Published on February 24, 2014
Thinking Outside the[Sand]box Kyle Adams - Juniper Networks This presentation is for educational purposes only
Introduction Chief Software Architect for Junos Web App Secure “Junos Web App Secure is a security deception technology designed to lace web applications with honeypots on-the-fly” More recently, leading efforts in malware research. Can’t share exactly why, but I can share some interesting ideas that have surfaced as a result.
Primary Goal Inoculate your machine from infection by specific classes of malware
Background • Malware Analysis Background Malware Collection Techniques o Malware Analysis Techniques o Signature Development o • Malware Authoring ROI o o • o Malware ROI Optimizing for Success Hypothetical Example Evasion o o Distribution Evasion Sandbox Evasion
Background / Malware Collection How do analysts get malware samples? • • • • • • Web Crawlers Torrents Usenet Malware Repositories Email Droppers
Background / Malware Analysis How do malware analysts inspect malware? • • • Static File Analysis Virtual Machine Sandboxing Code Emulation Sandboxing
Background / Signatures How do malware signatures get created? 1. Get a sample 2. Analyze it for unique behaviors - Generate heuristic behavior signature 3. Analyze it for unique data patterns Generate file data signature 4. Distribute new signatures to customers 5. Remove old unnecessary signatures
Background / Malware ROI Uninterrupted Lifecycle: Research Development Testing Distribution Grow Infection Base The infection base grows indefinitely. The more machines infected, the more return the attacker gets for their initial investment. In other words… Time = Money
Background / Malware ROI Interrupted Lifecycle: Research Development Testing Distribution Grow Infection Base Signature Published Sample Detected Sample Collected The infection base grows until a signature is published. It then rapidly declines in growth rate and eventually becomes negligible. The more machines infected, the more return the attacker gets for their initial investment. So… Time to DETECTION = Money
Background / Optimizing For Success Hypothetical Example: Bob spends 20 hours researching his target environment. Another 20 hours writing some ransomware and testing it. Finally, Bob pays someone to distribute his malware for 50 cents per infection, with a distribution rate of 200 clients per hour. Bob’s ransom is $300 and 10% of his victims will chose to pay. So for every hour Bob’s malware is undetected, he makes: ((200 clients * .1) * $300) - (200 clients * $0.50) = $5,900 per hour Assume the infection rate remains constant for 72 hours, and minus Bob’s time at (~$50 an hour), Bob makes a total of $422,800.
Background / Optimizing For Success Hypothetical Example: Now assume his malware is detected and a signature is published, dropping the successful ransom collection rate to 1 client per hour. (hours_before_detection * ((200 clients * .1) * $300) - (200 clients * $0.50))) + (hours_after_detection * (((10 clients * .1) * $300) - (10 clients * $0.50)) Detection at 6 hours: Bob makes $52,870 Detection at 12 hours: Bob makes $88,500 Detection at 18 hours: Bob makes $120,130 Detection at 24 hours: Bob makes $153,760 So for each 6 hours Bob can avoid detection, he makes $30,000 vs. $1,770. Thats a lot of motivation!
Background / Distribution Evasion • • You can’t analyze something you can’t get. You can’t generate signatures if you can’t analyze So if you can avoid serving malware to analysis labs, you can avoid detection and signature distribution. Distribution Evasion Distribute malware only to a select set of targets, narrow enough to exclude analysis labs.
Background / Distribution Evasion Distribution Evasion Tactics: • • • • • • • • Don’t serve to search engines (Google, Yahoo, Bing, etc…) Don’t serve to known security lab IPs (Symantec, McAfee, etc…) Don’t serve to an environment you can’t infect (Missing Plugins, Unsupported OS, etc…) Randomly choose not to serve Serve only to specific countries/IP ranges Serve only to known browsers Serve only if referer is whitelisted Serve only once per IP
Background / Distribution Evasion Distribution Evasion Implementation: 3. Add server-side specificity and filtering:The iframe points to a server whose sole purpose is to exploit browsers and serve malware. In addition to picking the right exploit for the target client, it will also not serve malware if specific conditions are not met. • • • • • You’re not a search engine Your IP is not blacklisted, or is in a whitelist You’re using an exploitable OS and browser This is the first time you have loaded the iframe Drive by code has been injected into the domain of your referer Since the research lab doesn't know what conditions the distribution server requires, it is exceptionally difficult to trick it into serving the malware.
