SlideShare a Scribd company logo

One Flaw over the Cuckoo's Nest

Iñaki Rodríguez
Iñaki Rodríguez

Talk about how could be possible to improve Cuckoo integrating instrumentalization tools like PIN (Intel) and evade some anti-vm malware.

Technology
1 of 71
Download to read offline
One FlAw over the Cuckoo’s Nest I˜naki Rodr´ıguez-Gast´on†, Ricardo J. Rodr´ıguez‡ « All wrongs reversed inaki@sensepost.com, rjrodriguez@fi.upm.es @virtualminds es ※ @RicardoJRdez †SensePost ‡Universidad Polit´ecnica de Madrid London, UK Madrid, Spain 1 de Noviembre, 2013 No cON Name 2013 Barcelona (Espa˜na)
$whoarewe $whoarewe: command not found CLS member (2001) Ph.D. by UZ (2013) Working for UPM Trainee @ NcN, RootedCON, HIP Speaker @ NcN, HackLU, RootedCON, STIC CCN, HIP CISSP, CEH, GWAPT Security analyst @ SensePost Malware lover mlw.re staff Trainee @ 44CON . . . I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 2 / 39
Agenda Outline 1 Motivation 2 Previous Concepts Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework 3 On the Anti-VMs & Anti-Sandboxing Techniques VM Detection Sandboxing detection 4 Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Introducing PinVMShield 5 Case Study: the pafish tool 6 Related Work 7 Conclusions and Future Work I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 3 / 39
Motivation Outline 1 Motivation 2 Previous Concepts Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework 3 On the Anti-VMs & Anti-Sandboxing Techniques VM Detection Sandboxing detection 4 Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Introducing PinVMShield 5 Case Study: the pafish tool 6 Related Work 7 Conclusions and Future Work I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 4 / 39
Motivation Motivation (I) Malware are increasing in number and complexity Targeted attacks also grown (specially industry and government espionage) How do we currently fight against malware? Firstly, to understand how a sample works (what is it doing?) Then, to figure out how it can be removed Lastly, to avoid future infections (can we detect it again?) I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 5 / 39
Motivation Motivation (II) Figuring out what it is doing. . . Manual analysis Intensive Time-consuming I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 6 / 39
Motivation Motivation (II) Figuring out what it is doing. . . Manual analysis Intensive Time-consuming Good if you are paid per working hour ¨⌣ Automatic analysis Just take a seat, and relax. . . Real problem here: automation of malware analysis tasks I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 6 / 39
Motivation Motivation (II) Figuring out what it is doing. . . Manual analysis Intensive Time-consuming Good if you are paid per working hour ¨⌣ Automatic analysis Just take a seat, and relax. . . Real problem here: automation of malware analysis tasks Only manual analysis for weird (or interesting) samples I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 6 / 39
Motivation Motivation (III) Sandbox Environments Computer resources are tightly controlled and monitored Current trending of malware analysis Commercial and free-license solutions Sandboxie JoeBox CWSandbox Cuckoo Sandbox PyBox Virtual Machine and Sandbox: a good combination I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 7 / 39
Motivation Motivation (III) Sandbox Environments Computer resources are tightly controlled and monitored Current trending of malware analysis Commercial and free-license solutions Sandboxie JoeBox CWSandbox Cuckoo Sandbox PyBox Virtual Machine and Sandbox: a good combination Do malware samples detect VMs/sandbox environments? I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 7 / 39
Motivation Motivation (III) Sandbox Environments Computer resources are tightly controlled and monitored Current trending of malware analysis Commercial and free-license solutions Sandboxie JoeBox CWSandbox Cuckoo Sandbox PyBox Virtual Machine and Sandbox: a good combination Do malware samples detect VMs/sandbox environments? Yes, they do. I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 7 / 39
Motivation Motivation (IV) Can we avoid the detection of a VMs/sandbox environment? I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 8 / 39
Motivation Motivation (IV) Can we avoid the detection of a VMs/sandbox environment? Yes, we can! (at least, we should try. . . ) I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 8 / 39
Motivation Motivation (IV) Can we avoid the detection of a VMs/sandbox environment? Yes, we can! (at least, we should try. . . ) We’re gonna do it in a fancy way. . . using Dynamic Binary Instrumentation ⌣¨ Dynamic Binary Instrumentation (DBI) Analyse the runtime behaviour of a binary Executes arbitrary code during normal execution of a binary I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 8 / 39
Motivation Motivation (V) Why DBI? Its advantages Binary instrumentation: advantages Programming language (totally) independent Machine-mode vision We can instrument proprietary software I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 9 / 39
Motivation Motivation (V) Why DBI? Its advantages Binary instrumentation: advantages Programming language (totally) independent Machine-mode vision We can instrument proprietary software Dynamic Instrumentation: advantages No need to recompile/relink each time Allow to find on-the-fly code Dynamically generated code Allow to instrument a process in execution already (attach) I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 9 / 39
Motivation Motivation (VI) Why DBI? Its disadvantages Main disadvantages Overhead (by the instrumentation during execution) + performance (analyst hopelessness!) Single execution path analysed I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 10 / 39
Motivation Motivation (VII) Summary of contributions Our goal in this work Develop a Dynamic Binary Analysis (DBA) tool Integrated with Cuckoo Sandbox I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 11 / 39
Motivation Motivation (VII) Summary of contributions Our goal in this work Develop a Dynamic Binary Analysis (DBA) tool Integrated with Cuckoo Sandbox Protects Cuckoo for being detected. . . I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 11 / 39
Motivation Motivation (VII) Summary of contributions Our goal in this work Develop a Dynamic Binary Analysis (DBA) tool Integrated with Cuckoo Sandbox Protects Cuckoo for being detected. . . . . . and also for (some) VMs detection I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 11 / 39
Previous Concepts Outline 1 Motivation 2 Previous Concepts Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework 3 On the Anti-VMs & Anti-Sandboxing Techniques VM Detection Sandboxing detection 4 Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Introducing PinVMShield 5 Case Study: the pafish tool 6 Related Work 7 Conclusions and Future Work I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 12 / 39
Previous Concepts Cuckoo Sandbox Cuckoo Sandbox (I) What is Cuckoo Sandbox? Automated malware analysis tool Written in Python Reporting system (API calls, registry access, network activity) Extensible OpenSource I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 13 / 39
Previous Concepts Cuckoo Sandbox Cuckoo Sandbox (II) Sample.exe (Suspended) cuckoo.py agent.py analyzer.py TCP socket (8000) Drop file submit.py web.py api.py packages (exe.py) .PIPErandom string Executes procces and injects cuckoomon.dll Cuckoomon.dll (Random name) Sample.exe API call resultserver Results from the analysis I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 14 / 39
Previous Concepts Dynamic Binary Instrumentation: The Pin Framework Dynamic Binary Instrumentation: The Pin Framework (I) http://www.pintools.org What is Pin? Framework designed by Intel Allows to build easy-to-use, portable, transparent and efficient instrumentation tools (DBA, or Pintools) Recall: instrumentation enables the execution of arbitrary code during run-time of a binary Extensive API for doing whatever you can imagine Used for things like: Instruction profiling Performance evaluation Bug detection And malware analysis (here we are ¨⌣) I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 15 / 39
