In this presentation, I present an automatically disarmament system for armed malware with anti-sandboxing. The system targets on 1) Host-fingerprinting malware like citadel, 2) armed malware with general anti-sandboxng for automated sandbox analyzer. An approach of disarmament focuses on exit reason and exit before activity in malware execution. I have developing CPU emulator-based disarmament system with instrumentation. The system suggests a suitable environment for dynamic analysis for individual malware.

1. FFRI,Inc.
PacSec 2014
TENTACLE:
Environment-Sensitive Malware Palpation
FFRI, Inc.
http://www.ffri.jp
Ver 2.00.01
1
Yosuke Chubachi, Kenji Aiko

2. FFRI,Inc.
About us
2
Yosuke Chubachi is a security
engineer at FFRI, Inc. since this spring.
He studied at the graduate school of
information system engineering,
University of Tsukuba. He is a Security
Camp lecturer and a member of
executive committee of SECCON since
2012.
Kenji Aiko is a programmer at FFRI,
Inc., and is a one of the developers of
"FFRI yarai" which is a targeted attack
protection software. He is a Security
Camp lecturer and a member of
executive committee of SECCON since
2012.

3. FFRI,Inc.
Contents
• Background/Motivation
• Taxonomy of anti-‐‑‒sandbox techniques
• Tentacle Design
• Implementation
• Experiments
• Conclusion
3

4. FFRI,Inc.
Background
• Malware explosion
– 120,000,000/recent
year
• Antivirus is dead…?
4
AV Test: Statistics –New Malware- (Nov. 05 2014 viewed)
http://www.av-test.org/en/statistics/malware/

5. FFRI,Inc.
We need dynamic and automated malware analysis
• “Scalability” is most important factor in
information explosion era
– Cloud
– Bigdata
– IoT
• Malware analysis also needs “scalable”
methodology
– Automation is justice
5

6. FFRI,Inc.
Obi wan said, “Use the sandbox, Luke”
• Security engineer and researcher use
sandbox environment for malware analyzing
• Automated dynamic analysis technology also
based on VM/application sandbox
– Anubis(online sandbox)
– Cuckoo Sandbox(VirtualBox base)
– Some commercial UTM Appliance
– Some commercial endpoint security solution
6

7. FFRI,Inc.
Sophisticated malware strike back
• Sophisticated malware arms many anti-‐‑‒
analyze techniques
• Naturally using targeted attacks, cyber
espionage, banking malware
• We called those malware “evasive malware”
7

8. FFRI,Inc.
Related work
• BareCloud [Dhilung K et al., USENIX SECʼ’14]
– “5,835 evasive malware out of 110,005 recent
samples”
• Prevalent Characteristics in Modern Malware
[Gabriel et al., BH USA ʻ‘14]
– “80% malware detect vmware using backdoor port”
8
What do you think?

9. FFRI,Inc.
Case study: Citadel
• Some citadel detects the execution
environment and do not engage in malicious
behavior when the current host differs from
the infected host
– To avoid dynamic malware detection(like sandbox
analysis)
• Showing 2 examples
– Host-‐‑‒fingerprinting
– VM/Sandbox detection
9

10. FFRI,Inc.
Host-fingerprinting
• Embedding infected hostʼ’s unique value into
execution binary
10
Citadel
Unpacker
Malicious
code
Self-rewriting
when
original malware
execution
Environment-sensitive
Citade l
Unpacker
Malicious
code with
host unique
value
Different signature pattern

11. FFRI,Inc.
Host-fingerprinting(cont’d)
• Getting GUID on system drive using the
GetVolumeNameForVolumeMountPoint()
• Comparing running hostʼ’s GUID value and embedded
infected hostʼ’s value
• Process executes malicious code if GUID values are
consistent
11
Infected host’s GUID(packed)
Unpacked GUID
Format:
{XXXXXXXX-XXXX-XXXX-XXXXXXXX}
Unpack
Environment-sensitive
Citade l
Unpacker
Malicious
code with
host unique
value

12. FFRI,Inc.
VM/Sandbox detection
• Checking processʼ’s product name
– like ”*vmware*”, ”*virtualbox”
• Scanning specific files and devices
– C:popupkiller.exe
– C:stimulator.exe
– C:TOOLSexecute.exe
– .NPF_̲NdisWanIp
– .HGFS
– .vmci
– .VBoxGuest
12

