SlideShare a Scribd company logo

Freeze Drying for Capturing Environment-Sensitive Malware Alive

FFRI, Inc.
FFRI, Inc.

We propose a set of techniques for "freeze drying" malware and restoring the captured malware to enable live process migration. Our system can capture environment-sensitive malware in-process and run it in an environment other than the infected host. Sophisticated malware, such as Citadel and ZeuS/GameOver, are armed with anti-analysis techniques to prevent running except on an infected host. These malwares detect the execution environment and do not engage in malicious behavior when the current host differs from the infected host. We developed a malware capture system called Sweetspot that can capture malware in-process by using process live migration and mimicking the infected host's environment on the analyzer by means of system call proxies. In addition, Sweetspot can serve as a honeypot and provide dummy data when the malware requests sensitive information. In briefings, we will demonstrate freeze-drying and instant dynamic analysis of real malware.

Technology
1 of 52
Download to read offline
FFRI,Inc. 1 Black Hat Europe 2014 Freeze Drying for Capturing Environment-Sensitive Malware Alive FFRI, Inc. http://www.ffri.jp Yosuke Chubachi Ver 2.00.01
FFRI,Inc. Contents • Background • Idea – Malware migration system for capturing malware alive • Challenges – Process migration – Anti-‐‑‒anti-‐‑‒sandbox arming • Implementation – Overview – IA32 CPU Emulator – Process migration using process-‐‑‒level sandbox – API Proxies for faking an artifact • Conclusions 2
FFRI,Inc. Background • Sophisticated malware arms many anti-‐‑‒ analyze techniques • using targeted attacks, cyber espionages, banking malware • First, we need protection • Second, we are curious about true intention 3
FFRI,Inc. Case study: Citadel • Some citadel detects the execution environment and do not engage in malicious behavior when the current host differs from the infected host[1] – To avoid behavior-‐‑‒based malware detection(like sandbox analysis) • Showing 2 examples – Host-‐‑‒fingerprinting – VM/Sandbox detection 4
FFRI,Inc. Host-fingerprinting • Embedding infected hostʼ’s unique value into execution binary 5 Citadel Unpacker Malicious code Self-rewriting when original malware execution Environment-sensitive Citade l Unpacker Malicious code with host unique value Different signature pattern
FFRI,Inc. Host-fingerprinting(cont’d) • Getting GUID on system drive using the GetVolumeNameForVolumeMountPoint() • Comparing running hostʼ’s GUID value and embedded infected hostʼ’s value • Process executes malicious code if GUID values are consistent 6 Infected host’s GUID(packed) Unpacked GUID Format: {XXXXXXXX-XXXX-XXXX-XXXXXXXX} Unpack Environment-sensitive Citade l Unpacker Malicious code with host unique value
FFRI,Inc. VM/Sandbox detection • Checking processʼ’s product name – like ”*vmware*”, ”*virtualbox” • Scanning specific files and devices – C:popupkiller.exe – C:stimulator.exe – C:TOOLSexecute.exe – .NPF_̲NdisWanIp – .HGFS – .vmci – .VBoxGuest 7
FFRI,Inc. Citadel behavior of host/environment inconsistency • For example: – Process termination – Running fake(or harmless) code 8
FFRI,Inc. Citadel runtime activities 9 Initialization Scouting Malicious Behavior Memory Persistent unpack storage Environment-awareness Network Host fingerprinting Malicious code execution Code injection Connecting CC server Unauthorized Access
FFRI,Inc. • I assume that scouting code carry out before main malicious routine 10 Initialization (unpack) Anti-analyzing malicious routine Not really matter A serious matter
FFRI,Inc. Idea • Security analyst or incident handler concentrate malicious activity observation if he migrate malware process from infected host to analyzing environment( or honeypot) when anti-‐‑‒analyzing behavior 11 Malware Malware End-user’s Host Analyzing Environment migration
FFRI,Inc. Use Case Ⅰ: Malware live capturing • End-‐‑‒users execute suspicious executable files anyway • Capturing system will suspend program if to detect anti-‐‑‒analyzing behavior • Malware analysts may observe to concentrate malicious activities 12 Initialization Anti-analyzing malicious routine End-user’s Host Analyzing Environment
FFRI,Inc. Use Case Ⅱ: Honeypot • Faking an artifact of the target host – To deceive cyber espionage malware 13 Brokering Resource Request End-user’s Host Malware Dummy Information Environmental Artifacts Analyzing Environment Sensitive Information Environmental Artifacts
FFRI,Inc. Challenges Ⅰ PROCESS MIGRATION 14
FFRI,Inc. Challenges 1. Process migration is very difficult (well-‐‑‒known) – Needs to migrate execution contexts, memory contexts, persistent contexts and related kernel objects – Environment sensitivity 15 user-space kernel-space Host A Target Process Runtime Libraries Runtime’ Libraries’ Host B FILE HEAP SOCK Target Process’ Memory Context ’ Execution Context ’ Memory Context Execution Context Kernel Objects Entities FILE? HEAP? SOCK? Migration
FFRI,Inc. Off-topic: Virtual Machine migration • VM migration is a practical way of process migration between hosts 16 Target Process Host on VM Target Process Host on VM VMM(Host A ) VMM(Host B )
FFRI,Inc. VM migration is too much larger • Too many resources are migrated for malware analyzing • VM solution forces additional system to end-‐‑‒ users and employer – Increasing complexity, Maintainability and cost 17
FFRI,Inc. Our solution: Using process-level sandbox • CPU emulator-‐‑‒based sandbox is convenient for process migration – Grubbed all contexts – User-‐‑‒mode emulator virtualize process related kernel objects 18