Previous Concepts Dynamic Binary Instrumentation: The Pin Framework Dynamic Binary Instrumentation: The Pin Framework (II) How does Pin work? I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 16 / 39
On the Anti-VMs & Anti-Sandboxing Techniques Outline 1 Motivation 2 Previous Concepts Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework 3 On the Anti-VMs & Anti-Sandboxing Techniques VM Detection Sandboxing detection 4 Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Introducing PinVMShield 5 Case Study: the pafish tool 6 Related Work 7 Conclusions and Future Work I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 17 / 39
On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (I) How can an execution inside a VM be detected? I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 18 / 39
On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (I) How can an execution inside a VM be detected? Detection ways Seek VME artifacts in processes, system files and/or registry I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 18 / 39
On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (I) How can an execution inside a VM be detected? Detection ways Seek VME artifacts in processes, system files and/or registry Seek VME artifacts in memory I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 18 / 39
On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (I) How can an execution inside a VM be detected? Detection ways Seek VME artifacts in processes, system files and/or registry Seek VME artifacts in memory Seek specific features of virtualised hardware I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 18 / 39
On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (I) How can an execution inside a VM be detected? Detection ways Seek VME artifacts in processes, system files and/or registry Seek VME artifacts in memory Seek specific features of virtualised hardware Seek CPU instructions specific to VME I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 18 / 39
On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (II) Artifacts in processes, system files and/or registry Some examples VMWare “VMTools” service References in system files to “VMWare” and vmx References in the registry to “VMWare” VirtualBox VBoxService.exe process (“VirtualBoxGuestAdditions”) References in the registry to “VBox” MS Virtual PC vmsrvc.exe, vpcmap.exe, vmusrvc.exe processes References in the registry to “Virtual” I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 19 / 39
On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (III) Artifacts in memory The Red Pill Software developed by Joanna Rutkwoska, 2004 Uses the SIDT instruction (Store Interrupt Descriptor Table) VMWare: IDT in 0xFFxxxxxx VirtualPC: IDT in 0xE8xxxxxx In real machines: Windows (0x80FFFFFF), Linux (0xC0FFFFFF) Other options: GDT, LDT GDT, LDT also displaced in virtual environments Scoopy tool (http://www.trapkit.de) (IDT == 0xC0) || IDT == 0x80 GDT == 0xC0 LDT == 0x00 I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 20 / 39
On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (V) Specific features of virtualised hardware Specific virtualised hardware Network controller USBs controller Host controller . . . I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 21 / 39
On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (V) Specific features of virtualised hardware Specific virtualised hardware Network controller USBs controller Host controller . . . Seek specific “fingerprints” SCSI device type Network controller MAC Host controller type . . . I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 21 / 39
On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (V) Specific features of virtualised hardware Specific virtualised hardware Network controller USBs controller Host controller . . . Seek specific “fingerprints” SCSI device type Network controller MAC Host controller type . . . Doo tool (also seeks Class IDs in the registry) I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 21 / 39
On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (VI) CPU instructions specific to VME Some VMs add/use own instructions to communicate host/guest I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 22 / 39
On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (VI) CPU instructions specific to VME Some VMs add/use own instructions to communicate host/guest Seek host/guest communication channel I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 22 / 39
On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (VI) CPU instructions specific to VME Some VMs add/use own instructions to communicate host/guest Seek host/guest communication channel Jerry tool VMDetect tool I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 22 / 39
On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (VI) CPU instructions specific to VME Some VMs add/use own instructions to communicate host/guest Seek host/guest communication channel Jerry tool VMDetect tool Magic number. . . CONSTANT (WTF!) mov eax, 564D5868h ; “VMXh” mov ebx, 0 mov ecx, 0Ah mov edx, 5658 ; “VX” in eax, dx cmp ebx, 564D5868h I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 22 / 39
On the Anti-VMs & Anti-Sandboxing Techniques Sandboxing detection On the Anti-VMs & Anti-Sandboxing Techniques (VIII) Sandbox Binary execution in controlled environment Examples: Sandboxie, Norman Sandbox Analyser, Anubis, Cuckoo, WinJail. . . They have some common and recognisable issues: DLLs loaded Read of ProductID key Windows username (API GetUserName) Window handle (API FindWindow) I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 23 / 39
Mixing Cuckoo Sandbox and Pin DBI Outline 1 Motivation 2 Previous Concepts Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework 3 On the Anti-VMs & Anti-Sandboxing Techniques VM Detection Sandboxing detection 4 Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Introducing PinVMShield 5 Case Study: the pafish tool 6 Related Work 7 Conclusions and Future Work I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 24 / 39
Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Mixing Cuckoo Sandbox and Pin DBI (I) Every file has a package Best place for the integration: Attaching Pin to the suspended process Directly executing the sample with Pin Pin and cuckoomon together I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 25 / 39
Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Mixing Cuckoo Sandbox and Pin DBI (II) Attach to suspended process agent.py analyzer.py Drop file API call packages (exe.py) .PIPErandom string Executes procces and injects cuckoomon.dll PIN (Attach) Cuckoomon.dll (Random name) PIN Sample.exe Sample.exe (Suspended) Attach PIN to the sample I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 26 / 39
Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Mixing Cuckoo Sandbox and Pin DBI (III) Pin integrated into a package agent.py analyzer.py Drop file API call packages (exe.py) .PIPErandom string Executes procces and injects cuckoomon.dll PIN (Suspended) Cuckoomon.dll (Random name) PIN Sample.exe Sample.exe I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 27 / 39
Mixing Cuckoo Sandbox and Pin DBI Introducing PinVMShield Mixing Cuckoo Sandbox and Pin DBI (IV) Introducing PinVMShield (1) <<Interface>> Pin main(argc : int, argv[] : char*) : int Fini(code : INT32, *v : void) : void common logFilename : char* = "file.out" logFile : FILE* stristr(*s1 : char, *s2 : char) : *char printMessage(*msg : char) : void PinWrapperWinAPI PinVMShield #funcName[MAX_LENGTH_FUNCNAME] : char Image(img : IMG, *v : void) #isTryingToDetectVMs(*s : char) : bool #FindRTNByNameA(img : IMG) : RTN #FindRTNByNameW(img : IMG) : RTN #GetPrototypeFunctionA() : PROTO #GetPrototypeFunctionW() : PROTO #GetPrototypeFunction(*funcName : char) : PROTO #ReplaceFunctionSignature(rtn: RTN, proto: PROTO) : void vWinAPIs 0..* WrapperGetModuleHandle -myGetModuleHandle(orig: AFUNPTR, lpModuleName: LPCTSTR, *ctx: CONTEXT): HMODULE WrapperProcess32FirstAndNext -myProcess32FirstAndNext(orig: AFUNPTR, hSnapshot: HANDLE, *ctx: CONTEXT, lppe: LPPROCESSENTRY32) : bool I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 28 / 39
