project
  • 20.
  • 21.
  • 22.
  • 23. What’s wrong with the current sandbox detection techniques? Too much focus on virtualization • but handy in targeted attacks! More and more legitimate targets in virtualized environments • but not the CEO on the road Methods already known and flagged as malicious • VmWare IO ports Methods already known, defeated and flagged • ProductID
  • 25.
  • 26. VMWare: SELECT SerialNumber FROM Win32_Bios VirtualBox: Select DeviceID from Win32_PnPEntity Virtualbox detection technique defeated by Tsugumi from VBoxHardenedLoader How Hacking Team malware evades detection when #YourBoySerge is not around
  • 27.
  • 28. No live demo, Serge is not around to help
  • 29. How to interpret results Both “probability of busted” and “sandbox detection effectiveness” is measured Good sandbox detection effectiveness, easily flagged as malicious Normal effectiveness, possible flagged Hard to get flagged as malicious not effective
  • 30. Screen resolution Pro tip Can be used in exploit kits, before exploit How many people browse the web with 800*600, or even 1024*768? Are these people your target? JavaScript screen.width, screen.height works in almost all browser, except Tor browser
  • 31. Screen resolution 43%: 1024x768 – this is a problem 36%: 800x600 – this is an even bigger problem 640x480 – this is just LOL 1024x697 1280x800 1280x960 1680x1050 1916x1066
  • 32. Installed software Python 2.5.1 Tracer PHP 5.3.8 Python winappdbg 1 4 Debugging Tools for Windows x86 Python winappdbg 1 4 Strawberry Perl VMware Tools VEware Tools
  • 33. Running processes on sandboxes C:SandCastletools • FakeServer.exe • FakeHTTPServerFakeHTTPServer.exe • BehaviorDumper.exe C:Python27python.exe C:tslRaptorClient.exe C:mapp_start_foldersnowball.exe > the sample renamed C:toolsdumper.exe C:VxStreamStaticStreamMgr.exe
  • 34. CPU type AMD Opteron tm Processor 3365 – server AMD Phenom tm 9550 Quad Core Processor – server Intel Pentium III Xeon processor – server Intel R Xeon R CPU E5 2620 0 2 00GHz - server Intel Pentium Pro processor - ??? Intel Pentium II processor - ??? Intel R Atom TM CPU D525 1 80GHz – desktop Intel R Core TM 2 Duo CPU T7700 2 40GHz – desktop
  • 35. CPU 2 Most of the time: • Number of Cores 1 Rarely seen in sandboxes: • Number of Cores 2 • Number of Cores 4 (Sandbox in Ukraine)
  • 36. Computer system – which one can be your real target (e.g. CEO) Bochs VirtualBox VMware Virtual Platform KVM X7SPT DF – Supermicro Server Platform MYTUAL MYVTUAL Platform OptiPlex 990 – Dell desktop 4287A72 – Thinkpad P5Q SE – Asus desktop 68% Virtualized, 18% desktop, 14% server
  • 37. Mouse 80% no mouse movement 20% mouse moved X:0 Y:0 X:400 Y:300 X:600 Y:600
  • 38. Memory size 133 730 304 133 734 400 267 894 784 267 952 128 536 330 240 536 403 968 804 765 696 804 818 944 1 073 201 152 1 073 274 880 1 073 328 128 3 219 877 888 4 293 337 088 4 294 500 352
  • 39. Machine name Antony PC C2F3F0B206C14E9 CWS01_23 David PC GOAT WXPSP2B GT FDCCD9A7405D HOME HOME OFF D5F0AC Klone PC CyberEye Machine name as a white-list can be powerful PSPUBWS PC PUBLIC EA8367E7 RON AC13BF686B1 ROOT D SANDBOXA TESPC0 test PC USER201 USERDOMAIN vwinxp maltest WILBERT SC1317
  • 40.
  • 41.
  • 42.