13. FFRI,Inc.
Citadel behavior of host/environment inconsistency
• For example:
– Process termination
– Running fake(or harmless) code
13
Not really matter
A serious matter
Initialization
(unpack)
Sandbox(incl. VM)
Detection
Malicious
routine
Decoy
routine
If running
on an analyzing
environment

14. FFRI,Inc.
Citadel runtime activities
14
Initialization
Scouting
Malicious
Behavior
Memory
Persistent
unpack
storage
Environment-awareness
Network
Host fingerprinting
Malicious code execution
Code
injection
Connecting
CC server
Unauthorized
Access

15. FFRI,Inc.
Aim of evasive malware
• Signature-‐‑‒based AV detection avoiding
• Anti-‐‑‒analyzing
– Anti-‐‑‒security engineer
– Sandbox evasion
15

16. FFRI,Inc.
Motivation
• An automatic investigation into a condition
used by sandbox evasion
– Faking bare-‐‑‒metal environment on sandboxes
16
InitializationSandbox(incl. VM)
Pass!
(unpack)
Detection
Malicious
routine
Transparent Sandbox
Using Investigated Conditions

17. FFRI,Inc.
Know Your Enemy
TAXONOMY OF ANTI-SANDBOX
17

18. FFRI,Inc.
Taxonomy of anti-sandbox techniques
• Anti-‐‑‒sandbox maneuver
– Environment awareness
• Using result of sandbox detection
– (Stalling code)
– (User interaction checks)
• Sandbox (debug/sandbox/vm) detection
– Artifact fingerprinting
– Execution environment fingerprinting
– Execution timing detection
18

19. FFRI,Inc.
Environment awareness
• Checking host environments
• If malware runs decoy routine then it detects
analyzerʼ’s sign
– Malicious behavior never executed
19
Initialization
(unpack)
Sandbox(incl. VM)
Detection
Malicious
routine
Decoy
routine
If running
on an analyzing
environment

20. FFRI,Inc.
Sandbox (debug/sandbox/vm) detection
20
Host
Environment aware Malware
VM
related
Artifacts
Sandbox
specific
Artifacts
VMM?
Hardware
Execution
Environment
Fingerprinting
Artifact Fingerprinting
Execution
Timing Detection

21. FFRI,Inc.
Artifact fingerprinting
• Sandbox/VM related processes
– Like vmware, virtualbox etc.
• Sandbox/VM environment specific files
• Sandbox/VM environment specific registry keys
• Sandbox/VM environment specific devices and its attributes
– ex). QEMU HDD vendor name
• Sandbox/VM Specific I/O port
– VMWare backdoor port is most famous artifact in malware
21

22. FFRI,Inc.
Execution environment fingerprinting
• Using virtual machine implementation specific
platform value and reaction
– CPUID instruction result
– Redpill
• Using LDT/GDT and IDT incongruousness
– Interesting research here: Cardinal Pill Testing
22

23. FFRI,Inc.
Execution timing detection
• For example:using clock count differential
– Traditional anti-‐‑‒debug technique
23
Comparing two
TSC differentials

24. FFRI,Inc.
Targets of today’s presentation
• Anti-‐‑‒sandbox maneuver
ü Environment awareness
• Using result of sandbox detection
p Stalling code
p User interaction checks
• Sandbox (debug/sandbox/vm) detection
ü Artifact fingerprinting
ü Execution environment fingerprinting
p Execution timing detection
24

25. FFRI,Inc.
Automatically disarmament system for armed malware with
anti-‐‑‒sandboxing
TENTACLE: DESIGN
25

26. FFRI,Inc.
Concept: malware palpation
1. “Thousand form” sandbox runs malware again
and again
– Changing “virtual” artifacts exposure each execution
for execution branch detection
2. Retroactive condition analysis
– Specifying “branch condition” on unnatural process
termination
26

27. FFRI,Inc.
Malware palpation
• Sandbox runs same malware again and again
• Sandbox fakes different sandbox-‐‑‒related
artifacts each malware execution
– Detecting execution difference using code execution
integrity(CEI)
27
vmmouse
.sys
user-space
kernel-space
Runtime Libraries
Sandbox
API
fakingemulato
r
user-space
kernel-space
Malware
(fist execution)
Runtime Libraries
Sandbox
API
Not foundemulato
r
Malware
(second execution)