FFRI,Inc. CPU emulator-based sandbox 19 Target Process Memory Context Execution Context Runtime Libraries FILE HEAP user-space kernel-space Kernel Objects Entities Bare-metal Host Execution Context user-space kernel-space Target Process Memory Context Runtime Libraries (Virtualized) Runtime Libraries FILE HEAP Sandbox Kernel Objects Entities (virtualized) Bare-metal Host
FFRI,Inc. Process migration using CPU emulator-based sandbox 20 Target’ Process Memory Context ’ FILE’ HEAP’ Host B Migration user-space kernel-space Target Process Memory Context Runtime Libraries (Virtualized) FILE HEAP Host A Runtime Libraries Sandbox Kernel Objects Entities (virtualized) Execution Context user-space kernel-space Runtime Libraries Sandbox Runtime Libraries (Virtualized) Execution Context ’
FFRI,Inc. Malware freeze-drying • Sandbox suspends target program when a trigger event occurred • A suspended trigger is anti-‐‑‒analyzing behavior[2] 21 user-space kernel-space Target Process Memory Context Runtime Libraries (Virtualized) Runtime Libraries FILE HEAP Sandbox Kernel Objects Entities (virtualized) Execution Context Serialize Packed Living Malware
FFRI,Inc. Live malware defrosting • Sandbox resumed packed living malware • Reconstructing address gaps 22 user-space kernel-space Living Malware Memory Context Runtime Libraries Runtime Libraries FILE HEAP Sandbox Kernel Objects Entities Execution Context De-serialize Packed Living Malware
FFRI,Inc. But… • Migrated malware will probably executes anti-‐‑‒analyzing(anti-‐‑‒sandbox) continuously • The system needs anti-‐‑‒anti-‐‑‒sandbox arming 23
FFRI,Inc. Challenges(updated) 1. Process migration is very difficult →Using CPU emulator-‐‑‒based sandbox 2. Arming against anti-‐‑‒sandbox 24
FFRI,Inc. Challenges Ⅱ ANTI-ANTI-SANDBOX ARMING 25
FFRI,Inc. Taxonomy of anti-sandbox techniques • Anti-‐‑‒sandbox maneuver – Stalling code [3] – Environment awareness [4][5] • Using result of sandbox detection – (User interaction checks) • Sandbox (debug/sandbox/vm) detection – Artifact fingerprinting[5][6] – Execution incongruousness[7][8] – Platform stimulation[9][10] 26
FFRI,Inc. Stalling code • Evasive malware[2] often uses – A sandbox limits malware execution time • Stalling code detection and avoiding techniques already proposed[3] 27 unsigned count, t; void helper() { t = GetTickCount(); t++; t++; t = GetTickCount(); } void delay() { count=0x1; do { helper(); // equal nop count++; } while (count!=0xe4e1c1); } Stalling code in W32.DelfInj [3]
FFRI,Inc. Environment awareness • Checking host environments • If malware runs decoy routine then it detects analyzerʼ’s sign – Malicious behavior never executed 28 Initialization (unpack) Sandbox(incl. VM) Detection Malicious routine Decoy routine If running on an analyzing environment
FFRI,Inc. Sandbox (debug/sandbox/vm) detection 29 Host Environment aware Malware VM related Artifacts Sandbox specific Artifacts VMM? Hardware Execution Incongruousness Platform Stimulation Artifact Fingerprinting
FFRI,Inc. Artifact Fingerprinting • Sandbox/VM related processes – Like vmware, virtualbox etc. • Sandbox/VM environment specific files • Sandbox/VM environment specific registry keys • Sandbox/VM environment specific devices and its attributes – ex). QEMU HDD vendor name • Sandbox/VM Specific I/O port – VMWare backdoor port is most famous artifact in malware 30
FFRI,Inc. Execution Incongruousness • Using clock count differential – Traditional anti-‐‑‒debug technique • Redpill[8] – Using LDT/GDT and IDT incongruousness 31 Comparing two TSC differentials
FFRI,Inc. Platform stimulation • Using virtual machine implementation differentials – Like CPUID instruction result – Interesting research here: Cardinal Pill Testing[9] 32
FFRI,Inc. Our solution: Anti-anti-sandbox arming • Hiding an artifact using API proxies • Stalling code detection and evasion(future work) – Following prior works • Faithful CPU emulation(future work) – Following prior works and showing GUTS 33 API Proxies End-user’s Host Malware Dummy Information Environmental Artifacts Analyzing Environment Sensitive Information Environmental Artifacts
FFRI,Inc. IMPLEMENTATION 34
FFRI,Inc. Sweetspot Overview 35 • Sweetspot have two sandbox, Freeze-‐‑‒drying Sandbox and Defroster Sandbox • Sandboxes are based on IA-‐‑‒32 CPU emulator Target’ Process Memory Context ’ Runtime Libraries (Virtualized) Execution Context ’ FILE’ HEAP’ Host B Migration Execution Context user-space kernel-space Target Process Memory Context Runtime Libraries (Virtualized) FILE HEAP Host A Runtime Libraries Freeze-dryer Sandbox user-space kernel-space Runtime Libraries Defroster Sandbox
FFRI,Inc. IA-32 CPU emulator-based sandbox • We have already CPU Emulator-‐‑‒based sandbox for win32 execution (in-‐‑‒house use) – Like IDA Bochs PE operation mode[11] 36 Target Program (loaded) Decode Execution CPU Emulator Instruction Fetch Address Resolution Applying Execution Result
FFRI,Inc. IA-32 CPU Emulator: Virtual contexts 37 Virtual Process Contexts Virtual Module(DLL) Contexts Virtual Resources (handle) Contexts Virtual Heap Contexts CPU Emulator Process Data Code Target Process Virtual CPU Contexts Target Process’s VA Space contexts DLLs Headers
FFRI,Inc. IA-32 CPU Emulator: API emulation 38 Virtual advapi32.dll Functions CPU Emulator Process kernel32.dl l user32.dl l advapi32.dl l msvcrt.dl l Target Process API Emulation Components DLLs … Virtual kernel32 Functions Virtual user32.dll Functions Virtual msvcrt.dll Functions Virtualized Resource Manager
FFRI,Inc. IA-32 CPU Emulator: Virtual resource handling • File system is almost virtualized • Registry hive is almost virtualized • GUI components and user interaction function is virtualized partially • media components is not virtualized(squashing request) 39
