Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Stealthy, Hypervisor-based Malware Analysis


Published on

Slides for my presentation at DCC2016

Published in: Technology
  • You can try later this tool when the human interaction tricks are implemented :)
    Are you sure you want to  Yes  No
    Your message goes here

Stealthy, Hypervisor-based Malware Analysis

  1. 1. Tamas K Lengyel @tklengyel Stealthy, Hypervisor-based Malware Analysis
  2. 2. #whoami Open source enthusiast Maintainer of Xen, LibVMI and DRAKVUF PhD from UConn: Malware Collection and Analysis via Hardware Virtualization
  3. 3. Agenda 1. Motivation 2. Anti-sandbox tricks 3. Using a hypervisor for monitoring 4. Mo’ problems! 5. Fixing the problems 6. Mo’ problems! 7. Conclusion
  4. 4. An early warning This presentation will get technical Don’t be afraid of the assembly Don’t worry if some of it makes no sense
  5. 5. Sandboxes & honeypots “Let’s just see what happens” Most of our tools for observing software at run-time are built with an assumption that misbehavior is accidental - Debuggers
  6. 6. Stealth Debuggers were not designed to be stealthy Debugged process can detect the debugger Observer effect
  7. 7. Strings in MultiPlug $:hash:procexp.exe $:hash:procmon.exe $:hash:processmonitor.exe $:hash:wireshark.exe $:hash:fiddler.exe $:hash:vmware.exe $:hash:vmware-authd.exe $:hash:windbg.exe $:hash:ollydbg.exe $:hash:winhex.exe $:hash:processhacker.exe $:hash:hiew32.exe $:hash:vboxtray.exe $:hash:vboxservice.exe $:hash:vmwaretray.exe $:hash:vmwareuser.exe
  8. 8. Some other popular strings CheckRemoteDebuggerPresent IsDebuggerPresent VIRTUALBOX VBoxGuestAdditions QEMU Prod_VMware_Virtual_ XenVMM MALTEST TEQUILABOOMBOOM VIRUS MALWARE SANDBOX WinDbgFrameClass SAMPLE
  9. 9. AntiCuckoo Detect & crash the Cuckoo process - Ouch.. Real malware would probably just falsify the results to not stand out..
  10. 10. ..or not: HackedTeam
  11. 11. Improving Stealth #1 Move the monitoring component into the kernel Windows doesn’t like it if you just randomly hook stuff (PatchGuard) What about rootkits?
  12. 12. Rootkit problem 2014
  13. 13. Rootkit problem 2015 That’s only about 0.36% of all malware observed by McAffee
  14. 14. Rootkit problem? Based on these numbers rootkits may seem to be not that big of a deal High cost of development may mean you don't use one unless you have to Or are we just bad at detecting them?
  15. 15. Improving Stealth #2 Move the monitoring component into a hypervisor Harder to detect Greater visibility Harder to develop
  16. 16. Emulation vs. virtualization Emulation Pro: - Easier to monitor Emulation Con: - Easy to detect - Easy to get it wrong - Unlikely in production environment
  17. 17. How to start the malware? Our goal is to do everything without the need of an in-guest agent No startup scripts, no client process Straight up memory and CPU manipulation can get us what we need!
  18. 18. Done? Nope Malware can detect if it’s running in a virtualized environment Hypervisors were not designed to be stealthy either
  19. 19. Pafish
  20. 20. CPUID hypervisor guest status static inline int cpuid_hv_bit() { int ecx; __asm__ volatile("cpuid" : "=c"(ecx) : "a"(0x01)); return (ecx >> 31) & 0x1; }
  21. 21. CPUID hypervisor guest status cpuid = ['0x1:ecx=0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx']
  22. 22. The fix verified
  23. 23. 60GB free disk space? LVM copy-on-write allows us to quickly deploy lightweight duplicates Analysis clones will only use extra space if they change files And only as much space as they actually changed
  24. 24. The fix verified
  25. 25. Uptime check int gensandbox_uptime() { /* < ~12 minutes */ return GetTickCount() < 0xAFE74 ? TRUE : FALSE; }
  26. 26. Uptime check Let your VM sit idle for a while, take memory snapshot Start each analysis clone by loading this memory snapshot Could also just return fake value
