Webinar: How hackers are making your security obsolete

1©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.
How Hackers are Making Your Security Obsolete
Sigurdur Stefnisson, Vice President of Threat Research
John Callon, Senior Director of Product Marketing
November 15, 2016

2©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.
• What’s Happening: The Evolution of Threats
• How Hyper-Evasive Threats Evade Detection
• Ransomware case studies: Cerber, Locky
• Limitations of Traditional Detection
• Sandboxing appliances
• Conclusions for Real Life
Agenda

3©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.
• Harmless-to-bad: Basic malware
• The Ugly: Morphing malware
• The Really Ugly: Hyper-evasive malware
The Evolution of Evasiveness
When life was simpler…

Researchers playing non-malicious “gotcha”
1971 Creeper – experiment on ARPANET to infect DEC mainframes
1974 The Rabbit – fork bomb which replicated until System 360 crashed
1975 ANIMAL – first trojan, for the UNIVAC 1108, non-malicious
Personal computers start a new industry
1981 Elk Cloner was written for Apple II as a joke – spread by floppy disk
1983 Term “virus” coined in 1983 by Fred Cohen
1986 First IBM PC virus epidemic (Brain Boot Sector aka “Pakistani Flu”)
- infected the boot sector of 360k floppies
1987 First self-encrypting virus (Cascade)
1988 First worm in the wild (Morris Worm)
1989 First ransomware (AIDS Trojan)
1989 .
In the beginning…there was malware

• Emerged in the early 1990s
• Often basic viruses under the hood
• Malicious code that changes its code as it is replicating
• Mutates and changes its appearance each time it infects a new
object in order to avoid pattern recognition by antivirus software
• Oligomorphic, Polymorphic, Metamorphic
• Detection responses
• Emphasis on heuristics detection and not signatures to cope with
the flood of different virus permutations
• Application sandboxing began to develop during the 1990s as a
key response to polymorphic malware
Morphing malware

1990 The first polymorphic malware: Chameleon
1991 The first widespread polymorphic virus found in the wild (Tequila)
1992 DAME toolkit turns ordinary viruses into polymorphic viruses
1992 The first virus creation tool kit (Virus Creation Laboratory – VCL)
1995 The first macro virus is created
2000 Loveletter.A spread via outlook infected millions of PC’s in hours
2001 Nimda spreads among others through vulnerabilities in Microsoft windows
2002 Simile/Etap – a cross-platform metamorphic virus
2008 Conficker worm; at least five variants to keep up with efforts to kill it
Morphing Malware Timeline

• The polymorphic engine doesn't reside within the malware itself
• Back-end web services hiding the mutation engine
• Each time a download occurs from a URL you receive a different
file due to sophisticated algorithms
• Attack methods frequently involve encryption, droppers and
packers
• Started to appear ~2007
Complexity cubed: Server-side polymorphism

• An emerging trend in last few years
• Originates from “unknown” sources or from code lodged in
compromised, trusted sites
• Rarely contains obviously suspicious code
• Incorporates many known evasion techniques within a single piece
of malware
• As the use of sandboxing for malware defenses has increased,
malware increasingly is “sandbox aware”
Today: “Hyper-Evasive” Malware

• Ransomware case studies: Cerber, Locky
Agenda

Virtual machine checks:
• Parallels
• QEMU
• Oracle VirtualBox
• VMWare
Case 1: Cerber ransomware
Debugger process checks:
• CommView Network Monitor
• WinDump
• WireShark
• DumPCAP
• OllyDbg
• IDA Disassembler
Runs at least 28 processes to…
• Check if debugger installed to detect the malware
• Check for the presence of virtual machines
• Check specifically for the presence of sandboxes
• SysAnalyzer
• SniffHit
• SckTool
• Proc Analyzer
• HookExplorer
• MultiPot

Cerber ransomware: Sandbox checks
• Loaded modules checks
• sbiedll.dll – Sandboxie
• dir_watch.dll, api_log.dll –
Sunbelt Sandbox
• Volume serial number checks
• ThreatExpert
• Malwr
• Mutex name checks
• Deep Freeze - Frz_State
• Other file path checks on
modules used in sandbox setups
• C:popupkiller.exe
• C:stimulator.exe
• C:TOOLSexecute.exe
• String checks from memory
• test_item.exe
• sand-box
• cwsandbox
• sandbox

• Emerged February 2016, multiple new
variants on a daily basis
• Usually emails with business finance-
related topics to lure users into
opening its attachment
• Cyren honeypots saw 1.5 million
unique samples in 24 hours on 3/31
• 40% of all malicious emails in March
contained a Locky JavaScript variant
Case 2: Locky ransomware

• Group behind it was
clearly checking/QAing
detection performance
and adapting
• Scripts regularly mutated
and obfuscated with new,
additional evasion
techniques
Locky: The only constant is change
Locky adaptations to evade detection
Jun 27 New sandbox evasion technique
Jul 4 New downloading decryption
July 7 Attachment format change
Jul 14 Attachment format change
Jul 21 Delivery change – embedded in JS
Aug 25 New obfuscation layer – DLL binary
Sep 1 New distribution format – HTA files