FFRI,Inc. Sweetspot: Malware Live Capturing System • Freeze-‐‑‒dryer Process Memory Image Freeze-dryer Sandbox Process Memory Image Defroster Sandbox – Serializing process contexts and execution file if detected suspend trigger – All malware activity sealed in the sandbox • Defroster – Restoring execution context – Address reconstruction – API-‐‑‒proxies for faking an artifacts 40 FILE HEAP Packed process contexts FILE HEAP
FFRI,Inc. Freeze-dryer • End-‐‑‒user can use like an anti-‐‑‒virusʼ’s file scanner • Freeze dryer serialize process context if detects anti-‐‑‒sandbox behavior occurred – Dumping all VA space anyway • Using msgpack[12] library for serialization 41
FFRI,Inc. Defined suspend trigger (Work in progress) • Specific API-‐‑‒call – GetVolumeNameForVolumeMountPoint() – GetVolumeInformation() • Specific API-‐‑‒call and its arguments – Searching vm-‐‑‒related artifacts • Virtual file system and virtual registry hive except finding sandbox artifacts • Detecting stalling code(WiP) 42
FFRI,Inc. Defroster – Execution replaying 1. Unpacking process contexts(incl. execution file) – Allocating sandboxʼ’s heap 2. Loading execution file before entry point 3. Restoring current process context from unpacked contexts – Remapping address in unpacked process contexts • Covering all virtual address space 43
FFRI,Inc. Demo: Process migrated! 44
FFRI,Inc. API Proxies • Malware can access specified directories on Defroster – Like %APPDATA% • API Proxies enable to provide arbitrarily resources for malware 45 (fake) FILE A user-space kernel-space Host B Malware Runtime Libraries faking Defroster (Real) FILE B API Proxy can injection (Real) Process can access
FFRI,Inc. Anti anti sandbox arming using API Proxies • Defroster performs play innocent with sandbox/vm related artifacts – No vm-‐‑‒related artifact exist in sandboxʼ’s virtual file system and virtual registry hive • For faking an artifacts – Fake artifacts mounting virtual file system before malware resuming 46
FFRI,Inc. Limitations • The original CPU emulator supports a limited API – ex). Cannot CreateProcess and CreateThread • The original CPU emulator supports a limited CPU instruction – ex). Cannot complete emulation with SSE instruction • Anti-‐‑‒anti sandbox implementation is not enough • API Proxies not supported Network API(winsock2) yet 47
FFRI,Inc. Demonstrations • Simple program (incl. heap and handle migration) • Anti-‐‑‒anti-‐‑‒sandbox PoC • (Real environment-‐‑‒sensitive malware) 48
FFRI,Inc. Future work • Improving anti-‐‑‒sandbox detection and anti anti-‐‑‒sandbox – Stalling code detection and evasion – More faithful CPU/API emulation • Improving API proxies utility • Defroster-‐‑‒based stealth debugger 49
FFRI,Inc. Conclusions • This is proof of concept of live malware capturing using process migration with CPU emulator-‐‑‒based sandbox • We introduced anti-‐‑‒sandbox taxonomy and proposed API-‐‑‒proxy based countering approach 50
FFRI,Inc. References • [1]: Analyzing Environment-Aware Malware, Lastline, 2014.05.25(viewed) http://labs.lastline.com/analyzing-environment-aware-malware-a-look-at-zeus-trojan-variant-called-citadel-evading-traditional-sandboxes • [2]: Martina Lindorfer, Clemens Kolbitsch, and Paolo Milani Comparetti. 2011. Detecting environment-sensitive malware. In Proceedings of the 14th international conference on Recent Advances in Intrusion Detection (RAID'11). Springer-Verlag, Berlin, Heidelberg, 338-357. • [3]: lemens Kolbitsch, Engin Kirda, and Christopher Kruegel. 2011. The power of procrastination: detection and mitigation of execution-stalling malicious code. In Proceedings of the 18th ACM conference on Computer and communications security (CCS '11). ACM, New York, NY, USA, 285-296. • [4]: Min Gyung Kang, Heng Yin, Steve Hanna, Stephen McCamant, and Dawn Song. 2009. Emulating emulation-resistant malware. In Proceedings of the 1st ACM workshop on Virtual machine security (VMSec '09). ACM, New York, NY, USA, 11-22. • [5]: Dhilung Kirat, Giovanni Vigna, and Christopher Kruegel. 2014. Barecloud: bare-metal analysis-based evasive malware detection. In Proceedings of the 23rd USENIX conference on Security Symposium (SEC'14). USENIX Association, Berkeley, CA, USA, 287-301. • [6]: Ulrich Bayer, Imam Habibi, Davide Balzarotti, Engin Kirda, and Christopher Kruegel. 2009. A view on current malware behaviors. In Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more (LEET'09). USENIX Association, Berkeley, CA, USA, 8-8. • [7]: Aurélien Wailly. Malware vs Virtualization The endless cat and mouse play, 2014.05.25(viewed) http://aurelien.wail.ly/publications/hip-2013-slides.html • [8]: Lorenzo Martignoni, Roberto Paleari, Giampaolo Fresi Roglia, and Danilo Bruschi. 2009. Testing CPU emulators. In Proceedings of the eighteenth international symposium on Software testing and analysis (ISSTA '09). ACM, New York, NY, USA, 261-272. • [9]: Hao Shi, Abdulla Alwabel and Jelena Mirkovic. 2014. Cardinal Pill Testing of System Virtual Machines. In Proceedings of the 23rd USENIX conference on Security Symposium (SEC'14). USENIX Association, Berkeley, CA, USA,271-285. • [10]: Lorenzo Martignoni, Roberto Paleari, Giampaolo Fresi Roglia, and Danilo Bruschi. 2010. Testing system virtual machines. In Proceedings of the 19th international symposium on Software testing and analysis (ISSTA '10). ACM, New York, NY, USA, 171-182. • [11]: IDA Boch PE operation mode https://www.hex-rays.com/products/ida/support/idadoc/1332.shtml • [12]: MessagePack, 2014/09/28(viewed) http://msgpack.org/ 51
FFRI,Inc. 52 Thank you ! FFRI, Inc. http://www.ffri.jp Yosuke Chubachi chubachi@ffri.jp