  • 43. Real “user” desktop, busy working Screenshots from torrent Hacked Team c.pozziscreenshots
  • 44. USB Flash Drive Usually: • no pendrive Rarely seen: • 128MB USB2 0FlashDrive USB Device • IPMI Virtual CDROM USB Device • Kingston DataTraveler 2 0 USB Device
  • 45. Printer The only printers in sandboxes: • Default Windows printers • Adobe • Office (Sendnote)
  • 46. Not effective Detect usermode hooking: • DeleteFileW • RegOpenKeyExA Connect to local port 445 Click on messagebox BIOS version
  • 47. Recently modified/created files Based on the folder you are looking at (Desktop, Documents, Appdata, Temp, …) • it is usually less than 3 on sandboxes • a lot more than 3 on desktops Slow 
  • 48. Client IP and reverse DNS See http://avtracker.info/ Magnitude exploit kit: • “The code searches the "banlist" database table for the victim's source IP address. This table contains about 1,400 IP range records belonging to several high profile companies” • Banbyhostname() searches for the presence of the following words in the victim's hostname: "whois", "proxy", "yahoo", "opera", ".mil", ".gov", "google", "demon", "localhost", "dedicated", "hosting", "leaseweb", "cisco" and "bot". • https://www.trustwave.com/Resources/SpiderLabs Blog
  • 49. Where to implement these sandbox detection methods? 1. Automated decision, in the malware • Pro – no info leak about C&C • Con – not everything can be implemented here 2. Automated, on the C&C server • Pro – lot more possibilities • Con – C&C server info leaked 3. Manually, info from the C&C server • Pro – powerful e.g. analyze desktop screenshot • Con – expensive Best approach • Use all three layers, stop execution at first detection
  • 50. Know your victim Are you attacking desktop users but malware starts on XEON processors? Are you targeting a CEO and runs on Pentium II with 128 MByte memory? Desktop user having no printers installed? Desktop user never used USB flash drives? OS uptime is 1 minute?
  • 51. The hard problems – Part 1 Is sleep function simulated? • No (89%) • Sleep for a certain amount of time • Reach timeout limit (5 minutes) • PROFIT • Yes (11%) • Easy to detect • Detect it and quit • PROFIT Solution: • Continuous sandboxing
  • 52. The hard problems – Part 2 Network connection Is there a HTTP connection to the Internet (directly or proxy)? • Yes • Leak some data – e.g. multiple screenshots • Decide on server side • PROFIT • No • If you don’t target airgapped machines, it’s safe to quit • PROFIT • There is one, but it is emulated • Detect it by downloading a known object • Calculate hash • Compare • PROFIT
  • 53. My lessons learned Creating an executable which runs on every malware analysis sandbox is a lot harder than expected • Even when the sample runs on WinXPSp2 – Win8.1 x64 Size limitations • free sandboxes 5 Mbyte Sandbox does not follow child process • sometimes Only one thread executed • was this a manual analysis? Unknown crash • For unknown reason
  • 54. Lessons learned Malware writers (penetration testers) • It is incredibly easy to evade static and dynamic analysis • Manual analysis is hard (or impossible) to defeat • But possible with lot of samples and new tricks on the long run! Sandbox developers • If you are selling your sandbox for $$$, try harder • Dump a real user workstation and keep updated with user behavior • It is hard to do it right, but easy to do it wrong Blue team/defensive side • Test your sandbox before buying • Customize your sandbox to match your desktops • Don’t trust the marketing/sales department • There are some good sandboxes out there!
  • 55. After a good test, Trevor can choose wisely
  • 57. The basics https://github.com/hfiref0x/VMDE https://github.com/hfiref0x/VBoxHardenedLoader http://www.kernelmode.info/forum/viewtopic.php?f=11& t=1911 http://blog.michaelboman.org/2014/01/making virtualbox nearly undetectable.html https://github.com/wmetcalf/buildcuckoo trusty http://avtracker.info/ http://jbremer.org/vmcloak2/ https://www.youtube.com/watch?v=Ez_Gl5D_BV0 https://github.com/Yara- Rules/rules/blob/master/antidebug.yar
  • 58. Hack the planet! One computer at a time … https://github.com/MRGEffitas/Sandbox_tester zoltan.balazs@mrg-effitas.com https://hu.linkedin.com/in/zbalazs Twitter – @zh4ck www.slideshare.net/bz98 Greetz to @CrySySLab, @SpamAndHex JumpESPJump.blogspot.com