Mixing Cuckoo Sandbox and Pin DBI Introducing PinVMShield Mixing Cuckoo Sandbox and Pin DBI (...): our Tool Introducing PinVMShield (2) APIs fooled GetUserNameA/W GetUserNameExA/W RegQueryValueA/W RegQueryValueExA/W RegOpenKeyA/W RegOpenKeyExA/W GetModuleHandleA/W GetModuleHandleExA/W GetFileAttributesA/W Process32First / Process32Next FindWindowA/W FindWindowExA/W CreateFileA/W CreateNamedPipeA/W GetCursorPos Alpha version available for download: (soon) https://bitbucket.org/rjrodriguez/pinvmshield/ I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 29 / 39
Case Study: the pafish tool Outline 1 Motivation 2 Previous Concepts Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework 3 On the Anti-VMs & Anti-Sandboxing Techniques VM Detection Sandboxing detection 4 Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Introducing PinVMShield 5 Case Study: the pafish tool 6 Related Work 7 Conclusions and Future Work I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 30 / 39
Case Study: the pafish tool Case Study: the pafish tool (I) Tool that incorporates several detections for vms and sandboxing Developed by Alberto Ortega In v.0.2.5.1 (the one of case study): Generic Sandbox Sandboxie QEMU Wine VirtualBox VMWare I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 31 / 39
Case Study: the pafish tool Case Study: the pafish tool (I) Tool that incorporates several detections for vms and sandboxing Developed by Alberto Ortega In v.0.2.5.1 (the one of case study): Generic Sandbox Sandboxie QEMU Wine VirtualBox VMWare Do you wanna know more about the blue fish? I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 31 / 39
Case Study: the pafish tool Case Study: the pafish tool (I) Tool that incorporates several detections for vms and sandboxing Developed by Alberto Ortega In v.0.2.5.1 (the one of case study): Generic Sandbox Sandboxie QEMU Wine VirtualBox VMWare Do you wanna know more about the blue fish? ! attend Alberto’s session! (tomorrow afternoon) I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 31 / 39
Case Study: the pafish tool Case Study: the pafish tool (II) It’s demo time! I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 32 / 39
Related Work Outline 1 Motivation 2 Previous Concepts Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework 3 On the Anti-VMs & Anti-Sandboxing Techniques VM Detection Sandboxing detection 4 Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Introducing PinVMShield 5 Case Study: the pafish tool 6 Related Work 7 Conclusions and Future Work I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 33 / 39
Related Work Related Work (I) CWSandox Sandbox environment Three design criteria: automation, effectiveness and correctness Performs a dynamic analysis API hooking I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 34 / 39
Related Work Related Work (I) CWSandox Sandbox environment Three design criteria: automation, effectiveness and correctness Performs a dynamic analysis API hooking It is detected by sandbox detection techniques I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 34 / 39
Related Work Related Work (II) Sandbox + DBI Pin as DBI framework Own-created sandbox environment Two execution environments: Testing: binary execution is traced. Traces are checked against some security policies Real: binary execution is monitored avoiding harmful behaviours I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 35 / 39
Related Work Related Work (II) Sandbox + DBI Pin as DBI framework Own-created sandbox environment Two execution environments: Testing: binary execution is traced. Traces are checked against some security policies Real: binary execution is monitored avoiding harmful behaviours Our solution also monitors the execution but. . . I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 35 / 39
Related Work Related Work (II) Sandbox + DBI Pin as DBI framework Own-created sandbox environment Two execution environments: Testing: binary execution is traced. Traces are checked against some security policies Real: binary execution is monitored avoiding harmful behaviours Our solution also monitors the execution but. . . besides avoids sandbox detection! I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 35 / 39
Conclusions and Future Work Outline 1 Motivation 2 Previous Concepts Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework 3 On the Anti-VMs & Anti-Sandboxing Techniques VM Detection Sandboxing detection 4 Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Introducing PinVMShield 5 Case Study: the pafish tool 6 Related Work 7 Conclusions and Future Work I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 36 / 39
Conclusions and Future Work Conclusions and Future Work (I) PinVMShield Integrated with Cuckoo Sandbox I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 37 / 39
Conclusions and Future Work Conclusions and Future Work (I) PinVMShield Integrated with Cuckoo Sandbox X Avoids Cuckoo (and other) detections commonly realised by malware I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 37 / 39
Conclusions and Future Work Conclusions and Future Work (I) PinVMShield Integrated with Cuckoo Sandbox X Avoids Cuckoo (and other) detections commonly realised by malware X Not currently detected! ⌣¨ I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 37 / 39
Conclusions and Future Work Conclusions and Future Work (I) PinVMShield Integrated with Cuckoo Sandbox X Avoids Cuckoo (and other) detections commonly realised by malware X Not currently detected! ⌣¨ X Main drawback: runtime I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 37 / 39
Conclusions and Future Work Conclusions and Future Work (I) PinVMShield Integrated with Cuckoo Sandbox X Avoids Cuckoo (and other) detections commonly realised by malware X Not currently detected! ⌣¨ X Main drawback: runtime X Coding C++ is like a pain in the ass I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 37 / 39
Conclusions and Future Work Conclusions and Future Work (I) PinVMShield Integrated with Cuckoo Sandbox X Avoids Cuckoo (and other) detections commonly realised by malware X Not currently detected! ⌣¨ X Main drawback: runtime X Coding C++ is like a pain in the ass We do have more control on malware (binary) execution I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 37 / 39
Conclusions and Future Work Conclusions and Future Work (II) Future Work Find a logo Stand-alone app Improve anti-detection techniques (not only hooking. . . ) I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 38 / 39
Conclusions and Future Work Conclusions and Future Work (II) Future Work Find a logo Stand-alone app Improve anti-detection techniques (not only hooking. . . ) Replace (totally) cuckoomon.dll I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 38 / 39
Conclusions and Future Work Conclusions and Future Work (II) Future Work Find a logo Stand-alone app Improve anti-detection techniques (not only hooking. . . ) Replace (totally) cuckoomon.dll Add anti-DBI techniques I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 38 / 39
Conclusions and Future Work Conclusions and Future Work (II) Future Work Find a logo Stand-alone app Improve anti-detection techniques (not only hooking. . . ) Replace (totally) cuckoomon.dll Add anti-DBI techniques Test in real malware samples I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 38 / 39
Conclusions and Future Work Conclusions and Future Work (II) Future Work Find a logo Stand-alone app Improve anti-detection techniques (not only hooking. . . ) Replace (totally) cuckoomon.dll Add anti-DBI techniques Test in real malware samples Acknowledgments Alberto Ortega (pafish) NcN staff I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 38 / 39
One FlAw over the Cuckoo’s Nest I˜naki Rodr´ıguez-Gast´on†, Ricardo J. Rodr´ıguez‡ « All wrongs reversed inaki@sensepost.com, rjrodriguez@fi.upm.es @virtualminds es ※ @RicardoJRdez †SensePost ‡Universidad Polit´ecnica de Madrid London, UK Madrid, Spain 1 de Noviembre, 2013 No cON Name 2013 Barcelona (Espa˜na)