Recommended

TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
FFRI, Inc.
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
E Hacking
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
Aj MaChInE
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
enSilo
 
When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4
月锋 李
 
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
gree_tech
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CanSecWest
 

Recommended

TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
FFRI, Inc.
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
E Hacking
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
Aj MaChInE
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
enSilo
 
When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4
月锋 李
 
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
gree_tech
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CanSecWest
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
zeroSteiner
 
Malware analysis using volatility
Malware analysis using volatilityMalware analysis using volatility
Malware analysis using volatility
Yashashree Gund
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
Dimitry Snezhkov
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
Andrew Case
 
Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel Bugs
Jiahong Fang
 
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat Security Conference
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CanSecWest
 
LISA2010 visualizations
LISA2010 visualizationsLISA2010 visualizations
LISA2010 visualizations
Brendan Gregg
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr Brown
zeroSteiner
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with Volatility
Andrew Case
 
Libpcap
LibpcapLibpcap
Libpcap
liu qiang
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
zeroSteiner
 
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
The Linux Foundation
 
Kernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologiesKernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologies
Anne Nicolas
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old Secrets
Brendan Gregg
 
Linux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLinux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshop
Lubomir Rintel
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel Hacking
Develer S.r.l.
 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat Security Conference
 
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-SlidesUS-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
Abhishek Singh
 
Mr201309 automated on-execute_test_using_virtual_box_eng
Mr201309 automated on-execute_test_using_virtual_box_engMr201309 automated on-execute_test_using_virtual_box_eng
Mr201309 automated on-execute_test_using_virtual_box_eng
FFRI, Inc.
 