28. FFRI,Inc.
Code Execution Integrity(CEI)
• CEI shows uniqueness of instruction
execution history
– Inspired by TPM trust chaining
• “measurement” per instruction
28
Digest[i] = SHA1( fetched CPU instruction + Digest[i-1] )
mov $0x616b6157, %eax
0xb857616b61
push %ebx
0x53
push %eax
0x50
mov $4, %edx
0xba04000000
mov $1, %ebx
0xbb01000000
d[0] = SHA1(0xb857616b61)
d[1] = SHA1(d[0] + 0x53)
d[2] = SHA1(d[1] + 0x50)
d[3] = SHA1(d[2]
+0xba04000000)
...

29. FFRI,Inc.
Execution branch detection
• Using execution step count and code
execution integrity(CEI) value
29
in eax, dx;
cmp ebx,
jne notVmware
jmp isVmware
notVmware: mov rc, 0
jmp done
isVmware: mov rc, eax
jmp done
CEI[0]1
CEI[1]1
CEI[2]1
CEI[3]1
CEI[4]1
CEI[0]2
CEI[1]2
CEI[2]2
CEI[3]2
CEI[4]2
CEI[5]2

30. FFRI,Inc.
Retroactive condition analysis
• Sandbox retroactive from
termination to terminated
reason API and arguments
when suspicious termination
– Only a few steps executions
– To terminate before network
activities
sub esp, 1024
mov ebx, esp
push 400h
push ebx
push 0h
call GetModuleFileNameA
lea eax, MyPath
push eax
push ebx
call lstrcmpA
test eax, eax
push 0h
lea eax, MsgCaption
push eax
jz _ok
lea eax, NGMsgText
push eax
push 0h
call MessageBoxA
invoke ExitProcess, NULL
30
_ok: lea eax, OKMsgText

31. FFRI,Inc.
know thyself
TENTACLE: IMPLEMENTATION
31

32. FFRI,Inc.
Tentacle implementation overview
32
• Tentacle based on IA-‐‑‒32 CPU emulator
user-space
kernel-space
Host
Target’
Process
Runtime Libraries
(Virtualized)
Runtime Libraries
FILE’
HEAP’
CPU Emulator
Memory
Context ’
Execution
Context ’

33. FFRI,Inc.
IA-32 CPU emulator-based sandbox
• We have already CPU Emulator-‐‑‒based
sandbox for win32 execution (in-‐‑‒house use)
– Like IDA Bochs PE operation mode
33
Target Program
(loaded)
Decode
Execution
CPU Emulator
Instruction
Fetch
Address Resolution
Applying
Execution Result

34. FFRI,Inc.
IA-32 CPU Emulator: Virtual contexts
34
Virtual Process
Contexts
Virtual Module(DLL)
Contexts
Virtual Resources
(handle) Contexts
Virtual Heap
Contexts
CPU Emulator
Process
Data
Code
Target
Process
Virtual CPU
Contexts
Target Process’s
VA Space contexts
DLLs
Headers

35. FFRI,Inc.
IA-32 CPU Emulator: API emulation
35
Virtual advapi32.dll
Functions
CPU Emulator
Process
kernel32.dl l
user32.dl l
advapi32.dl l
msvcrt.dl l
Target
Process
API Emulation
Components
DLLs
…
Virtual kernel32
Functions
Virtual user32.dll
Functions
Virtual msvcrt.dll
Functions
Virtualized
Resource Manager

36. FFRI,Inc.
Limitations
• The original CPU emulator supports a limited API
• The original CPU emulator supports a limited CPU
instruction
36

37. FFRI,Inc.
Tentacle implementation details
• Nyarlathotep “Thousand Form” Sandbox
– Camouflaging sandbox/vm related artifact
existence
– Execution branch detection using CEI
• Retroactive condition analysis
• Necronomicon
– Execution logging framework
37

38. FFRI,Inc.
Necronomicon
• Necrnomicon logs instruction per execution
– Tracing specific API call and its arguments for
Retroactive condition analysis
• lstrcmp, GetModuleFileName,
GetVolumeNameForVolumeMountPoint…
• Code execution integrity calculation per
execution
– For execution branch detection
38