Recommended

Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortHacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortVincent Ohprecio
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...RootedCON
 
Pay attention to that man behind the curtain: Current state of Hacking Back
Pay attention to that man behind the curtain: Current state of Hacking BackPay attention to that man behind the curtain: Current state of Hacking Back
Pay attention to that man behind the curtain: Current state of Hacking Backx0rz x0rz
 
Some things about LAN device detection
Some things about LAN device detectionSome things about LAN device detection
Some things about LAN device detectionCanaan Kao
 
Using Pin++ to Author Highly Configurable Pintools for Pin
Using Pin++ to Author Highly Configurable Pintools for PinUsing Pin++ to Author Highly Configurable Pintools for Pin
Using Pin++ to Author Highly Configurable Pintools for PinJames Hill
 
Project report
Project reportProject report
Project reportArijit Roy
 
44Con Malware Workshop
44Con Malware Workshop44Con Malware Workshop
44Con Malware WorkshopIñaki Rodríguez
 
Authentication: keys, MAC
Authentication: keys, MACAuthentication: keys, MAC
Authentication: keys, MACShafaan Khaliq Bhatti
 

Recommended

Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortHacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortVincent Ohprecio
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...RootedCON
 
Pay attention to that man behind the curtain: Current state of Hacking Back
Pay attention to that man behind the curtain: Current state of Hacking BackPay attention to that man behind the curtain: Current state of Hacking Back
Pay attention to that man behind the curtain: Current state of Hacking Backx0rz x0rz
 
Some things about LAN device detection
Some things about LAN device detectionSome things about LAN device detection
Some things about LAN device detectionCanaan Kao
 
Using Pin++ to Author Highly Configurable Pintools for Pin
Using Pin++ to Author Highly Configurable Pintools for PinUsing Pin++ to Author Highly Configurable Pintools for Pin
Using Pin++ to Author Highly Configurable Pintools for PinJames Hill
 
Project report
Project reportProject report
Project reportArijit Roy
 
44Con Malware Workshop
44Con Malware Workshop44Con Malware Workshop
44Con Malware WorkshopIñaki Rodríguez
 
Authentication: keys, MAC
Authentication: keys, MACAuthentication: keys, MAC
Authentication: keys, MACShafaan Khaliq Bhatti
 
Introduction to malware analysis with Cuckoo Sandbox
Introduction to malware analysis with Cuckoo SandboxIntroduction to malware analysis with Cuckoo Sandbox
Introduction to malware analysis with Cuckoo Sandboxsysinsider
 
Protocols for Public Key Management
Protocols for Public Key ManagementProtocols for Public Key Management
Protocols for Public Key ManagementShafaan Khaliq Bhatti
 
Treat Detection using Hadoop
Treat Detection using HadoopTreat Detection using Hadoop
Treat Detection using HadoopDataWorks Summit
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
 
key distribution in network security
key distribution in network securitykey distribution in network security
key distribution in network securitybabak danyal
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!F _
 
Intro to Malware Analysis
Intro to Malware AnalysisIntro to Malware Analysis
Intro to Malware Analysiswremes
 
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James EC-Council
 
Smart Cards & Devices Forum 2012 - Smart Phones Security
Smart Cards & Devices Forum 2012 - Smart Phones SecuritySmart Cards & Devices Forum 2012 - Smart Phones Security
Smart Cards & Devices Forum 2012 - Smart Phones SecurityOKsystem
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for ActivistsGreg Stromire
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...Hafez Kamal
 
Guy Podjarmy - Secure Node Code
Guy Podjarmy - Secure Node CodeGuy Podjarmy - Secure Node Code
Guy Podjarmy - Secure Node CodeDevSecCon
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploitsvirtualabs
 
Keeping hundreds of code repositories consistent, and staying sane by Vincent...
Keeping hundreds of code repositories consistent, and staying sane by Vincent...Keeping hundreds of code repositories consistent, and staying sane by Vincent...
Keeping hundreds of code repositories consistent, and staying sane by Vincent...Agile India
 
Honeypot seminar report
Honeypot seminar reportHoneypot seminar report
Honeypot seminar reportInder NeGi
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid usCsaba Fitzl
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinPhillip Maddux
 
MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler Cyphort
 
MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler Marci Bontadelli
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Maksim Shudrak
 

More Related Content

Viewers also liked

Introduction to malware analysis with Cuckoo Sandbox
Introduction to malware analysis with Cuckoo SandboxIntroduction to malware analysis with Cuckoo Sandbox
Introduction to malware analysis with Cuckoo Sandboxsysinsider
 
Treat Detection using Hadoop
Treat Detection using HadoopTreat Detection using Hadoop
Treat Detection using HadoopDataWorks Summit
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
 
key distribution in network security
key distribution in network securitykey distribution in network security
key distribution in network securitybabak danyal
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 

Viewers also liked (6)

Introduction to malware analysis with Cuckoo Sandbox
Introduction to malware analysis with Cuckoo SandboxIntroduction to malware analysis with Cuckoo Sandbox
Introduction to malware analysis with Cuckoo Sandbox
 
Protocols for Public Key Management
Protocols for Public Key ManagementProtocols for Public Key Management
Protocols for Public Key Management
 
Treat Detection using Hadoop
Treat Detection using HadoopTreat Detection using Hadoop
Treat Detection using Hadoop
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
 
key distribution in network security
key distribution in network securitykey distribution in network security
key distribution in network security
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 