More Related Content

What's hot

Malware analysis using volatility
Malware analysis using volatilityMalware analysis using volatility
Malware analysis using volatility
Yashashree Gund
 
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat Security Conference
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CanSecWest
 
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
The Linux Foundation
 
Kernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologiesKernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologies
Anne Nicolas
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE
 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat Security Conference
 

What's hot (20)

Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
 
Malware analysis using volatility
Malware analysis using volatilityMalware analysis using volatility
Malware analysis using volatility
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
 
Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel Bugs
 
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiled
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
 
LISA2010 visualizations
LISA2010 visualizationsLISA2010 visualizations
LISA2010 visualizations
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr Brown
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with Volatility
 
Libpcap
LibpcapLibpcap
Libpcap
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
 
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
 
Kernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologiesKernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologies
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old Secrets
 
Linux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLinux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshop
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel Hacking
 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without device
 

Similar to Freeze Drying for Capturing Environment-Sensitive Malware Alive

US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-SlidesUS-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
Abhishek Singh
 
Mr201309 automated on-execute_test_using_virtual_box_eng
Mr201309 automated on-execute_test_using_virtual_box_engMr201309 automated on-execute_test_using_virtual_box_eng
Mr201309 automated on-execute_test_using_virtual_box_eng
FFRI, Inc.
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
Priyanka Aash
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
Aditya K Sood
 
Project Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxProject Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docx
briancrawford30935
 

Similar to Freeze Drying for Capturing Environment-Sensitive Malware Alive (20)

US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-SlidesUS-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
 
Mr201309 automated on-execute_test_using_virtual_box_eng
Mr201309 automated on-execute_test_using_virtual_box_engMr201309 automated on-execute_test_using_virtual_box_eng
Mr201309 automated on-execute_test_using_virtual_box_eng
 
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
 
Project Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxProject Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docx
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
 
2018 02 20-jeg_index
2018 02 20-jeg_index2018 02 20-jeg_index
2018 02 20-jeg_index
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for public
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
 
Zerovm backgroud
Zerovm backgroudZerovm backgroud
Zerovm backgroud
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
MR201405 A Survey of Environment Sensitive Malware
MR201405 A Survey of Environment Sensitive MalwareMR201405 A Survey of Environment Sensitive Malware
MR201405 A Survey of Environment Sensitive Malware
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
 
BonFIRE: features, sites and tools
BonFIRE: features, sites and toolsBonFIRE: features, sites and tools
BonFIRE: features, sites and tools
 
Fortinet sandboxing
Fortinet sandboxingFortinet sandboxing
Fortinet sandboxing
 

More from FFRI, Inc.

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
FFRI, Inc.
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
FFRI, Inc.
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
FFRI, Inc.
 

More from FFRI, Inc. (20)

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
 

Recently uploaded

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Freeze Drying for Capturing Environment-Sensitive Malware Alive