Background / Sandbox Evasion Sandbox Evasion Tactics: If any of the following are true, do not execute the malware payload: • • • • • • • Significant Clock Skew Debugger is attached Virtual Machine Detected No Internet Connection Unexploitable environment Sandbox Software Detected Sleep statements abort prematurely Sandboxes can only run for a fixed period of time per sample (usually 30-60 seconds), so the malware may try to run longer: • • Long sleep before payload execution Schedule payload execution for some time in the future
Background / Sandbox Evasion Sandbox evasion techniques can be grouped into several high level categories: • • • • • Specificity Triggers Detection Interruption Dialogs Any given malware sample may do zero or more of these.
Background / Sandbox Evasion Specificity: • • • • • • • Has internet connection Has correct software versions Has correct OS Has expected security policies Public IP is in correct geographical region Clock skew is minimal Account data is present (Gmail, AIM, Facebook, etc…)
Background / Sandbox Evasion Specificity: Requires Email Handing app like Outlook or ThunderBird. framework Requires Internet Connection Requires .NET Requires Win 95/98
Background / Sandbox Evasion Triggers: • • • • Sleep for several minutes Require multiple executions Wait for one or more reboots Wait for event o User opens .txt file o User launches browser o User switches to battery power o User updates windows o User installs software o User connects to WiFi o HID activity (Mouse, Keyboard, Webcam, Mic)
Background / Sandbox Evasion Triggers: Requires browser restart to trigger payload. Require a second execution.
Background / Sandbox Evasion Detection: • • • Debugger Hooks Virtual Machines o Registry Keys, Serial Numbers, MAC addresses o Processes, Services, Drivers, Open Ports o VM Specific ASM instructions Sandbox Software o Open Ports, Processes, Files
Background / Sandbox Evasion Detection: Themida: Legitimate Software Piracy Protection wrapper designed to detect VM’s and debuggers. Go figure, malware authors use it too. Debugger detection. And hey, they even explained how to turn off SoftIce (just in case you didn’t know how). No Printer?
Background / Sandbox Evasion Interruption: • • Analysis Framework Interruption: o Force Reboot or Logout o Enable Firewall / Whitelist C&C servers Screen Capture Interruption o Open dialogs minimized o Open other apps Maximized o Flashing components / Animation o Hidden MouseOver components
Background / Sandbox Evasion Interruption: Force a reboot. Screen Shot Evasion: The “Play” button flashes. We got lucky and took the screenshot at the right time.
Background / Sandbox Evasion Dialogs:
Background / Sandbox Evasion Simple Dialogs: What are they? • Fake Apps o Fake Installers o Fake Errors o • Why? o o o Prevent sandbox analysis Phish for information Legitimize it looks real, so its probably safe red flags (UAC, firewall notices, etc…)
Background / Sandbox Evasion Simple Dialogs: Legitimize UAC dialogs Require basic human input (click a button)
Background / Sandbox Evasion Advanced Dialogs: Require account details TOS acceptance Combination Lock Graphic based dialogs • • • •
Background / Sandbox Evasion Advanced Dialogs: Requires password. Presumably available with the download link. Captcha style dialog Fake dialog. This dialog looks similar to the default theme of XP, but is clearly not.
Deceptive Inoculation Bottom line, malware takes great care not to run in a sandbox environment. Lets all be sandboxes! (or at least pretend to be)
Deceptive Inoculation • Distribution Deception o • Prevent your personal computer from being sent malware in the first place (stop drive-by-downloads). Sandbox Deception o Prevent malware from executing a payload when launched on your personal computer.