Similar to One Flaw over the Cuckoo's Nest

HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!F _
 
Intro to Malware Analysis
Intro to Malware AnalysisIntro to Malware Analysis
Intro to Malware Analysiswremes
 
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James EC-Council
 
Smart Cards & Devices Forum 2012 - Smart Phones Security
Smart Cards & Devices Forum 2012 - Smart Phones SecuritySmart Cards & Devices Forum 2012 - Smart Phones Security
Smart Cards & Devices Forum 2012 - Smart Phones SecurityOKsystem
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for ActivistsGreg Stromire
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...Hafez Kamal
 
Guy Podjarmy - Secure Node Code
Guy Podjarmy - Secure Node CodeGuy Podjarmy - Secure Node Code
Guy Podjarmy - Secure Node CodeDevSecCon
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploitsvirtualabs
 
Keeping hundreds of code repositories consistent, and staying sane by Vincent...
Keeping hundreds of code repositories consistent, and staying sane by Vincent...Keeping hundreds of code repositories consistent, and staying sane by Vincent...
Keeping hundreds of code repositories consistent, and staying sane by Vincent...Agile India
 
Honeypot seminar report
Honeypot seminar reportHoneypot seminar report
Honeypot seminar reportInder NeGi
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid usCsaba Fitzl
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinPhillip Maddux
 
MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler Cyphort
 
MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler Marci Bontadelli
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Maksim Shudrak
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest Haydn Johnson
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 

Similar to One Flaw over the Cuckoo's Nest (20)

HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!
 
Intro to Malware Analysis
Intro to Malware AnalysisIntro to Malware Analysis
Intro to Malware Analysis
 
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James
 
Smart Cards & Devices Forum 2012 - Smart Phones Security
Smart Cards & Devices Forum 2012 - Smart Phones SecuritySmart Cards & Devices Forum 2012 - Smart Phones Security
Smart Cards & Devices Forum 2012 - Smart Phones Security
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for Activists
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
 
Guy Podjarmy - Secure Node Code
Guy Podjarmy - Secure Node CodeGuy Podjarmy - Secure Node Code
Guy Podjarmy - Secure Node Code
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
 
Keeping hundreds of code repositories consistent, and staying sane by Vincent...
Keeping hundreds of code repositories consistent, and staying sane by Vincent...Keeping hundreds of code repositories consistent, and staying sane by Vincent...
Keeping hundreds of code repositories consistent, and staying sane by Vincent...
 
Honeypot seminar report
Honeypot seminar reportHoneypot seminar report
Honeypot seminar report
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
 
MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler
 
MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
Understand study
Understand studyUnderstand study
Understand study
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 

More from Iñaki Rodríguez

Seguridad en Internet para 6 Primaria Nuevo
Seguridad en Internet para 6 Primaria NuevoSeguridad en Internet para 6 Primaria Nuevo
Seguridad en Internet para 6 Primaria NuevoIñaki Rodríguez
 
Seguridad internet para niños
Seguridad internet para niñosSeguridad internet para niños
Seguridad internet para niñosIñaki Rodríguez
 
Seguridad internet para padres y madres (AMPAs)
Seguridad internet para padres y madres (AMPAs)Seguridad internet para padres y madres (AMPAs)
Seguridad internet para padres y madres (AMPAs)Iñaki Rodríguez
 

More from Iñaki Rodríguez (7)

Seguridad en Internet para 6 Primaria Nuevo
Seguridad en Internet para 6 Primaria NuevoSeguridad en Internet para 6 Primaria Nuevo
Seguridad en Internet para 6 Primaria Nuevo
 
Seguridad en Internet v2
Seguridad en Internet v2Seguridad en Internet v2
Seguridad en Internet v2
 
Seguridad internet para niños
Seguridad internet para niñosSeguridad internet para niños
Seguridad internet para niños
 
Seguridad internet para padres y madres (AMPAs)
Seguridad internet para padres y madres (AMPAs)Seguridad internet para padres y madres (AMPAs)
Seguridad internet para padres y madres (AMPAs)
 
APT - A Pretty Trojan
APT - A Pretty TrojanAPT - A Pretty Trojan
APT - A Pretty Trojan
 
Show me your kung fuzz
Show me your kung fuzzShow me your kung fuzz
Show me your kung fuzz
 
Mysql Motores
Mysql MotoresMysql Motores
Mysql Motores
 

Recently uploaded

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 

Recently uploaded (20)