  • 1. FFRI,Inc. 1 Black Hat Europe 2014 Freeze Drying for Capturing Environment-Sensitive Malware Alive FFRI, Inc. http://www.ffri.jp Yosuke Chubachi Ver 2.00.01
  • 2. FFRI,Inc. Contents • Background • Idea – Malware migration system for capturing malware alive • Challenges – Process migration – Anti-‐‑‒anti-‐‑‒sandbox arming • Implementation – Overview – IA32 CPU Emulator – Process migration using process-‐‑‒level sandbox – API Proxies for faking an artifact • Conclusions 2
  • 3. FFRI,Inc. Background • Sophisticated malware arms many anti-‐‑‒ analyze techniques • using targeted attacks, cyber espionages, banking malware • First, we need protection • Second, we are curious about true intention 3
  • 4. FFRI,Inc. Case study: Citadel • Some citadel detects the execution environment and do not engage in malicious behavior when the current host differs from the infected host[1] – To avoid behavior-‐‑‒based malware detection(like sandbox analysis) • Showing 2 examples – Host-‐‑‒fingerprinting – VM/Sandbox detection 4
  • 5. FFRI,Inc. Host-fingerprinting • Embedding infected hostʼ’s unique value into execution binary 5 Citadel Unpacker Malicious code Self-rewriting when original malware execution Environment-sensitive Citade l Unpacker Malicious code with host unique value Different signature pattern
  • 6. FFRI,Inc. Host-fingerprinting(cont’d) • Getting GUID on system drive using the GetVolumeNameForVolumeMountPoint() • Comparing running hostʼ’s GUID value and embedded infected hostʼ’s value • Process executes malicious code if GUID values are consistent 6 Infected host’s GUID(packed) Unpacked GUID Format: {XXXXXXXX-XXXX-XXXX-XXXXXXXX} Unpack Environment-sensitive Citade l Unpacker Malicious code with host unique value
  • 7. FFRI,Inc. VM/Sandbox detection • Checking processʼ’s product name – like ”*vmware*”, ”*virtualbox” • Scanning specific files and devices – C:popupkiller.exe – C:stimulator.exe – C:TOOLSexecute.exe – .NPF_̲NdisWanIp – .HGFS – .vmci – .VBoxGuest 7
  • 8. FFRI,Inc. Citadel behavior of host/environment inconsistency • For example: – Process termination – Running fake(or harmless) code 8
  • 9. FFRI,Inc. Citadel runtime activities 9 Initialization Scouting Malicious Behavior Memory Persistent unpack storage Environment-awareness Network Host fingerprinting Malicious code execution Code injection Connecting CC server Unauthorized Access
  • 10. FFRI,Inc. • I assume that scouting code carry out before main malicious routine 10 Initialization (unpack) Anti-analyzing malicious routine Not really matter A serious matter
  • 11. FFRI,Inc. Idea • Security analyst or incident handler concentrate malicious activity observation if he migrate malware process from infected host to analyzing environment( or honeypot) when anti-‐‑‒analyzing behavior 11 Malware Malware End-user’s Host Analyzing Environment migration
  • 12. FFRI,Inc. Use Case Ⅰ: Malware live capturing • End-‐‑‒users execute suspicious executable files anyway • Capturing system will suspend program if to detect anti-‐‑‒analyzing behavior • Malware analysts may observe to concentrate malicious activities 12 Initialization Anti-analyzing malicious routine End-user’s Host Analyzing Environment
  • 13. FFRI,Inc. Use Case Ⅱ: Honeypot • Faking an artifact of the target host – To deceive cyber espionage malware 13 Brokering Resource Request End-user’s Host Malware Dummy Information Environmental Artifacts Analyzing Environment Sensitive Information Environmental Artifacts
  • 14. FFRI,Inc. Challenges Ⅰ PROCESS MIGRATION 14
  • 15. FFRI,Inc. Challenges 1. Process migration is very difficult (well-‐‑‒known) – Needs to migrate execution contexts, memory contexts, persistent contexts and related kernel objects – Environment sensitivity 15 user-space kernel-space Host A Target Process Runtime Libraries Runtime’ Libraries’ Host B FILE HEAP SOCK Target Process’ Memory Context ’ Execution Context ’ Memory Context Execution Context Kernel Objects Entities FILE? HEAP? SOCK? Migration
  • 16. FFRI,Inc. Off-topic: Virtual Machine migration • VM migration is a practical way of process migration between hosts 16 Target Process Host on VM Target Process Host on VM VMM(Host A ) VMM(Host B )
  • 17. FFRI,Inc. VM migration is too much larger • Too many resources are migrated for malware analyzing • VM solution forces additional system to end-‐‑‒ users and employer – Increasing complexity, Maintainability and cost 17
  • 18. FFRI,Inc. Our solution: Using process-level sandbox • CPU emulator-‐‑‒based sandbox is convenient for process migration – Grubbed all contexts – User-‐‑‒mode emulator virtualize process related kernel objects 18
  • 19. FFRI,Inc. CPU emulator-based sandbox 19 Target Process Memory Context Execution Context Runtime Libraries FILE HEAP user-space kernel-space Kernel Objects Entities Bare-metal Host Execution Context user-space kernel-space Target Process Memory Context Runtime Libraries (Virtualized) Runtime Libraries FILE HEAP Sandbox Kernel Objects Entities (virtualized) Bare-metal Host
  • 20. FFRI,Inc. Process migration using CPU emulator-based sandbox 20 Target’ Process Memory Context ’ FILE’ HEAP’ Host B Migration user-space kernel-space Target Process Memory Context Runtime Libraries (Virtualized) FILE HEAP Host A Runtime Libraries Sandbox Kernel Objects Entities (virtualized) Execution Context user-space kernel-space Runtime Libraries Sandbox Runtime Libraries (Virtualized) Execution Context ’