Guess correctly and win a prize…

Locky JavaScript code shown in editor:
Numerous variables containing chunks
of strings, which are concatenated at
runtime to build needed strings like
ActiveXObject names and methods
Locky: Code obfuscation II

• Ransomware file won’t execute without downloader
• Payload only runs when executed with a specific string argument
supplied by the downloader: “123”
• Prevents sandboxes from analyzing the binary payload if processed
separately from the script – the ransomware won’t execute on its own.
• Another layer of obfuscation on top of preexisting
• JavaScript hidden in ZIP file
• Binary payload packer injects Locky malware code into another process
Sandbox evasion: Need downloader (June 27)

• Used a new technique
for downloading Locky's
binary executable
• New Locky JS script runs
a decryption routine
before running the
binary executable
• Previous Locky JS script
only had a “download
and execute” routine
Locky: New decryption routine (July 4)

Side-by-side
comparison of a
snapshot of the
downloaded Locky
binary code,
encrypted (left) and
then decrypted (right)
July 2016

• Switch to Word docs with macros (July 7)
• Downloader component switched to Word documents with embedded
macros (.docm extension)
• JavaScript detection considered high
• Switch from .js to .wsf (July 14)
• Zipped Windows Script File (WSF) – allows mixing JScript and VBScript
languages within a single file, so still JavaScript underneath
• .wsf files not blocked by default in many email security systems
Switching things up

• New wave of Locky with the Windows
executable now embedded in JavaScript
• The attached JavaScript file evolved from
being a downloader component into
becoming the actual ransomware
• Size of the attached ZIP file is significantly
larger, 260KB vs. 10KB
• Large array variable holds the encrypted
Locky ransomware binary, which is decrypted
and saved to disk before being executed
Locky: Embedding malware in script (July 20)
Code showing part of large array variable

• Updated its delivery mechanism by adding another layer of
obfuscation to its downloader script, which decrypts and executes
the real Locky downloader script
• Instead of downloading an EXE binary, now comes as a DLL binary
• The DLL is using a custom packer to prevent anti-malware scanners
from easily detecting it.
• The DLL is loaded using rundll32.exe
More obfuscation: DLL binary (August 25)

• New delivery mechanism
• Delivering the Locky downloader
script component as HTA files
• HTA’s are a Windows HTML
application which run as “fully
trusted” with Internet Explorer
• Emails disguised as voice message
notifications sent by Peach Telecom,
which suggests that the campaign is
targeting users in the UK
Locky: Ransomware as voice message (Aug. 26)

Agenda
• Appliance Sandboxing

• Detecting the existence of a virtual environment
• Delayed activation – attempting to “outwait” the sandbox
• Awaiting human interaction like mouse movements that could not
result from a simulation
• Making payload execution conditional
• e.g., recent ransomware downloaders have added the requirement
of an additional parameter for the execution of the downloaded
ransomware code
Recap: Common sandbox evasion techniques

• It’s popular! Over 50% of SMBs have deployed
• It’s expensive! Hardware costs $$$
• Fixed amount of physical resources of an on-premise appliance
• i.e., memory and processing power)
• Limits the scalability of the solution in terms of total analysis object load and
depth of analysis performed.
• Reliance on virtualized environments
• the presence of which can be detected by malware
• reduces costs, but…
• “Sandbox specificity”
Limitations of detection via traditional sandboxing

• Any specific sandbox is best at one kind of analysis (and not
the others)
• e.g., OS or registry or network behavior analysis
• No collaborative analysis model
• No diversity of environments
• Enables malware developers to optimize analysis evasion
techniques for each sandbox platform
“Sandbox specificity” problem for appliance SB’s

Agenda

• This has been a long-term battle, and will continue into the future
• Nobody has the magic bullet
• Need layered security
• Need to have diversity in sandboxing environments
• Need to break out of appliance architectures
• Time to apply cloud computing power to the problem: Cyren Cloud
Sandbox Array.
Conclusions for real life

600M+
Users protected
17B+
Transactions daily
130M+
Threats blocked daily
Cyren GlobalViewTM
Security Cloud
CYREN
DATA CENTERS

100% cloud-delivered SaaS enterprise security

Questions and next steps
Free online web security health check
- 30 second evaluation of your current web security infrastructure
- Go to home page or cyren.com/securitytest
Request a demo
- For Cyren WebSecurity or EmailSecurity
- Go to Contact us at home page
Ransomware Threat Report
- Available at web site
- Also many articles on Locky at our blog
Botnets: A Deep Dive
- Upcoming threat report and webinar on December 7, 2016

Webinar: How hackers are making your security obsolete

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Webinar: How hackers are making your security obsolete

Similar to Webinar: How hackers are making your security obsolete (20)

More from Cyren, Inc

More from Cyren, Inc (16)

Recently uploaded

Recently uploaded (20)

Webinar: How hackers are making your security obsolete