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 

One Flaw over the Cuckoo's Nest

  • 1. One FlAw over the Cuckoo’s Nest I˜naki Rodr´ıguez-Gast´on†, Ricardo J. Rodr´ıguez‡ « All wrongs reversed inaki@sensepost.com, rjrodriguez@fi.upm.es @virtualminds es ※ @RicardoJRdez †SensePost ‡Universidad Polit´ecnica de Madrid London, UK Madrid, Spain 1 de Noviembre, 2013 No cON Name 2013 Barcelona (Espa˜na)
  • 2. $whoarewe $whoarewe: command not found CLS member (2001) Ph.D. by UZ (2013) Working for UPM Trainee @ NcN, RootedCON, HIP Speaker @ NcN, HackLU, RootedCON, STIC CCN, HIP CISSP, CEH, GWAPT Security analyst @ SensePost Malware lover mlw.re staff Trainee @ 44CON . . . I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 2 / 39
  • 3. Agenda Outline 1 Motivation 2 Previous Concepts Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework 3 On the Anti-VMs & Anti-Sandboxing Techniques VM Detection Sandboxing detection 4 Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Introducing PinVMShield 5 Case Study: the pafish tool 6 Related Work 7 Conclusions and Future Work I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 3 / 39
  • 4. Motivation Outline 1 Motivation 2 Previous Concepts Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework 3 On the Anti-VMs & Anti-Sandboxing Techniques VM Detection Sandboxing detection 4 Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Introducing PinVMShield 5 Case Study: the pafish tool 6 Related Work 7 Conclusions and Future Work I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 4 / 39
  • 5. Motivation Motivation (I) Malware are increasing in number and complexity Targeted attacks also grown (specially industry and government espionage) How do we currently fight against malware? Firstly, to understand how a sample works (what is it doing?) Then, to figure out how it can be removed Lastly, to avoid future infections (can we detect it again?) I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 5 / 39
  • 6. Motivation Motivation (II) Figuring out what it is doing. . . Manual analysis Intensive Time-consuming I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 6 / 39
  • 7. Motivation Motivation (II) Figuring out what it is doing. . . Manual analysis Intensive Time-consuming Good if you are paid per working hour ¨⌣ Automatic analysis Just take a seat, and relax. . . Real problem here: automation of malware analysis tasks I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 6 / 39
  • 8. Motivation Motivation (II) Figuring out what it is doing. . . Manual analysis Intensive Time-consuming Good if you are paid per working hour ¨⌣ Automatic analysis Just take a seat, and relax. . . Real problem here: automation of malware analysis tasks Only manual analysis for weird (or interesting) samples I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 6 / 39
  • 9. Motivation Motivation (III) Sandbox Environments Computer resources are tightly controlled and monitored Current trending of malware analysis Commercial and free-license solutions Sandboxie JoeBox CWSandbox Cuckoo Sandbox PyBox Virtual Machine and Sandbox: a good combination I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 7 / 39
  • 10. Motivation Motivation (III) Sandbox Environments Computer resources are tightly controlled and monitored Current trending of malware analysis Commercial and free-license solutions Sandboxie JoeBox CWSandbox Cuckoo Sandbox PyBox Virtual Machine and Sandbox: a good combination Do malware samples detect VMs/sandbox environments? I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 7 / 39
  • 11. Motivation Motivation (III) Sandbox Environments Computer resources are tightly controlled and monitored Current trending of malware analysis Commercial and free-license solutions Sandboxie JoeBox CWSandbox Cuckoo Sandbox PyBox Virtual Machine and Sandbox: a good combination Do malware samples detect VMs/sandbox environments? Yes, they do. I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 7 / 39
  • 12. Motivation Motivation (IV) Can we avoid the detection of a VMs/sandbox environment? I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 8 / 39
  • 13. Motivation Motivation (IV) Can we avoid the detection of a VMs/sandbox environment? Yes, we can! (at least, we should try. . . ) I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 8 / 39
  • 14. Motivation Motivation (IV) Can we avoid the detection of a VMs/sandbox environment? Yes, we can! (at least, we should try. . . ) We’re gonna do it in a fancy way. . . using Dynamic Binary Instrumentation ⌣¨ Dynamic Binary Instrumentation (DBI) Analyse the runtime behaviour of a binary Executes arbitrary code during normal execution of a binary I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 8 / 39
  • 15. Motivation Motivation (V) Why DBI? Its advantages Binary instrumentation: advantages Programming language (totally) independent Machine-mode vision We can instrument proprietary software I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 9 / 39
  • 16. Motivation Motivation (V) Why DBI? Its advantages Binary instrumentation: advantages Programming language (totally) independent Machine-mode vision We can instrument proprietary software Dynamic Instrumentation: advantages No need to recompile/relink each time Allow to find on-the-fly code Dynamically generated code Allow to instrument a process in execution already (attach) I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 9 / 39
  • 17. Motivation Motivation (VI) Why DBI? Its disadvantages Main disadvantages Overhead (by the instrumentation during execution) + performance (analyst hopelessness!) Single execution path analysed I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 10 / 39
  • 18. Motivation Motivation (VII) Summary of contributions Our goal in this work Develop a Dynamic Binary Analysis (DBA) tool Integrated with Cuckoo Sandbox I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 11 / 39
  • 19. Motivation Motivation (VII) Summary of contributions Our goal in this work Develop a Dynamic Binary Analysis (DBA) tool Integrated with Cuckoo Sandbox Protects Cuckoo for being detected. . . I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 11 / 39
  • 20. Motivation Motivation (VII) Summary of contributions Our goal in this work Develop a Dynamic Binary Analysis (DBA) tool Integrated with Cuckoo Sandbox Protects Cuckoo for being detected. . . . . . and also for (some) VMs detection I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 11 / 39
  • 21. Previous Concepts Outline 1 Motivation 2 Previous Concepts Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework 3 On the Anti-VMs & Anti-Sandboxing Techniques VM Detection Sandboxing detection 4 Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Introducing PinVMShield 5 Case Study: the pafish tool 6 Related Work 7 Conclusions and Future Work I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 12 / 39
  • 22. Previous Concepts Cuckoo Sandbox Cuckoo Sandbox (I) What is Cuckoo Sandbox? Automated malware analysis tool Written in Python Reporting system (API calls, registry access, network activity) Extensible OpenSource I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 13 / 39
  • 23. Previous Concepts Cuckoo Sandbox Cuckoo Sandbox (II) Sample.exe (Suspended) cuckoo.py agent.py analyzer.py TCP socket (8000) Drop file submit.py web.py api.py packages (exe.py) .PIPErandom string Executes procces and injects cuckoomon.dll Cuckoomon.dll (Random name) Sample.exe API call resultserver Results from the analysis I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 14 / 39
  • 24. Previous Concepts Dynamic Binary Instrumentation: The Pin Framework Dynamic Binary Instrumentation: The Pin Framework (I) http://www.pintools.org What is Pin? Framework designed by Intel Allows to build easy-to-use, portable, transparent and efficient instrumentation tools (DBA, or Pintools) Recall: instrumentation enables the execution of arbitrary code during run-time of a binary Extensive API for doing whatever you can imagine Used for things like: Instruction profiling Performance evaluation Bug detection And malware analysis (here we are ¨⌣) I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 15 / 39