  • 21. FFRI,Inc. Malware freeze-drying • Sandbox suspends target program when a trigger event occurred • A suspended trigger is anti-‐‑‒analyzing behavior[2] 21 user-space kernel-space Target Process Memory Context Runtime Libraries (Virtualized) Runtime Libraries FILE HEAP Sandbox Kernel Objects Entities (virtualized) Execution Context Serialize Packed Living Malware
  • 22. FFRI,Inc. Live malware defrosting • Sandbox resumed packed living malware • Reconstructing address gaps 22 user-space kernel-space Living Malware Memory Context Runtime Libraries Runtime Libraries FILE HEAP Sandbox Kernel Objects Entities Execution Context De-serialize Packed Living Malware
  • 23. FFRI,Inc. But… • Migrated malware will probably executes anti-‐‑‒analyzing(anti-‐‑‒sandbox) continuously • The system needs anti-‐‑‒anti-‐‑‒sandbox arming 23
  • 24. FFRI,Inc. Challenges(updated) 1. Process migration is very difficult →Using CPU emulator-‐‑‒based sandbox 2. Arming against anti-‐‑‒sandbox 24
  • 25. FFRI,Inc. Challenges Ⅱ ANTI-ANTI-SANDBOX ARMING 25
  • 26. FFRI,Inc. Taxonomy of anti-sandbox techniques • Anti-‐‑‒sandbox maneuver – Stalling code [3] – Environment awareness [4][5] • Using result of sandbox detection – (User interaction checks) • Sandbox (debug/sandbox/vm) detection – Artifact fingerprinting[5][6] – Execution incongruousness[7][8] – Platform stimulation[9][10] 26
  • 27. FFRI,Inc. Stalling code • Evasive malware[2] often uses – A sandbox limits malware execution time • Stalling code detection and avoiding techniques already proposed[3] 27 unsigned count, t; void helper() { t = GetTickCount(); t++; t++; t = GetTickCount(); } void delay() { count=0x1; do { helper(); // equal nop count++; } while (count!=0xe4e1c1); } Stalling code in W32.DelfInj [3]
  • 28. FFRI,Inc. Environment awareness • Checking host environments • If malware runs decoy routine then it detects analyzerʼ’s sign – Malicious behavior never executed 28 Initialization (unpack) Sandbox(incl. VM) Detection Malicious routine Decoy routine If running on an analyzing environment
  • 29. FFRI,Inc. Sandbox (debug/sandbox/vm) detection 29 Host Environment aware Malware VM related Artifacts Sandbox specific Artifacts VMM? Hardware Execution Incongruousness Platform Stimulation Artifact Fingerprinting
  • 30. FFRI,Inc. Artifact Fingerprinting • Sandbox/VM related processes – Like vmware, virtualbox etc. • Sandbox/VM environment specific files • Sandbox/VM environment specific registry keys • Sandbox/VM environment specific devices and its attributes – ex). QEMU HDD vendor name • Sandbox/VM Specific I/O port – VMWare backdoor port is most famous artifact in malware 30
  • 31. FFRI,Inc. Execution Incongruousness • Using clock count differential – Traditional anti-‐‑‒debug technique • Redpill[8] – Using LDT/GDT and IDT incongruousness 31 Comparing two TSC differentials
  • 32. FFRI,Inc. Platform stimulation • Using virtual machine implementation differentials – Like CPUID instruction result – Interesting research here: Cardinal Pill Testing[9] 32
  • 33. FFRI,Inc. Our solution: Anti-anti-sandbox arming • Hiding an artifact using API proxies • Stalling code detection and evasion(future work) – Following prior works • Faithful CPU emulation(future work) – Following prior works and showing GUTS 33 API Proxies End-user’s Host Malware Dummy Information Environmental Artifacts Analyzing Environment Sensitive Information Environmental Artifacts
  • 35. FFRI,Inc. Sweetspot Overview 35 • Sweetspot have two sandbox, Freeze-‐‑‒drying Sandbox and Defroster Sandbox • Sandboxes are based on IA-‐‑‒32 CPU emulator Target’ Process Memory Context ’ Runtime Libraries (Virtualized) Execution Context ’ FILE’ HEAP’ Host B Migration Execution Context user-space kernel-space Target Process Memory Context Runtime Libraries (Virtualized) FILE HEAP Host A Runtime Libraries Freeze-dryer Sandbox user-space kernel-space Runtime Libraries Defroster Sandbox
  • 36. FFRI,Inc. IA-32 CPU emulator-based sandbox • We have already CPU Emulator-‐‑‒based sandbox for win32 execution (in-‐‑‒house use) – Like IDA Bochs PE operation mode[11] 36 Target Program (loaded) Decode Execution CPU Emulator Instruction Fetch Address Resolution Applying Execution Result
  • 37. FFRI,Inc. IA-32 CPU Emulator: Virtual contexts 37 Virtual Process Contexts Virtual Module(DLL) Contexts Virtual Resources (handle) Contexts Virtual Heap Contexts CPU Emulator Process Data Code Target Process Virtual CPU Contexts Target Process’s VA Space contexts DLLs Headers
  • 38. FFRI,Inc. IA-32 CPU Emulator: API emulation 38 Virtual advapi32.dll Functions CPU Emulator Process kernel32.dl l user32.dl l advapi32.dl l msvcrt.dl l Target Process API Emulation Components DLLs … Virtual kernel32 Functions Virtual user32.dll Functions Virtual msvcrt.dll Functions Virtualized Resource Manager
  • 39. FFRI,Inc. IA-32 CPU Emulator: Virtual resource handling • File system is almost virtualized • Registry hive is almost virtualized • GUI components and user interaction function is virtualized partially • media components is not virtualized(squashing request) 39
  • 40. FFRI,Inc. Sweetspot: Malware Live Capturing System • Freeze-‐‑‒dryer Process Memory Image Freeze-dryer Sandbox Process Memory Image Defroster Sandbox – Serializing process contexts and execution file if detected suspend trigger – All malware activity sealed in the sandbox • Defroster – Restoring execution context – Address reconstruction – API-‐‑‒proxies for faking an artifacts 40 FILE HEAP Packed process contexts FILE HEAP
