mmw anti sandbox_techniques
Anti-Sandbox Malware tricks
Your speakers today
o Nick Bilogorskiy (@belogor), Director of Security Research
o Shelendra Sharma, Product Marketing Director
Agenda
o Introduction to Sandboxing
o How Malware breaks sandboxes
o Wrap-up and Q&A
Cyphort Labs T-shirt
Threat Monitoring & Research team
o 24X7 monitoring for malware events
o Assist customers with their Forensics and Incident Response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd Party threat data
What is a sandbox
o A sandbox is an instrumented detonation environment where malware can be run and observed without causing harm to the actual system.
o Sandboxes are used for dynamic malware analysis and behavior-based detection
o Sandboxing is a NECESSARY but NOT SUFFICIENT condition for effective behavior detection
Sandbox History
o Norman Sandbox – 2003
o Anubis – 2006
o JoeBox – 2007
o ThreatExpert – 2008
o Cuckoo – 2010
What is a sandbox
Methods of Analysis in Sandboxes
o User hooks - a software component is installed within the guest OS and reports all user-based activity to the trace handler (keylogger).
o Kernel hooks – The kernel of the guest OS is modified to accommodate tracing requirements (rootkit).
o System emulation – A hardware emulator is modified to hook the relevant memory, disk I/O functions and peripherals, and reports the observed activity.
Use of Sandboxes
1. Simplify malware research : show traces
2. Automated behavior based malware detection : add analytics
Breaking Sandboxes
Anti-Sandboxing
o 1 Detecting Virtualization
o 2 Detecting presence of a live user (Turing test)
o 3 Detecting hooking or exploiting sandbox limitations
o Just like packers became effective to fight signature based AV, evasion and armoring are bypassing rudimentary sandboxes
How much malware can detect Virtual Machines
Source: Antiy Labs
How much malware can detect Virtual Machines
Source: Qualys Labs
Detect Virtualization via Registry check
o VMWare can be detected via Registry: HKLM\HARDWARE\Description\System "SystemBiosVersion"
o Virtualbox can be detected via Registry: HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
PAFISH - (Paranoid Fish) - github.com/a0rtega/pafish
Poll question
How many of the 5 sandboxes I mentioned earlier (Cuckoo, GFI, JoeSandbox, Comodo, ThreatExpert) can be detected by PAFISH (Paranoid Fish)?
o None
o 1
o 2
o 3
o 4
o All of them
PAFISH detects all
Detecting Virtualization
o Check if disk size is less than 50GB
Pafish code
Detecting Virtualization
o Check if the disk is called “VBOX ”
Pafish code
http://pastebin.com/u/waliedassar
Detecting VMWare
o IO Virtualization, IN instruction
Detecting Virtualization by Timing
Redpill IDTR (Interrupt Descriptor Table Register)
Detect Environment: MAC Address
o 00:05:69:xx:xx:xx VMware
o 00:0C:29:xx:xx:xx VMware
o 00:1C:14:xx:xx:xx VMware
o 00:50:56:xx:xx:xx VMware
o 00:15:5D:xx:xx:xx Hyper-V
o 00:16:3e:xx:xx:xx Xen
Source: Paul Jung, Bypassing Sandboxes for Fun
Buy it – use a ready made anti-vm tool
Detecting Virtualization: Problem
o Problem – a large portion of enterprise infrastructure is virtualized now, so malware that refuses to run on any virtual machine limits its own effectiveness.
o Need to detect sandboxes, not the VM
o Detect the presence/absence of the user.
Detecting User
o CAPTCHA is a possible way
o Ask user to click the mouse
o Wait for a certain action of the user to execute (go to Facebook, login to the bank)
o Perform malicious activity upon reboot
Sleep
o A popular strategy is to sleep or execute malicious code on certain dates
o Most Analysis systems are built with timeouts and have limits on how long they can wait, because they need to analyze many files.
o Because sleeps can be detected and stripped, execute various non-malicious code in lieu of sleep.
Detecting hooks
Ping Google
o Some sandboxes do not allow the malware to connect outside to the internet, so a simple way to detect a sandbox is just to verify internet connectivity
Malware Example: Time Acceleration Detection
o Injector.akdd Trojan MD5: 3bbb59afdf9bda4ffdc644d9d51c53e7
o Implements 3 checks for hooking:
o GetTickCount
o GetSystemTimeAsFileTime
o NtQuerySystemTime
o If LESS than 998ms pass during execution:
- Abort!
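The defender's lesson from this sample is that a sandbox which fast-forwards sleeps must advance every clock source by the same amount, or the discrepancy between them gives the acceleration away. The following simulation is an added example, not code from the deck or from the sample; it models the three clock sources named on the slide with constructed values (no Windows API is called) and assumes the sample measures a nominal one-second delay against the 998 ms threshold the slide states.

```python
"""Added example: why sleep skipping in a sandbox must keep every clock
source consistent. Clock values below are constructed, not read from a
live system; only the three API names and the 998 ms threshold come from
the slide."""

from dataclasses import dataclass

FILETIME_PER_MS = 10_000  # 100-ns units per millisecond (FILETIME / NtQuerySystemTime)
EXPECTED_MS = 1000        # nominal delay the sample waits for (assumption)
THRESHOLD_MS = 998        # abort threshold from the slide


@dataclass
class GuestClocks:
    """Constructed stand-ins for the three clocks the sample compares."""
    tick_count: int = 5_000                     # GetTickCount, ms since boot
    system_time: int = 131_000_000_000_000      # GetSystemTimeAsFileTime, 100-ns units
    nt_system_time: int = 131_000_000_000_000   # NtQuerySystemTime, 100-ns units

    def snapshot(self):
        return (self.tick_count, self.system_time, self.nt_system_time)


def elapsed_ms(before, after):
    """Elapsed time as reported by each clock, in milliseconds."""
    return (
        after[0] - before[0],
        (after[1] - before[1]) // FILETIME_PER_MS,
        (after[2] - before[2]) // FILETIME_PER_MS,
    )


def sample_accepts(before, after):
    """The slide's decision rule: proceed only if every clock shows >= 998 ms."""
    return all(ms >= THRESHOLD_MS for ms in elapsed_ms(before, after))


def skip_sleep_partial(clocks, ms):
    """Naive sleep skipping: only GetTickCount is advanced (the common mistake)."""
    clocks.tick_count += ms
    return clocks


def skip_sleep_consistent(clocks, ms):
    """Correct sleep skipping: every clock source moves forward by the same amount."""
    clocks.tick_count += ms
    clocks.system_time += ms * FILETIME_PER_MS
    clocks.nt_system_time += ms * FILETIME_PER_MS
    return clocks


def evaluate(skip_fn):
    """Run the sample's check against a sandbox using skip_fn.

    Returns True when the sample would continue executing (the sandbox is
    not exposed by this check) and False when it would abort."""
    clocks = GuestClocks()
    before = clocks.snapshot()
    skip_fn(clocks, EXPECTED_MS)  # the sandbox fast-forwards instead of sleeping
    after = clocks.snapshot()
    return sample_accepts(before, after)


if __name__ == "__main__":
    print("partial fast-forward survives the check:", evaluate(skip_sleep_partial))
    print("consistent fast-forward survives the check:", evaluate(skip_sleep_consistent))
```

When evaluating a sandbox, run this kind of cross-clock comparison inside the guest: any clock that the acceleration logic forgot to patch shows up as a near-zero delta next to the patched ones.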
Checking GetUserName
o Malware name: Ponmocup Trojan
o MD5: 27aa08d113034eae5565fe2e8813a01e
o Uses GetUserName to check for these strings
o currentuser
o sandbox
o honey
o vmware
o nepenthes
o snort
o andy
o roo
Sazoora malware: Detecting the mouse
o If the sample can't detect mouse movement execution will be slowed down
Sazoora malware: Timing attacks
o Sazoora only runs on the 16th, 17th or 18th of any month
Read more about Sazoora on our blog: https://www.cyphort.com/blog/sazoora-dissecting-bundle-evasion-stealth/
SmartFortress FakeAV malware: Hard Disk Identifiers
o FakeAV SmartFortress Trojan
o MD5: a2d4e451f84b74185ecba8e728b65fe3
o Hard disk identifiers often give away the virtualization platform
o Checked with
o SetupDiGetClassDevs
o SetupDiEnumDeviceInfo
o SetupDiGetDeviceRegistryProperty
SmartFortress FakeAV malware : Exotic Instruction Sets
• MMX is an Intel instruction set designed for faster processing of graphical applications
• Occasionally used by malware as random instructions
• Usually not supported by malware emulators
Recap: Types of Anti-sandboxing tricks
o Detecting virtualization: Not running in the VM
o Sleeping
o Delay loops
o Detecting hooks (user level | kernel level)
o GUI – prompting the user for action
o Running only on certain dates
o Detects Sandbox by time acceleration
o Killing analysis tools
o Checking Browser History, Running Apps, AD Domain membership
Poll question
Which of the anti-sandboxing techniques below do you think is the most popular among malware writers?
A - Detecting Virtual Machines
B - Delay loop execution
C - A and B equally
D - Sleeping
E - Anti-hooking
Popularity of different anti-sandbox techniques
Source: Cyphort Labs
Non traditional File Formats
o Another way to circumvent Sandbox detection: attack a non-traditional platform, i.e. do not use a PE32 executable.
o PDF, Excel, Word
o 64 bit Windows EXE malware
o Mac OSX malware
Wrap up
o Harden the Sandbox against known evasion techniques
o Use Multiple types of Sandboxes
o Use multiple techniques for malware analysis
o Evaluate sandboxing tools against known evasion techniques
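"Evaluate sandboxing tools against known evasion techniques" can be made concrete as a checklist run over the facts of an analysis image. The script below is an added example, not code from the deck, Cyphort, or Pafish: it takes a constructed description of a guest VM and reports which of the tells the earlier slides list (hypervisor MAC OUIs, the Ponmocup username strings, the Pafish disk-size and "VBOX" disk-name checks, the VirtualBox Guest Additions registry key) a sample could use to recognise it. The check on the SystemBiosVersion value assumes the string contains a hypervisor vendor name, which the slide does not spell out; the `HostFacts` structure and the two sample images are constructed for this example.

```python
"""Added example: offline audit of an analysis VM's configuration against
the environment tells listed in the deck. Input is a constructed record of
facts an operator would collect from the guest; nothing here queries a
live system."""

from dataclasses import dataclass, field

# OUI prefixes from the "Detect Environment: MAC Address" slide (Paul Jung).
HYPERVISOR_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware",
    "00:50:56": "VMware", "00:15:5D": "Hyper-V", "00:16:3E": "Xen",
}

# Username substrings from the Ponmocup slide (matched case-insensitively).
SUSPICIOUS_USERNAMES = ("currentuser", "sandbox", "honey", "vmware",
                        "nepenthes", "snort", "andy", "roo")

# Registry locations from the "Detect Virtualization via Registry check" slide.
VBOX_GUEST_KEY = r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"

MIN_DISK_GB = 50  # Pafish threshold from the "Check if disk size" slide


@dataclass
class HostFacts:
    """Facts collected from the analysis VM (structure is an assumption of this example)."""
    mac: str
    username: str
    disk_gb: int
    disk_model: str
    bios_version: str            # content of SystemBiosVersion
    registry_keys: set = field(default_factory=set)


def audit(facts):
    """Return the tells a sample could use to recognise this image, in check order."""
    findings = []
    oui = facts.mac.upper()[:8]
    if oui in HYPERVISOR_OUIS:
        findings.append(f"mac-oui:{HYPERVISOR_OUIS[oui]}")
    lowered = facts.username.lower()
    for needle in SUSPICIOUS_USERNAMES:
        if needle in lowered:
            findings.append(f"username:{needle}")
            break
    if facts.disk_gb < MIN_DISK_GB:
        findings.append("disk-size")
    if "VBOX" in facts.disk_model.upper():
        findings.append("disk-model:VBOX")
    # Assumption: a hypervisor vendor name in SystemBiosVersion is the tell.
    if any(v in facts.bios_version.upper() for v in ("VMWARE", "VBOX", "VIRTUAL")):
        findings.append("bios-version")
    if VBOX_GUEST_KEY in facts.registry_keys:
        findings.append("registry:vbox-guest-additions")
    return findings


# Constructed: a default VMware-based image nobody bothered to customise.
DEFAULT_IMAGE = HostFacts(
    mac="00:0c:29:3a:4b:5c", username="sandbox", disk_gb=40,
    disk_model="VMware Virtual disk", bios_version="VMware Virtual Platform",
)

# Constructed: the same image after hardening (vendor-neutral MAC, realistic
# user name, larger disk, vendor strings removed, no guest-additions key).
HARDENED_IMAGE = HostFacts(
    mac="02:00:00:00:00:01", username="jsmith", disk_gb=120,
    disk_model="ST1000DM003", bios_version="American Megatrends 1.0",
)


if __name__ == "__main__":
    for name, image in (("default", DEFAULT_IMAGE), ("hardened", HARDENED_IMAGE)):
        print(f"{name}: {audit(image) or 'no tells found'}")
```

The list of tells is the one the deck presents; extend it with whatever Pafish and the other tools mentioned flag on your own images, and rerun the audit after every template change so hardening does not silently regress.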
Q and A
Previous MMW slides on
www.slideshare.net/Cyphort/
Thank You!
Twitter: @belogor