  • 25. Previous Concepts Dynamic Binary Instrumentation: The Pin Framework Dynamic Binary Instrumentation: The Pin Framework (II) How does Pin work? I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 16 / 39
  • 26. On the Anti-VMs & Anti-Sandboxing Techniques Outline 1 Motivation 2 Previous Concepts Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework 3 On the Anti-VMs & Anti-Sandboxing Techniques VM Detection Sandboxing detection 4 Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Introducing PinVMShield 5 Case Study: the pafish tool 6 Related Work 7 Conclusions and Future Work I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 17 / 39
  • 27. On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (I) How can an execution inside a VM be detected? I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 18 / 39
  • 28. On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (I) How can an execution inside a VM be detected? Detection ways Seek VME artifacts in processes, system files and/or registry I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 18 / 39
  • 29. On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (I) How can an execution inside a VM be detected? Detection ways Seek VME artifacts in processes, system files and/or registry Seek VME artifacts in memory I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 18 / 39
  • 30. On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (I) How can an execution inside a VM be detected? Detection ways Seek VME artifacts in processes, system files and/or registry Seek VME artifacts in memory Seek specific features of virtualised hardware I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 18 / 39
  • 31. On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (I) How can an execution inside a VM be detected? Detection ways Seek VME artifacts in processes, system files and/or registry Seek VME artifacts in memory Seek specific features of virtualised hardware Seek CPU instructions specific to VME I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 18 / 39
  • 32. On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (II) Artifacts in processes, system files and/or registry Some examples VMWare “VMTools” service References in system files to “VMWare” and vmx References in the registry to “VMWare” VirtualBox VBoxService.exe process (“VirtualBoxGuestAdditions”) References in the registry to “VBox” MS Virtual PC vmsrvc.exe, vpcmap.exe, vmusrvc.exe processes References in the registry to “Virtual” I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 19 / 39
  • 33. On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (III) Artifacts in memory The Red Pill Software developed by Joanna Rutkwoska, 2004 Uses the SIDT instruction (Store Interrupt Descriptor Table) VMWare: IDT in 0xFFxxxxxx VirtualPC: IDT in 0xE8xxxxxx In real machines: Windows (0x80FFFFFF), Linux (0xC0FFFFFF) Other options: GDT, LDT GDT, LDT also displaced in virtual environments Scoopy tool (http://www.trapkit.de) (IDT == 0xC0) || IDT == 0x80 GDT == 0xC0 LDT == 0x00 I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 20 / 39
  • 34. On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (V) Specific features of virtualised hardware Specific virtualised hardware Network controller USBs controller Host controller . . . I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 21 / 39
  • 35. On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (V) Specific features of virtualised hardware Specific virtualised hardware Network controller USBs controller Host controller . . . Seek specific “fingerprints” SCSI device type Network controller MAC Host controller type . . . I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 21 / 39
  • 36. On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (V) Specific features of virtualised hardware Specific virtualised hardware Network controller USBs controller Host controller . . . Seek specific “fingerprints” SCSI device type Network controller MAC Host controller type . . . Doo tool (also seeks Class IDs in the registry) I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 21 / 39
  • 37. On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (VI) CPU instructions specific to VME Some VMs add/use own instructions to communicate host/guest I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 22 / 39
  • 38. On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (VI) CPU instructions specific to VME Some VMs add/use own instructions to communicate host/guest Seek host/guest communication channel I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 22 / 39
  • 39. On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (VI) CPU instructions specific to VME Some VMs add/use own instructions to communicate host/guest Seek host/guest communication channel Jerry tool VMDetect tool I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 22 / 39
  • 40. On the Anti-VMs & Anti-Sandboxing Techniques VM Detection On the Anti-VMs & Anti-Sandboxing Techniques (VI) CPU instructions specific to VME Some VMs add/use own instructions to communicate host/guest Seek host/guest communication channel Jerry tool VMDetect tool Magic number. . . CONSTANT (WTF!) mov eax, 564D5868h ; “VMXh” mov ebx, 0 mov ecx, 0Ah mov edx, 5658 ; “VX” in eax, dx cmp ebx, 564D5868h I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 22 / 39
  • 41. On the Anti-VMs & Anti-Sandboxing Techniques Sandboxing detection On the Anti-VMs & Anti-Sandboxing Techniques (VIII) Sandbox Binary execution in controlled environment Examples: Sandboxie, Norman Sandbox Analyser, Anubis, Cuckoo, WinJail. . . They have some common and recognisable issues: DLLs loaded Read of ProductID key Windows username (API GetUserName) Window handle (API FindWindow) I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 23 / 39
  • 42. Mixing Cuckoo Sandbox and Pin DBI Outline 1 Motivation 2 Previous Concepts Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework 3 On the Anti-VMs & Anti-Sandboxing Techniques VM Detection Sandboxing detection 4 Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Introducing PinVMShield 5 Case Study: the pafish tool 6 Related Work 7 Conclusions and Future Work I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 24 / 39
  • 43. Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Mixing Cuckoo Sandbox and Pin DBI (I) Every file has a package Best place for the integration: Attaching Pin to the suspended process Directly executing the sample with Pin Pin and cuckoomon together I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 25 / 39
  • 44. Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Mixing Cuckoo Sandbox and Pin DBI (II) Attach to suspended process agent.py analyzer.py Drop file API call packages (exe.py) .PIPErandom string Executes procces and injects cuckoomon.dll PIN (Attach) Cuckoomon.dll (Random name) PIN Sample.exe Sample.exe (Suspended) Attach PIN to the sample I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 26 / 39
  • 45. Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Mixing Cuckoo Sandbox and Pin DBI (III) Pin integrated into a package agent.py analyzer.py Drop file API call packages (exe.py) .PIPErandom string Executes procces and injects cuckoomon.dll PIN (Suspended) Cuckoomon.dll (Random name) PIN Sample.exe Sample.exe I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 27 / 39
  • 46. Mixing Cuckoo Sandbox and Pin DBI Introducing PinVMShield Mixing Cuckoo Sandbox and Pin DBI (IV) Introducing PinVMShield (1) <<Interface>> Pin main(argc : int, argv[] : char*) : int Fini(code : INT32, *v : void) : void common logFilename : char* = "file.out" logFile : FILE* stristr(*s1 : char, *s2 : char) : *char printMessage(*msg : char) : void PinWrapperWinAPI PinVMShield #funcName[MAX_LENGTH_FUNCNAME] : char Image(img : IMG, *v : void) #isTryingToDetectVMs(*s : char) : bool #FindRTNByNameA(img : IMG) : RTN #FindRTNByNameW(img : IMG) : RTN #GetPrototypeFunctionA() : PROTO #GetPrototypeFunctionW() : PROTO #GetPrototypeFunction(*funcName : char) : PROTO #ReplaceFunctionSignature(rtn: RTN, proto: PROTO) : void vWinAPIs 0..* WrapperGetModuleHandle -myGetModuleHandle(orig: AFUNPTR, lpModuleName: LPCTSTR, *ctx: CONTEXT): HMODULE WrapperProcess32FirstAndNext -myProcess32FirstAndNext(orig: AFUNPTR, hSnapshot: HANDLE, *ctx: CONTEXT, lppe: LPPROCESSENTRY32) : bool I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 28 / 39