39. FFRI,Inc.
Nyarlathotep “Thousand Form” Sandbox
• For example, VMWare related artifacts
– backdoor port
– vm-‐‑‒related files (2 files)
– registry entries (1 entry)
• Sandbox fake “in” instruction result for
backdoor port check
• Files and registry entry virtualization used by
sandboxʼ’s own virtual resource manager
39

40. FFRI,Inc.
Experiments
• Disarmament #01: Artifact fingerprinting
sample
• Disarmament #02: Comparing Disk GUID
value sample
• Disarmament #03: Comparing executable file
path sample
40

41. FFRI,Inc.
Disarmament #01: Artifact fingerprinting sample
41
int _tmain(int argc, _TCHAR* argv[])
{
int count = 0;
delay();
if ( sbdetect_vmware_backdoor_port() 0){
printf(VMWare backdoor port detected. I am on the virtual.);
}
if ( sbdetect_vmware_sysf01() == 0 ){
printf(vmmouse.sys detected. I am on the virtual.n);
exit(1);
}
if ( sbdetect_vmware_sysf02() == 0 ){
printf(vmmouse.sys detected. I am on the virtual.n);
exit(1);
}
if ( sbdetect_vmware_reg01() == 0 ){
printf(RegKey: SOFTWAREVMware, Inc.VMware Tools
detected. I am on the virtual.n);
exit(1);
}
//Malicious behavior
printf(malicious behaviorn”);
return 0;
}

42. FFRI,Inc.
sbdetect_vmware_backdoor_port()
42
int sbdetect_vmware_backdoor_port(void)
{
int rc = 0;
__try
{
__asm
{
mov eax, 'VMXh'
mov ebx, 0;
mov ecx, 0xA
mov edx, 'VX' // port
in eax, dx; // read port
cmp ebx, 'VMXh’ // Vmware echo ‘VMXh’
jne notVmware
jmp isVmware
notVmware:
mov rc, 0
jmp done
isVmware:
mov rc, eax
done:
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
rc = 0;
}
return rc;
}

43. FFRI,Inc.
sbdetect_vmware_sysf01()
43
//
// Detect proven: Windows 7 32bit
// Not detected: Windows 7 64bit
//
int sbdetect_vmware_sysf01() {
DWORD ret;
TCHAR target[255] = %WINDIR%system32driversvmmouse.sys;
ret = GetFileAttributes(target);
if( ret != INVALID_FILE_ATTRIBUTES ){
return 0;
}
else{
return 1;
}
}

44. FFRI,Inc.
sbdetect_vmware_sysf02()
44
//
// Detect proven: Windows 7 32bit
// Not detected: Windows 7 64bit
//
int sbdetect_vmware_sysf02() {
DWORD ret;
TCHAR target[255] = %WINDIR%system32driversvmhgfs.sys;
ret = GetFileAttributes(target);
if( ret != INVALID_FILE_ATTRIBUTES ){
return 0;
}
else{
return 1;
}
}

45. FFRI,Inc.
Disarmament #01
45

46. FFRI,Inc.
Disarmament #02: Comparing Disk GUID value
sample
46
.386
.model flat,stdcall
option casemap:none
include masm32includewindows.inc
include masm32includekernel32.inc
includelib masm32libkernel32.lib
include masm32includeuser32.inc
includelib masm32libuser32.lib
.data
DriveC db C:, 0
VolumeC db ?Volume{8e7e8884-600d-11e4-
ae07-806e6f6e6963}, 0
MsgCaption db MESSAGE, 0
OKMsgText db Normal Message, 0
NGMsgText db Detect Message, 0
.code
start:
sub esp, 1024
mov ebx, esp
sub esp, 4
mov eax, esp
push eax
push ebx
lea eax, DriveC
push eax
call GetVolumeNameForVolumeMountPointA
lea eax, VolumeC
push eax
push ebx
call lstrcmpA
test eax, eax
push 0h
lea eax, MsgCaption
push eax
jz _ok
lea eax, NGMsgText
push eax
push 0h
call MessageBoxA
invoke ExitProcess, NULL
_ok:
lea eax, OKMsgText
push eax
push 0h
call MessageBoxA
invoke ExitProcess, NULL
end start

