1
Nitty Gritty of Sandbox Evasion March 2014
Reimagined Security
2
EVOLUTION OF EVASION
HOW TO DETECT ADVANCED ATTACKS
EVASION METHODS
RECOMMENDATIONS
3
The Evolution of Evasion
4
Evasion is Working: Attackers Sit Inside the Enterprise for 243 Days
[Figure: breach timeline running from the initial breach, through the threat remaining undetected at 3, 6 and 9 months, to remediation. 243 days is the median number of days attackers are present on a victim network before detection. The slide also gives the percentage of companies that learned they were breached from an external entity and the percentage of victims that had up-to-date anti-virus signatures; those two figures did not survive extraction.]
Source: M-Trends Report
5
The Malware Lifespan: Two Hours
[Chart: number of malware samples (0 to 350,000) by hours since first sighting (0 to 7), 2012 versus 2013]
Source: FireEye Labs
6
Malware in the Wild
Percentage of malware that only exists once, and percentage of malware that disappears after one hour (the two figures did not survive extraction)
7
Know Thy Adversary: Stages of an Advanced Attack
1. Exploit an application or OS vulnerability
2. Malware download
3. Callback to command and control
4. Lateral spread
5. Data exfiltration
Exploit detection is critical: every stage after the exploit can be hidden or obfuscated.
8
Sample Impact: High-Tech
Top APT business impact
• Backdoor.APT.Gh0stRAT (40%) and Backdoor.APT.DarkComet (40%): remote access tools (RATs) that lead to loss of intellectual property, trade secrets and sensitive internal communication.
Top crimeware business impact
• Malware.Binary (67%): never-seen-before malware; signature-based protection is defenceless.
• Exploit.Kit.Neutrino (67%): infection with several types of malware that steal credentials or restrict access to the computer and demand a ransom.
FireEye proof-of-value (PoV) customers: 18; compromised: 100%; had APT: 28%
Per-week maximum and average counts of web exploits, malware downloads, unique malware, unique callbacks and impacted hosts (values as extracted; the column assignment did not survive extraction): 1.46, 8.66, 41486.9, 43022.5, 86.92, 3011.14; 198.9, 12.9, 2708.9, 2629.8
9
File-Based Sandbox to the Rescue?
• Average response time for human analysts
– 30 to 45 minutes; not scalable
• Response time for a file-based sandbox
– Normally a couple of minutes; scales with machines
• Problem: file-based sandboxes are not effective in detecting advanced malware
– Designed as research tools, with a long way to go before prime time
– Most file-based sandboxes are not hardened against evasive malware
10
What is Required? An automated analysis system with advanced correlation across:
• Static analysis
• Network analysis
• Behavior analysis
11
How to Detect Advanced Attacks
12
Detect the Exploit at the Point of Attack
In advanced attacks like Operation Aurora, the exploit is the key that unlocks the whole attack:
1. JavaScript exploit code on a web page decodes to
2. an encoded executable, which reveals
3. previously unknown C&C servers.
The payload is not visible without understanding the exploit, and the C&C servers are not visible without analysing the payload.
13
Factor #1: What Gets Analyzed
Today's attacks use a broad range of content types:
• Web-based exploits
• Weaponized documents
• Active code
• EXE and DLL files
14
Factor #2: What's in the Box
Each type of content needs an application to react with:
• Web page, JavaScript: browser
• Java applet: Java JRE
• Word document, Excel sheet, PowerPoint: Office
• PDF document: PDF reader
• Executable, DLL: operating system
15
Factor #3: The Hypervisor
• Today…
– All advanced threat detection solutions use some form of virtualisation (VM) technology
– Most are based on commercial (e.g. VMware) or open-source hypervisors (e.g. Xen and Oracle VirtualBox)
– These hypervisors were not designed for security analysis, and their default guests carry recognisable artifacts (device and driver names, services, registry keys, MAC address prefixes)
• But…
– Advanced malware is often 'VM aware'
– It will actively seek out markers of common hypervisors when deciding whether or how to execute
16
Factor #4: How You Monitor Virtual Execution
• Delta versus runtime analysis
• Delta analysis (compare a snapshot of the guest taken before execution with one taken after) is easy to implement, but has some serious limitations:
– It is blind to operations that run only in memory
– It will only report changes that are still persistent at the end of the analysis
– It cannot react to evasive operations (such as malware going to sleep for 10 minutes)
• Runtime analysis does not share these limitations because it observes execution in real time from inside the sandbox
17
Factor #5: Where to Put the Sandbox
• The cloud model requires that content be sent out of the organisation for analysis:
– Not much of an issue for executables
– Loss of context: a huge issue when it comes to documents
• Cloud services are always multi-tenanted and potentially hackable
• Some advanced malware is location-aware, and will only execute inside the target network
• What if a false positive ends up putting your schematics, business plans, roadmap, customer information or other sensitive files in the cloud?
18
Evasion Methods
19
Four Sandbox Evasion Methods
• VMware-specific
• Environment-specific
• Configuration-specific
• Human interaction
20
Evasion Via Human Interaction
Approach: How it works
• Mouse clicks
– UpClicker installs a mouse hook and watches for a left-click on the mouse, more specifically the button-up (release) event, before it continues execution; a sandbox that never clicks never sees the payload
– Another APT-related malware file, BaneChant, activates only after three mouse clicks
• Dialog boxes
– Display a dialog box that requires the user to respond
– Use the MessageBoxEx family of Windows API functions to create dialog boxes from EXE and DLL files; the malware activates only after the user clicks a button
21
Example of Human Interaction Evasion
Code sample highlighting the action taken on a mouse button-up event
22
Evasion Via Configuration-Specific Methods
Approach: How it works
• Sleep calls: wait out the sandbox, which analyses each sample for only a few minutes.
• Time trigger: malware executes only after a given date and time.
• Hiding processes: malware disables the operating-system callbacks the sandbox relies on, so malicious activity is never reported to the monitor.
• Malicious downloader: many file-based sandboxes are configured with no connection to the Internet; a malicious downloader makes an HTTP request, fails to download the malware, and so shows no malicious behaviour.
• Executable name: many sandboxes assign a predefined name to files during execution. Attackers can avoid detection by having their code check whether it is running under one of these names and terminate if so.
• Volume information: malware can detect the presence of many sandboxes by checking whether the volume serial number of the machine it is running on matches that of widely used (and widely copied) VM images.
• Execute after reboot: deploy malware that does nothing overtly suspicious until after a reboot, which a sandbox run never reaches.
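The sleep-call row above is the one most sandbox operators "fix" first, by hooking Sleep/SleepEx so the call returns immediately, and it is also the fix evasive malware most often tests for. The following added example (written for this transcript; not code from the original deck or from FireEye) shows the check from the sample's side and why a hardened sandbox has to virtualise the clock consistently rather than simply skip the wait. It uses only Python's time module; the "naive" and "consistent" sandbox classes are constructed stand-ins for a sandbox's API hooks, not a real product.

```python
"""Sleep-skipping detection: the malware-side check behind the "Sleep calls"
row, and what a sandbox must do to survive it.

Added example for this transcript; not from the original deck. The two
sandbox classes are constructed stand-ins for a sandbox's Sleep/clock hooks."""
import time

# An honest sleep may overshoot under scheduler load but never returns
# meaningfully early, so anything under 90% of the request is suspect.
EARLY_RETURN_RATIO = 0.9


def detect_sleep_skip(sleep_fn, clock_fn, requested_s):
    """Return True if sleep_fn(requested_s) returned before the clock read
    through clock_fn had advanced by roughly requested_s.

    This is the pattern evasive samples use on Windows: call Sleep/SleepEx,
    then compare a GetTickCount/QueryPerformanceCounter delta with the
    delay they asked for."""
    before = clock_fn()
    sleep_fn(requested_s)
    elapsed = clock_fn() - before
    return elapsed < requested_s * EARLY_RETURN_RATIO


class NaiveSandbox:
    """Hooks Sleep to return at once but leaves the clock untouched.
    Detectable: the sample sees no time pass across its sleep."""

    def __init__(self):
        self.clock = time.monotonic

    def sleep(self, seconds):
        return None  # skip the wait, say nothing to the clock


class ConsistentSandbox:
    """Skips the wait but advances a virtual clock by the requested amount,
    so every time source the sample can query agrees with the sleep it made."""

    def __init__(self):
        self._offset = 0.0

    def sleep(self, seconds):
        self._offset += seconds

    def clock(self):
        return time.monotonic() + self._offset


def run_checks(requested_s=0.05):
    """Run the detection against a real sleep and both sandbox models.
    Returns {environment name: sleep-skip detected?}."""
    naive = NaiveSandbox()
    consistent = ConsistentSandbox()
    return {
        "real_host": detect_sleep_skip(time.sleep, time.monotonic, requested_s),
        "naive_sandbox": detect_sleep_skip(naive.sleep, naive.clock, requested_s),
        "consistent_sandbox": detect_sleep_skip(
            consistent.sleep, consistent.clock, requested_s
        ),
    }


if __name__ == "__main__":
    for env, detected in run_checks().items():
        print(f"{env:20s} sleep-skip detected: {detected}")
```

The consistent model only holds if every clock the guest can reach moves together: GetTickCount, QueryPerformanceCounter, the RDTSC instruction and the system time all have to be offset by the skipped amount, and a sample that fetches the Date header from a web server still gets an external clock the sandbox cannot fake without also intercepting the traffic. Skipping sleeps buys analysis time; it does not remove the need for a longer run when a sample is seen timing itself.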
23
Extended Sleep Calls
Trojan Nap code calling the SleepEx function with a ten-minute timeout, long enough to outlast a typical sandbox run
24
Time Trigger Malware
A snippet of Hastati code, highlighting a call to the GetLocalTime() function to read the current time before deciding whether to run
25
Malicious Downloader
Malicious JavaScript code making an HTTP request to a high-risk URL; with no Internet access in the sandbox the request fails and the payload never arrives
26
Hiding Processes
Kernel-mode malware deregisters the monitor's process-creation callback by calling PsSetCreateProcessNotifyRoutine with the Remove flag set, so new processes are no longer reported to the sandbox.
27
Evasion Via Environment Detection Methods
Approach: How it works
• Correct version check: many malicious files are set to execute only in certain versions of applications or operating systems, which may be absent from sandboxes.
• Embedded iframes: using innocuous files to get past defences and download a malicious payload. A common approach is hiding iframe HTML elements in an otherwise non-executable file, such as a GIF picture or an Adobe Flash file.
• DLL loader: requiring a specific, non-standard loader (a particular export, argument or calling process) to execute the DLL, which a sandbox that simply runs the file through rundll32 will not supply.
28
Environment Specific Evasion
Malware Performing Application Version Checks
29
Environment Specific Checks
Malicious iframe tag in a GIF file
30
Evasion Via VMware Detection Methods
Approach: How it works
• VM system service list check: malware checks for services unique to VMware, such as vmci, vmdebug, vmmouse, vmscsi, VMTools, vmware, vmx86, vmhgfs and vmxnet. The slide also lists vmicheartbeat, which is in fact a Hyper-V integration service, so a hit on it indicates Hyper-V rather than VMware.
• Checking for unique VMware files: looking for files specific to that platform, such as the VMware Tools drivers.
• Looking for the VM communications port: detecting the I/O port (the VMware "backdoor") that VMware uses to communicate with its virtual machines. The guest executes an IN instruction on port 0x5658 with the magic value 0x564D5868 ("VMXh") in EAX; VMware answers the request, whereas physical hardware does not.
31
Checking for VMware
Malware using the RegOpenKeyExA() function to check for the VMware Tools registry key
32
Checking for VMware
Malware using GetFileAttributesA() to determine the presence of the VMware mouse driver (vmmouse.sys)
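The three VMware slides above (service list, registry key, driver file) are the checks a sandbox operator should run against their own image before trusting it. The following added example (written for this transcript; not FireEye's code and not from the deck) implements them as a Pafish-style self-test. The service names come from the slide with the two typos corrected; the VMware Tools registry key and the driver paths are stated as well-known defaults that the deck does not spell out. The detection functions take inventories as arguments so they run anywhere; live_inventory() collects those inventories only on Windows. The backdoor-port check needs an IN instruction and is not portable, so it is left out here.

```python
"""Sandbox-hardening self-test for the VMware artifacts the deck lists.

Added example for this transcript (not FireEye's code). Service names are
the slide's list with typos corrected; the registry key and driver paths
are assumed well-known defaults, not taken from the deck."""
import os
import sys

# Service names from the slide. vmicheartbeat is a Hyper-V integration
# service, so it is kept separate: a hit there indicates Hyper-V, not VMware.
VMWARE_SERVICES = {
    "vmci", "vmdebug", "vmmouse", "vmscsi", "vmtools", "vmware",
    "vmx86", "vmhgfs", "vmxnet",
}
HYPERV_SERVICES = {"vmicheartbeat"}

# Assumed default VMware Tools artifacts (the slides show the API calls,
# not the exact key or path).
VMWARE_REGISTRY_KEYS = {r"software\vmware, inc.\vmware tools"}
VMWARE_FILES = {
    r"c:\windows\system32\drivers\vmmouse.sys",
    r"c:\windows\system32\drivers\vmhgfs.sys",
}


def find_vm_artifacts(services, files, registry_keys):
    """Return {"vmware": [...], "hyperv": [...]} listing every indicator hit.
    Matching is case-insensitive, as Windows service names, paths and
    registry keys are."""
    svc = {s.lower() for s in services}
    fls = {f.lower() for f in files}
    keys = {k.lower() for k in registry_keys}
    return {
        "vmware": sorted(
            [f"service:{s}" for s in svc & VMWARE_SERVICES]
            + [f"file:{f}" for f in fls & VMWARE_FILES]
            + [f"registry:{k}" for k in keys & VMWARE_REGISTRY_KEYS]
        ),
        "hyperv": sorted(f"service:{s}" for s in svc & HYPERV_SERVICES),
    }


def looks_like_vm(services, files, registry_keys):
    """True if any hypervisor artifact is present in the given inventories."""
    return any(find_vm_artifacts(services, files, registry_keys).values())


def live_inventory():
    """Collect (services, files, registry_keys) from the running host.
    Windows only; elsewhere all three are empty and the host reads as clean."""
    services, files, keys = set(), set(), set()
    if sys.platform != "win32":
        return services, files, keys
    import winreg  # Windows-only module, hence the late import
    # Every installed service is a subkey under CurrentControlSet\Services.
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as k:
        i = 0
        while True:
            try:
                services.add(winreg.EnumKey(k, i))
                i += 1
            except OSError:
                break
    for path in VMWARE_FILES:
        if os.path.exists(path):  # same test GetFileAttributesA performs
            files.add(path)
    for key in VMWARE_REGISTRY_KEYS:
        try:  # RegOpenKeyExA equivalent: success means the key exists
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            keys.add(key)
        except OSError:
            pass
    return services, files, keys


if __name__ == "__main__":
    hits = find_vm_artifacts(*live_inventory())
    for family, indicators in hits.items():
        print(family, indicators or "none")
```

Run it inside the analysis image: anything it prints is an artifact that the deck says malware looks for, and that renaming or removing (or, for services, not installing VMware Tools at all) would take away. Running only in the sandbox is the point; the script contains nothing that would behave differently on a victim host.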
33
Conclusions and Recommendations
34
Sandboxes: Conclusions
• File-based sandboxes are not effective in detecting advanced malware
• Advanced attacks are stateful: understanding the context of the attack via multi-flow analysis is needed to fill the gap
• Multi-flow and multi-vector correlation across sets of events is required to capture the behaviour of advanced threats
• The virtual execution environment must be hardened and obfuscated against advanced evasions
– Many old malware families, such as Kelihos, Pushdo and Poison Ivy, have resurfaced with sandbox evasions: a never-ending battle
35
A Buyer's Guide: Questions to Ask
1. What types of content get submitted for virtual/sandbox analysis? Do these types give full coverage of the threat vectors (web and JavaScript-based exploits in particular)?
2. What operating systems, applications and plug-ins (and what range of versions) are available in the sandbox to react with your content?
3. How is execution monitored? Is it simply by comparing a snapshot of the VM before and after execution?
4. What type of hypervisor is used? How would it resist VM-aware malware?
5. Do you have any issue with your business plans, patent applications, financials, customer details and business decisions being submitted to a cloud service?
6. How much time do you expect to spend tuning and administering the solution?
36
About FireEye
37
FireEye's Technology: State of the Art Detection
• Detonate: network, mobile and file objects (500,000 objects/hour)
• Analyze: within VMs and across VMs
• Correlate: cross-enterprise, across the attack stages of exploit, callback, malware download, lateral transfer and exfiltration
38
FireEye Product Portfolio
Alongside existing controls (SEG, IPS, SWG, MDM, host anti-virus), built on the MVX engine, the Threat Analytics Platform and Dynamic Threat Intelligence:
• Network Threat Prevention
• Email Threat Prevention
• Content Threat Prevention
• Mobile Threat Prevention
• Endpoint Threat Prevention
39
Reimagined Security
Thank You