  • 47. Mixing Cuckoo Sandbox and Pin DBI Introducing PinVMShield Mixing Cuckoo Sandbox and Pin DBI (...): our Tool Introducing PinVMShield (2) APIs fooled GetUserNameA/W GetUserNameExA/W RegQueryValueA/W RegQueryValueExA/W RegOpenKeyA/W RegOpenKeyExA/W GetModuleHandleA/W GetModuleHandleExA/W GetFileAttributesA/W Process32First / Process32Next FindWindowA/W FindWindowExA/W CreateFileA/W CreateNamedPipeA/W GetCursorPos Alpha version available for download: (soon) https://bitbucket.org/rjrodriguez/pinvmshield/ I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 29 / 39
  • 48. Case Study: the pafish tool Outline 1 Motivation 2 Previous Concepts Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework 3 On the Anti-VMs & Anti-Sandboxing Techniques VM Detection Sandboxing detection 4 Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Introducing PinVMShield 5 Case Study: the pafish tool 6 Related Work 7 Conclusions and Future Work I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 30 / 39
  • 49. Case Study: the pafish tool Case Study: the pafish tool (I) Tool that incorporates several detections for vms and sandboxing Developed by Alberto Ortega In v.0.2.5.1 (the one of case study): Generic Sandbox Sandboxie QEMU Wine VirtualBox VMWare I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 31 / 39
  • 50. Case Study: the pafish tool Case Study: the pafish tool (I) Tool that incorporates several detections for vms and sandboxing Developed by Alberto Ortega In v.0.2.5.1 (the one of case study): Generic Sandbox Sandboxie QEMU Wine VirtualBox VMWare Do you wanna know more about the blue fish? I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 31 / 39
  • 51. Case Study: the pafish tool Case Study: the pafish tool (I) Tool that incorporates several detections for vms and sandboxing Developed by Alberto Ortega In v.0.2.5.1 (the one of case study): Generic Sandbox Sandboxie QEMU Wine VirtualBox VMWare Do you wanna know more about the blue fish? ! attend Alberto’s session! (tomorrow afternoon) I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 31 / 39
  • 52. Case Study: the pafish tool Case Study: the pafish tool (II) It’s demo time! I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 32 / 39
  • 53. Related Work Outline 1 Motivation 2 Previous Concepts Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework 3 On the Anti-VMs & Anti-Sandboxing Techniques VM Detection Sandboxing detection 4 Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Introducing PinVMShield 5 Case Study: the pafish tool 6 Related Work 7 Conclusions and Future Work I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 33 / 39
  • 54. Related Work Related Work (I) CWSandox Sandbox environment Three design criteria: automation, effectiveness and correctness Performs a dynamic analysis API hooking I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 34 / 39
  • 55. Related Work Related Work (I) CWSandox Sandbox environment Three design criteria: automation, effectiveness and correctness Performs a dynamic analysis API hooking It is detected by sandbox detection techniques I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 34 / 39
  • 56. Related Work Related Work (II) Sandbox + DBI Pin as DBI framework Own-created sandbox environment Two execution environments: Testing: binary execution is traced. Traces are checked against some security policies Real: binary execution is monitored avoiding harmful behaviours I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 35 / 39
  • 57. Related Work Related Work (II) Sandbox + DBI Pin as DBI framework Own-created sandbox environment Two execution environments: Testing: binary execution is traced. Traces are checked against some security policies Real: binary execution is monitored avoiding harmful behaviours Our solution also monitors the execution but. . . I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 35 / 39
  • 58. Related Work Related Work (II) Sandbox + DBI Pin as DBI framework Own-created sandbox environment Two execution environments: Testing: binary execution is traced. Traces are checked against some security policies Real: binary execution is monitored avoiding harmful behaviours Our solution also monitors the execution but. . . besides avoids sandbox detection! I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 35 / 39
  • 59. Conclusions and Future Work Outline 1 Motivation 2 Previous Concepts Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework 3 On the Anti-VMs & Anti-Sandboxing Techniques VM Detection Sandboxing detection 4 Mixing Cuckoo Sandbox and Pin DBI Sticking both Programs Introducing PinVMShield 5 Case Study: the pafish tool 6 Related Work 7 Conclusions and Future Work I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 36 / 39
  • 60. Conclusions and Future Work Conclusions and Future Work (I) PinVMShield Integrated with Cuckoo Sandbox I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 37 / 39
  • 61. Conclusions and Future Work Conclusions and Future Work (I) PinVMShield Integrated with Cuckoo Sandbox X Avoids Cuckoo (and other) detections commonly realised by malware I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 37 / 39
  • 62. Conclusions and Future Work Conclusions and Future Work (I) PinVMShield Integrated with Cuckoo Sandbox X Avoids Cuckoo (and other) detections commonly realised by malware X Not currently detected! ⌣¨ I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 37 / 39
  • 63. Conclusions and Future Work Conclusions and Future Work (I) PinVMShield Integrated with Cuckoo Sandbox X Avoids Cuckoo (and other) detections commonly realised by malware X Not currently detected! ⌣¨ X Main drawback: runtime I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 37 / 39
  • 64. Conclusions and Future Work Conclusions and Future Work (I) PinVMShield Integrated with Cuckoo Sandbox X Avoids Cuckoo (and other) detections commonly realised by malware X Not currently detected! ⌣¨ X Main drawback: runtime X Coding C++ is like a pain in the ass I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 37 / 39
  • 65. Conclusions and Future Work Conclusions and Future Work (I) PinVMShield Integrated with Cuckoo Sandbox X Avoids Cuckoo (and other) detections commonly realised by malware X Not currently detected! ⌣¨ X Main drawback: runtime X Coding C++ is like a pain in the ass We do have more control on malware (binary) execution I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 37 / 39
  • 66. Conclusions and Future Work Conclusions and Future Work (II) Future Work Find a logo Stand-alone app Improve anti-detection techniques (not only hooking. . . ) I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 38 / 39
  • 67. Conclusions and Future Work Conclusions and Future Work (II) Future Work Find a logo Stand-alone app Improve anti-detection techniques (not only hooking. . . ) Replace (totally) cuckoomon.dll I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 38 / 39
  • 68. Conclusions and Future Work Conclusions and Future Work (II) Future Work Find a logo Stand-alone app Improve anti-detection techniques (not only hooking. . . ) Replace (totally) cuckoomon.dll Add anti-DBI techniques I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 38 / 39
  • 69. Conclusions and Future Work Conclusions and Future Work (II) Future Work Find a logo Stand-alone app Improve anti-detection techniques (not only hooking. . . ) Replace (totally) cuckoomon.dll Add anti-DBI techniques Test in real malware samples I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 38 / 39
  • 70. Conclusions and Future Work Conclusions and Future Work (II) Future Work Find a logo Stand-alone app Improve anti-detection techniques (not only hooking. . . ) Replace (totally) cuckoomon.dll Add anti-DBI techniques Test in real malware samples Acknowledgments Alberto Ortega (pafish) NcN staff I. Rodr´ıguez-Gast´on, R.J. Rodr´ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 38 / 39
  • 71. One FlAw over the Cuckoo’s Nest I˜naki Rodr´ıguez-Gast´on†, Ricardo J. Rodr´ıguez‡ « All wrongs reversed inaki@sensepost.com, rjrodriguez@fi.upm.es @virtualminds es ※ @RicardoJRdez †SensePost ‡Universidad Polit´ecnica de Madrid London, UK Madrid, Spain 1 de Noviembre, 2013 No cON Name 2013 Barcelona (Espa˜na)