
Page 1: Nitty Gritty of Sandbox Evasion - usuaria.org.ar · A Buyer’s Guide: Questions to Ask . 1. What types of content get submitted for virtual/sandbox analysis? Do these ... FireEye


Nitty Gritty of Sandbox Evasion March 2014

Reimagined Security

Page 2

EVOLUTION OF EVASION

HOW TO DETECT ADVANCED ATTACKS

EVASION METHODS

RECOMMENDATIONS

Page 3

The Evolution of Evasion

Page 4

Evasion is Working Around the Enterprise in 243 Days

[Figure: attack timeline from initial breach, through the period the threat stays undetected, to remediation, with 3, 6 and 9 month markers. Callouts: the share of companies that learned they were breached from an external entity, and the share of victims that had up-to-date anti-virus signatures.]

243 days: median number of days attackers are present on a victim network before detection.

Source: M-Trends Report

Page 5

The Malware Lifespan: Two Hours

[Figure: number of malware samples (y-axis, 0 to 350,000) against hours since first sighting (x-axis, 0 to 7), with separate series for 2012 and 2013.]

Source: FireEye Labs

Page 6

Malware in the Wild

[Figure: share of malware that only exists once, and share of malware that disappears after one hour.]

Page 7

Know Thy Adversary

[Figure: attack lifecycle] Exploit an application or OS vulnerability; Malware Download; Callback to Command & Control; Lateral Spread; Data Exfiltration

Exploit detection is critical: every stage after the exploit can be hidden or obfuscated.

Page 8

Sample Impact: High-Tech

Top APT Business Impact
• Backdoor.APT.Gh0stRAT (40%) and Backdoor.APT.DarkComet (40%): Remote Access Tools (RATs) that lead to loss of intellectual property, trade secrets, and sensitive internal communication.

Top Crimeware Business Impact
• Malware.Binary (67%): never-seen-before malware; signature-based protection is defenseless.
• Exploit.Kit.Neutrino (67%): infection with several types of malware that steal credentials or restrict access to the computer and demand a ransom.

FireEye PoV customers: 18 | Compromised: 100% | Had APT: 28%

[Chart: per-week maximum and average of Web Exploits, Malware Downloads, Unique Malware, Unique Callbacks and Impacted Hosts; values as extracted, column assignment not recoverable: 1.46, 8.66, 41486.9, 43022.5, 86.92, 3011.14, 198.9, 12.9, 2708.9, 2629.8]

Page 9

File-Based Sandbox To the Rescue?

• Average response time for human analysts
– 30 – 45 minutes
– Not scalable

• Response time for a file-based sandbox
– Normally a couple of minutes
– Scalable with machines

• Problem: file-based sandboxes are not effective in detecting advanced malware.
– Designed as a research tool; a long way to go for prime time
– Most file-based sandboxes are not hardened for advanced malware analysis

Page 10

What is Required? An automated analysis system with advanced correlation of:
• Static analysis
• Network
• Behavior

Page 11

How to Detect Advanced Attacks

Page 12

Detect the Exploit At the Point of Attack

In advanced attacks like Operation Aurora, the exploit is the key that unlocks the whole attack…

[Figure] JavaScript Exploit Code on a Web Page → (1) decodes → Encoded Executable → (2) reveals → Previously Unknown C&C Servers

• Payload not visible without understanding the exploit
• C&C servers not visible without analysing the payload

Page 13

Factor #1: What Gets Analyzed

Today’s attacks use a broad range of content types: DLL, EXE, web-based exploits, weaponized documents, active code.

Page 14

Factor #2: What’s in the Box

Each type of content needs an application to react with…

Content: Web Page, JavaScript, Java Applet, Word Doc, Excel Sheet, PowerPoint, PDF Document, Executable, DLL

Applications: Browser, Operating System, PDF Reader, Java JRE, Office

Page 15

Factor #3: The Hypervisor

• Today…
– All advanced threat detection solutions use some form of virtualisation (VM) technology
– Most are based on commercial (e.g. VMware) or open source hypervisors (e.g. Xen and Oracle VirtualBox)
– These hypervisors were not designed for security analysis

• But…
– Advanced malware is often ‘VM aware’
– It will actively seek out markers of common hypervisors when deciding whether or how to execute

Page 16

Factor #4: How You Monitor Virtual Execution

• Delta vs runtime analysis
• Delta analysis is easy to implement, but has some serious limitations:
– It is blind to operations that run in memory
– It will only report changes that are persistent at the end of analysis
– It cannot react to evasive operations (like malware going to sleep for 10 minutes)

• Runtime analysis does not share these limitations because it observes execution in real time from inside the sandbox

Page 17

Factor #5: Where to Put the Sandbox

• The cloud model requires that content be sent out of the organisation for analysis:
– Not much of an issue for executables
– Lose context: a huge issue when it comes to documents

• Cloud services are always multi-tenanted and potentially hackable
• Some advanced malware is location-aware, and will only execute inside the target network
• What if a false positive ends up putting your schematics, business plans, roadmap, customer information or other sensitive file in the cloud?

Page 18

Evasion Methods

Page 19

Four Sandbox Evasion Methods

VMware-specific

Environment-specific

Configuration-specific

Human Interaction

Page 20

Evasion Via Human Interaction

Approach / How It Works

Mouse clicks
• UpClicker: code watches for a left-click on the mouse—more specifically, an up-click
• Another APT-related malware file called BaneChant activates only after three mouse clicks

Dialog boxes
• Displaying a dialog box that requires the user to respond
• Using the MessageBoxEx API functions of Windows to create dialog boxes in EXE and DLL files; the malware activates only after the user clicks a button

Page 21

Example of Human Interaction Evasion

Code sample highlighting the action for a mouse click up

Page 22

Evasion Via Configuration Specific Methods

Approach / How It Works

Sleep Calls: Wait out the sandbox.

Time Trigger: Malware executes only after a given date and time.

Hiding Process: Malware blocks calls to the operating system to hide malicious behavior.

Malicious Downloader: Many file-based sandboxes are configured with no connection to the Internet, so a malicious downloader makes an HTTP request but fails to download the malware.

Executable Name: Many sandboxes assign a predefined name to files during execution. Attackers can avoid detection by having their code determine whether it is running under one of these names and terminate.

Volume Information: Malware can detect the presence of many sandboxes by checking whether the volume serial number of the machine it is running on matches that of widely used VMs.

Execute After Reboot: Deploying malware that does nothing overtly suspicious until after a reboot.

Page 23

Extended Sleep Calls

Trojan Nap code calling the SleepEx method

Page 24

Time Trigger Malware

A snippet of Hastati code, highlighting a call to the GetLocalTime() method to determine the current time

Page 25

Malicious Downloader

Malicious JavaScript code making an HTTP request to a high-risk URL

Page 26

Hiding Processes

Deregistering from PsSetCreateProcessNotifyRoutine.

Page 27

Evasion Via Environment Detection Methods

Approach / How It Works

Correct Version Check: Many malicious files are set to execute only in certain versions of applications or operating systems, which may be absent from sandboxes.

Embedded iFrames: Using innocuous files to get past defenses and download a malicious payload. A common approach is hiding iframe HTML elements in an otherwise non-executable file, such as a GIF picture or Acrobat Flash.

DLL Loader: Requiring a specific, non-traditional loader to execute the DLL.

Page 28

Environment Specific Evasion

Malware Performing Application Version Checks

Page 29

Environment Specific Checks

Malicious iframe tag in a GIF file

Page 30

Evasion Via VMware Detection Methods

Approach / How It Works

VM System Service List Check: Malware checks for services unique to VMware, such as vmicheatbeat, vmci, vmdebug, vmmouse, vmscis, VMTools, vmware, vmx86, vmhgfs, and vmxnet.

Checking for Unique VMware Files: Looking for VMware files specific to that platform.

Looking for the VM comms port: Detecting the VMX port that VMware uses to communicate with its virtual machines.

Page 31

Checking for VMWare

Malware using the function RegOpenKeyExA() to check for VMware tools

Page 32

Checking for VMWare

Malware using GetFileAttributesA() to determine the presence of the VMware mouse driver
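The evasion tables above (human interaction, configuration-specific and VMware-specific checks) and the delta-vs-runtime point under Factor #4 share one defender-side consequence: a runtime monitor that records API calls can flag these probes as they happen, while a before/after snapshot diff sees only what is left on disk at the end. The Python below is an added example, not FireEye's code or anything from the deck; the trace line format, the sample trace, the 120-second sleep threshold and the API names not on the slides (SetWindowsHookExA, OpenServiceA, CreateFileA, DeleteFileA) are assumptions.

```python
import re

# Constructed sample trace (not from the deck); assumed one-call-per-line format:
#   "<ms since start> <api>(<args>) = <return>"
TRACE = """\
0 GetLocalTime() = 0
3 RegOpenKeyExA(HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools) = 0
5 GetFileAttributesA(C:\\Windows\\System32\\drivers\\vmmouse.sys) = 0x20
9 SleepEx(600000, 0) = 0
600012 MessageBoxExA(Click OK to view the document) = 1
600020 CreateFileA(C:\\Users\\x\\AppData\\Local\\Temp\\stage.tmp) = 0x1c
600031 DeleteFileA(C:\\Users\\x\\AppData\\Local\\Temp\\stage.tmp) = 1
600040 CreateFileA(C:\\Users\\x\\AppData\\Roaming\\upd.exe) = 0x20
"""
LINE = re.compile(r"^(\d+) (\w+)\((.*)\) = (\S+)$")
# Substrings of the VMware service, file and registry names listed on the slides.
VMWARE_MARKERS = ("vmware", "vmtools", "vmmouse", "vmhgfs", "vmci", "vmx86", "vmxnet")
LONG_SLEEP_MS = 120_000  # assumed: longer than a typical automated analysis window
# Deck APIs plus an assumed mouse-hook API and service API used by the same checks.
HUMAN_APIS = ("MessageBoxExA", "MessageBoxExW", "SetWindowsHookExA")
VM_PROBE_APIS = ("RegOpenKeyExA", "GetFileAttributesA", "OpenServiceA")

def parse(trace):
    """Return (timestamp_ms, api, args, ret) tuples; lines that do not match are skipped."""
    return [(int(m[1]), m[2], m[3], m[4])
            for m in map(LINE.match, trace.splitlines()) if m]

def evasion_indicators(events):
    """Map calls to the deck's evasion categories: {category: [api, ...]}."""
    hits = {}
    for _ts, api, args, _ret in events:
        if api in ("Sleep", "SleepEx") and int(args.split(",")[0]) >= LONG_SLEEP_MS:
            hits.setdefault("configuration:sleep", []).append(api)      # wait out the sandbox
        elif api in ("GetLocalTime", "GetSystemTime"):
            hits.setdefault("configuration:time-trigger", []).append(api)
        elif api in HUMAN_APIS:
            hits.setdefault("human-interaction", []).append(api)        # dialog box / click wait
        elif api in VM_PROBE_APIS and any(m in args.lower() for m in VMWARE_MARKERS):
            hits.setdefault("vmware-detection", []).append(api)         # registry/file/service probe
    return hits

def delta_view(events):
    """What a before/after snapshot diff reports: only files still present at the end."""
    present = set()
    for _ts, api, args, _ret in events:
        if api == "CreateFileA":
            present.add(args)
        elif api == "DeleteFileA":
            present.discard(args)   # a dropped-then-deleted stager vanishes from the delta
    return sorted(present)

def runtime_view(events):
    """Every file touched during execution, as a runtime monitor inside the VM sees it."""
    return sorted({a for _t, api, a, _r in events if api in ("CreateFileA", "DeleteFileA")})
```

On the sample trace the runtime view yields four evasion categories and two files, while the delta view reports a single surviving file and none of the probes that preceded it.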

Page 33

Conclusions and Recommendations

Page 34

Sandboxes: Conclusions

• File-based sandboxes are not effective in detecting advanced malware.

• Advanced attacks are stateful; understanding the context of the attack via multi-flow analysis is needed to fill the gap.

• Multi-flow and multi-vector correlation between sets of events is required to capture the behavior of advanced threats.

• The virtual execution environment must be hardened and obfuscated against advanced evasions.
– Many old malware families like Kelihos, PushDo and Poison Ivy have been resurrected with sandbox evasions
– A never-ending battle

Page 35

A Buyer’s Guide: Questions to Ask

1. What types of content get submitted for virtual/sandbox analysis? Do these types give full coverage of the threat vectors (web and JavaScript-based exploits in particular)?

2. What operating systems, applications and plug-ins (and what range of versions) are available in the sandbox to react with your content?

3. How is execution monitored? Is it simply by comparing a snapshot of the VM before and after execution?

4. What type of hypervisor is used? How would it resist VM-aware malware?

5. Do you have any issue with your business plans, patent applications, financials, customer details and business decisions being submitted to a cloud service?

6. How much time do you expect to spend tuning and administering the solution?

Page 36

About FireEye

Page 37

FireEye’s Technology: State of the Art Detection

[Figure: DETONATE (500,000 objects/hour) → ANALYZE (within VMs, across VMs) → CORRELATE (cross-enterprise). Vectors: Network, Email, Mobile, Files. Stages: Exploit, Callback, Malware Download, Lateral Transfer, Exfiltration.]

Page 38

FireEye Product Portfolio

[Figure: FireEye products (MVX, Threat Analytics Platform, Dynamic Threat Intelligence, Network Threat Prevention, Email Threat Prevention, Content Threat Prevention, Mobile Threat Prevention, Endpoint Threat Prevention) shown alongside SEG, IPS, SWG, MDM and host anti-virus.]

Page 39

Reimagined Security

Thank You