Inoculation / Distribution Evasion Pretend you’re google bot: 1. Firefox: Install User-Agent-Switcher 2. Set User-Agent to: Googlebot-Image (Googlebot) Pretend none of your plugins are enabled: 1. Firefox: Go to Tools > Add Ons 2. For everything in the list, select “Ask To Activate” (Java, Adobe Acrobat, Flash, Silverlight, Office, PDF Reader, ...) Disable Referers: 1. Firefox: Go to about:config 2. Set “network.http.sendRefererHeader” to 0
Inoculation / Distribution Evasion Request Suspicious Content Twice: This doesn’t exist yet, but what if…. iframe: badsite.com I F R A M E embedded flash repeat: badsite.com IFRAME V A L I D A T O R Bad Server no embedded flash iframe: goodsite.com no embedded flash Good Server
Inoculation / Sandbox Evasion Permanent Debugger 1. Install a debugger 2. Hook every process automatically Spoof VMWare Artifacts: 1. Create stub exe called “VBoxService.exe” and leave it running on boot. Skew your clock 1. Change system time to be 1 year behind 2. Disable clock syncing
Inoculation / Sandbox Evasion Sandbox Emulation 1. Open ports (cuckoo: 2042, mongodb: 27017) 2. Configure as Cuckoo Guest: http://docs.cuckoosandbox.org/en/latest/installation/guest/ But make sure to cripple the agent! These changes may result in instability to the system, and would require some additional testing in a well used desktop environment. 1. Add a dll named “dbghelp.dll” to registry so it loads into every process 2. Temporarily Assign windows product ID of “76487-337-8429955-22614” (Assign on boot, revert on shutdown) Look into Anubis, JoeBox, CWSandBox, ThreatExpert, and Cuckoo. The
Conclusion Practicality: As it stands, these techniques require some complex administrative/programming tasks, and would need to be updated regularly. Ideally these types of techniques could be packaged into software that automatically updates and manages settings for you.
Conclusion Perceived Efficacy: With just these 5 strategies, we were able to prevent 20% of malware activity in the samples we analyzed. True Efficacy: Hard to say how effective it really is, because the samples this works on, are less likely to be identified as known malware. Fortunately, this means it will reduce malware infection for samples your AV is unlikely to detect with signatures.
More Information Contact Info: Email: firstname.lastname@example.org Twitter: kadams_sec LinkedIn: https://www.linkedin.com/in/adamsk Presentation Material: http://forums.juniper.net/t5/Security-Mobility-Now/bg-p/networkingnow References: http://www.fireeye.com/blog/technical/malware-research/2011/01/the-dead-giveaways-of-vm-awaremalware.html
Thinking Outside The Sandbox WAHM Small Business and Social Media blog offers website traffic insight into how to understand social media and use it to ...
Hello. Thanks for stopping by. Thinking Outside The Sandbox is a unique blog about the business side of blogging. We are a team of amazing bloggers from ...
Thinking Outside the Sandbox. ... “I’ve just found sand to be the most fulfilling thing in my life because I really carve from the heart,” says Dan.
Thinking Outside The Sandbox. 8,612 likes · 11 talking about this. Learn the business side of blogging. www.totsbusiness.com Always get notifications:...
Nontoxic spent foundry sand is gaining increased credibility as a construction material. Cost effectiveness and growing research demonstrating the value of ...
Hello. Thanks for stopping by. Thinking Outside The Sandbox: Family is a unique mom blog. We are a team of 22 amazing parents. Between us, we have 37 ...
Know Theatre uses humble cork for a magical realism effect. When Know Theatre chose to produce Militant Language: A Play with Sand by Sean Christopher ...
If you are looking for one adorable sweet treat, we have you covered! Use store bought cupcakes or your favourite recipe to make Simple Spring Cupcakes.