  27. 27. The fix verified
  28. 28. Memory size check Who uses a machine with <1Gb RAM? We can increase sandbox memory size but that limits how many we can run Xen memory sharing allows CoW!
  29. 29. CoW memory
  30. 30. CoW memory over time
  31. 31. Xen memory-sharing status It works but it’s very experimental Original developer no longer around May not work with other experimental Xen features
  32. 32. CPU count check
  33. 33. Multi-vCPU tracing Particularly challenging due to how external monitoring is implemented Easy to end up in a race-condition with concurrently active CPUs
  34. 34. EPT-lookup
  35. 35. EPT-lookup All vCPUs share a single EPT Standard way hypervisors use EPT
  36. 36. Race with multi-vCPU EPT RACE
  37. 37. Some ways around We can pause CPUs We can emulate instructions ...or!
  38. 38. Xen altp2m
  39. 39. Xen altp2m
  40. 40. The fix verified
  41. 41. I/O activity It’s all emulated so we could fake it We could even reconstruct the location of buttons / pop-ups from memory! Click on “Install” buttons? - Doesn’t seem to make much difference -
  42. 42. Other CPUID leaks hypervisor_id = "XenVMMXenVMM" (0x40000000/ebx-edx) hypervisor version (0x40000001/eax): version = 4.6 hypervisor features (0x40000002): number of hypercall-transfer pages = 0x1 (1) MSR base address = 0x40000000 MMU_PT_UPDATE_PRESERVE_AD supported = false vtsc = false host tsc is safe = true boot cpu has RDTSCP = true tsc mode = 0x0 (0) tsc frequency (kHz) = 3392364 incarnation = 0x1 (1)
  43. 43. PCI leaks 00:02.0 VGA compatible controller: Cirrus Logic GD 5446 (prog-if 00 [VGA controller]) Subsystem: Red Hat, Inc QEMU Virtual Machine Physical Slot: 2 Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx- Latency: 0 Region 0: Memory at f0000000 (32-bit, prefetchable) [size=32M] Region 1: Memory at f2072000 (32-bit, non-prefetchable) [size=4K] Expansion ROM at f2060000 [disabled] [size=64K] Kernel driver in use: cirrus
  44. 44. Disk vendor leaks description: ATA Disk product: QEMU HARDDISK physical id: 0.0.0 bus info: scsi@0:0.0.0 logical name: /dev/sda version: 1 serial: QM00001 size: 93GiB (100GB) capabilities: partitioned partitioned:dos configuration: ansiversion=5 logicalsectorsize=512 sectorsize=512 signature=a6b04d21
  45. 45. Some more things to look for Screen resolution File modification timestamps Username Malware executable file-name GeoIP
  46. 46. Telling time
  47. 47. Telling time RDTSC is trappable to the hypervisor - We could actually fake the value it returns Not the only way to measure time - HPET, NTP, covert channels..
  48. 48. Discussion Often-made argument: Virtualization is so wide-spread, detection of it may not be indicative of an analysis environment It's true.. to an extent!
  49. 49. Does malware really care? Most malware authors are lazy Why go all this way if you could just.. sleep! Stalling malware
  50. 50. Stalling malware Halting problem We can hook Sleep() We can randomize execution time
  51. 51. Advanced Stalling malware Spam system calls that normally finish fast - NtCreateSemaphore Monitoring incurs overhead on each call so this will time out the sandbox
  52. 52. Advanced Stalling malware How to detect syscall spam? We need some baseline
  53. 53. 100k malware syscalls
  54. 54. Advanced Stalling malware Average # of calls of NtCreateSemaphore - 10 API spamming malware? - 1 - Calls it 17453 times in 60s
  55. 55. Discussion There is no absolute stealth Making stealthier tools require malware to run more checks But only if our analysis tools span the entire spectrum
  56. 56. Conclusion No end in sight Still many low-hanging fruits for malware to detect A lot more tools available We need to use them all or malware becomes resilient faster
  57. 57. Thanks! Tamas K Lengyel @tklengyel LibVMI DRAKVUF
  58. 58. References