47. FFRI,Inc.
Disarmament #02
47

48. FFRI,Inc.
Disarmament #03 Comparing executable file
path sample
48
.386
.model flat,stdcall
option casemap:none
include masm32includewindows.inc
include masm32includekernel32.inc
includelib masm32libkernel32.lib
include masm32includeuser32.inc
includelib masm32libuser32.lib
.data
MyPath db C:xsample2.exe, 0
MsgCaption db MESSAGE, 0
OKMsgText db Normal Message, 0
NGMsgText db Detect Message, 0
.code
start sub esp, 1024
mov ebx, esp
push 400h
push ebx
push 0h
call GetModuleFileNameA
lea eax, MyPath
push eax
push ebx
call lstrcmpA
test eax, eax
push 0h
lea eax, MsgCaption
push eax
jz _ok
lea eax, NGMsgText
push eax
push 0h
call MessageBoxA
invoke ExitProcess, NULL
_ok: lea eax, OKMsgText
push eax
push 0h
call MessageBoxA
invoke ExitProcess, NULL
end start

49. FFRI,Inc.
Disarmament #03
49

50. FFRI,Inc.
Future work
• Improving anti-‐‑‒sandbox detection
– Stalling code detection and evasion
• Improving sandbox quality
50

51. FFRI,Inc.
Conclusions
• This is proof of concept of automatically
disarmament system for armed malware
with anti-‐‑‒sandboxing with CPU emulator-‐‑‒
based sandbox
• We introduced anti-‐‑‒sandbox taxonomy
51
Know thy self, know thy enemy. A thousand
battles, a thousand victories.- Sun Tzu

52. FFRI,Inc.
Bibliography
• Analyzing Environment-Aware Malware, Lastline, 2014.05.25(viewed)
http://labs.lastline.com/analyzing-environment-aware-malware-a-look-at-zeus-trojan-variant-called-citadel-evading-traditional-sandboxes
• Martina Lindorfer, Clemens Kolbitsch, and Paolo Milani Comparetti. 2011. Detecting environment-sensitive malware. In Proceedings of the
14th international conference on Recent Advances in Intrusion Detection (RAID'11). Springer-Verlag, Berlin, Heidelberg, 338-357.
• lemens Kolbitsch, Engin Kirda, and Christopher Kruegel. 2011. The power of procrastination: detection and mitigation of execution-stalling
malicious code. In Proceedings of the 18th ACM conference on Computer and communications security (CCS '11). ACM, New York, NY,
USA, 285-296.
• Min Gyung Kang, Heng Yin, Steve Hanna, Stephen McCamant, and Dawn Song. 2009. Emulating emulation-resistant malware. In
Proceedings of the 1st ACM workshop on Virtual machine security (VMSec '09). ACM, New York, NY, USA, 11-22.
• Dhilung Kirat, Giovanni Vigna, and Christopher Kruegel. 2014. Barecloud: bare-metal analysis-based evasive malware detection. In
Proceedings of the 23rd USENIX conference on Security Symposium (SEC'14). USENIX Association, Berkeley, CA, USA, 287-301.
• Ulrich Bayer, Imam Habibi, Davide Balzarotti, Engin Kirda, and Christopher Kruegel. 2009. A view on current malware behaviors. In
Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more (LEET'09).
USENIX Association, Berkeley, CA, USA, 8-8.
• Aurélien Wailly. Malware vs Virtualization The endless cat and mouse play, 2014.05.25(viewed)
http://aurelien.wail.ly/publications/hip-2013-slides.html
• Lorenzo Martignoni, Roberto Paleari, Giampaolo Fresi Roglia, and Danilo Bruschi. 2009. Testing CPU emulators. In Proceedings of the
eighteenth international symposium on Software testing and analysis (ISSTA '09). ACM, New York, NY, USA, 261-272.
• Hao Shi, Abdulla Alwabel and Jelena Mirkovic. 2014. Cardinal Pill Testing of System Virtual Machines. In Proceedings of the 23rd USENIX
conference on Security Symposium (SEC'14). USENIX Association, Berkeley, CA, USA,271-285.
• Lorenzo Martignoni, Roberto Paleari, Giampaolo Fresi Roglia, and Danilo Bruschi. 2010. Testing system virtual machines. In Proceedings
of the 19th international symposium on Software testing and analysis (ISSTA '10). ACM, New York, NY, USA, 171-182.
• IDA Boch PE operation mode
https://www.hex-rays.com/products/ida/support/idadoc/1332.shtml
52

53. FFRI,Inc.
53
Thank you !
FFRI, Inc.
http://www.ffri.jp