  • 41. FFRI,Inc. Freeze-dryer • End-‐‑‒user can use like an anti-‐‑‒virusʼ’s file scanner • Freeze dryer serialize process context if detects anti-‐‑‒sandbox behavior occurred – Dumping all VA space anyway • Using msgpack[12] library for serialization 41
  • 42. FFRI,Inc. Defined suspend trigger (Work in progress) • Specific API-‐‑‒call – GetVolumeNameForVolumeMountPoint() – GetVolumeInformation() • Specific API-‐‑‒call and its arguments – Searching vm-‐‑‒related artifacts • Virtual file system and virtual registry hive except finding sandbox artifacts • Detecting stalling code(WiP) 42
  • 43. FFRI,Inc. Defroster – Execution replaying 1. Unpacking process contexts(incl. execution file) – Allocating sandboxʼ’s heap 2. Loading execution file before entry point 3. Restoring current process context from unpacked contexts – Remapping address in unpacked process contexts • Covering all virtual address space 43
  • 44. FFRI,Inc. Demo: Process migrated! 44
  • 45. FFRI,Inc. API Proxies • Malware can access specified directories on Defroster – Like %APPDATA% • API Proxies enable to provide arbitrarily resources for malware 45 (fake) FILE A user-space kernel-space Host B Malware Runtime Libraries faking Defroster (Real) FILE B API Proxy can injection (Real) Process can access
  • 46. FFRI,Inc. Anti anti sandbox arming using API Proxies • Defroster performs play innocent with sandbox/vm related artifacts – No vm-‐‑‒related artifact exist in sandboxʼ’s virtual file system and virtual registry hive • For faking an artifacts – Fake artifacts mounting virtual file system before malware resuming 46
  • 47. FFRI,Inc. Limitations • The original CPU emulator supports a limited API – ex). Cannot CreateProcess and CreateThread • The original CPU emulator supports a limited CPU instruction – ex). Cannot complete emulation with SSE instruction • Anti-‐‑‒anti sandbox implementation is not enough • API Proxies not supported Network API(winsock2) yet 47
  • 48. FFRI,Inc. Demonstrations • Simple program (incl. heap and handle migration) • Anti-‐‑‒anti-‐‑‒sandbox PoC • (Real environment-‐‑‒sensitive malware) 48
  • 49. FFRI,Inc. Future work • Improving anti-‐‑‒sandbox detection and anti anti-‐‑‒sandbox – Stalling code detection and evasion – More faithful CPU/API emulation • Improving API proxies utility • Defroster-‐‑‒based stealth debugger 49
  • 50. FFRI,Inc. Conclusions • This is proof of concept of live malware capturing using process migration with CPU emulator-‐‑‒based sandbox • We introduced anti-‐‑‒sandbox taxonomy and proposed API-‐‑‒proxy based countering approach 50
  • 51. FFRI,Inc. References • [1]: Analyzing Environment-Aware Malware, Lastline, 2014.05.25(viewed) http://labs.lastline.com/analyzing-environment-aware-malware-a-look-at-zeus-trojan-variant-called-citadel-evading-traditional-sandboxes • [2]: Martina Lindorfer, Clemens Kolbitsch, and Paolo Milani Comparetti. 2011. Detecting environment-sensitive malware. In Proceedings of the 14th international conference on Recent Advances in Intrusion Detection (RAID'11). Springer-Verlag, Berlin, Heidelberg, 338-357. • [3]: lemens Kolbitsch, Engin Kirda, and Christopher Kruegel. 2011. The power of procrastination: detection and mitigation of execution-stalling malicious code. In Proceedings of the 18th ACM conference on Computer and communications security (CCS '11). ACM, New York, NY, USA, 285-296. • [4]: Min Gyung Kang, Heng Yin, Steve Hanna, Stephen McCamant, and Dawn Song. 2009. Emulating emulation-resistant malware. In Proceedings of the 1st ACM workshop on Virtual machine security (VMSec '09). ACM, New York, NY, USA, 11-22. • [5]: Dhilung Kirat, Giovanni Vigna, and Christopher Kruegel. 2014. Barecloud: bare-metal analysis-based evasive malware detection. In Proceedings of the 23rd USENIX conference on Security Symposium (SEC'14). USENIX Association, Berkeley, CA, USA, 287-301. • [6]: Ulrich Bayer, Imam Habibi, Davide Balzarotti, Engin Kirda, and Christopher Kruegel. 2009. A view on current malware behaviors. In Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more (LEET'09). USENIX Association, Berkeley, CA, USA, 8-8. • [7]: Aurélien Wailly. Malware vs Virtualization The endless cat and mouse play, 2014.05.25(viewed) http://aurelien.wail.ly/publications/hip-2013-slides.html • [8]: Lorenzo Martignoni, Roberto Paleari, Giampaolo Fresi Roglia, and Danilo Bruschi. 2009. Testing CPU emulators. In Proceedings of the eighteenth international symposium on Software testing and analysis (ISSTA '09). ACM, New York, NY, USA, 261-272. • [9]: Hao Shi, Abdulla Alwabel and Jelena Mirkovic. 2014. Cardinal Pill Testing of System Virtual Machines. In Proceedings of the 23rd USENIX conference on Security Symposium (SEC'14). USENIX Association, Berkeley, CA, USA,271-285. • [10]: Lorenzo Martignoni, Roberto Paleari, Giampaolo Fresi Roglia, and Danilo Bruschi. 2010. Testing system virtual machines. In Proceedings of the 19th international symposium on Software testing and analysis (ISSTA '10). ACM, New York, NY, USA, 171-182. • [11]: IDA Boch PE operation mode https://www.hex-rays.com/products/ida/support/idadoc/1332.shtml • [12]: MessagePack, 2014/09/28(viewed) http://msgpack.org/ 51
  • 52. FFRI,Inc. 52 Thank you ! FFRI, Inc. http://www.ffri.jp Yosuke Chubachi chubachi@ffri.jp