stealthy, hypervisor-based malware analysis
TRANSCRIPT
Tamas K Lengyel (@tklengyel)
Stealthy,
Hypervisor-based Malware Analysis
#whoami
Open source enthusiast
Maintainer of Xen, LibVMI and DRAKVUF
PhD from UConn: Malware Collection and Analysis via Hardware Virtualization
Agenda
Motivation
Anti-sandbox tricks
Using a hypervisor for monitoring
Mo problems!
Fixing the problems
Mo problems!
Conclusion
An early warning
This presentation will get technical
Don't be afraid of the assembly
Don't worry if some of it makes no sense
Sandboxes & honeypots
Let's just see what happens
Most of our tools for observing software at run-time are built on the assumption that misbehavior is accidental
Debuggers
Stealth
Debuggers were not designed to be stealthy
Debugged process can detect the debugger
Observer effect
Strings in MultiPlug
$:hash:procexp.exe
$:hash:procmon.exe
$:hash:processmonitor.exe
$:hash:wireshark.exe
$:hash:fiddler.exe
$:hash:vmware.exe
$:hash:vmware-authd.exe
$:hash:windbg.exe
$:hash:ollydbg.exe
$:hash:winhex.exe
$:hash:processhacker.exe
$:hash:hiew32.exe
$:hash:vboxtray.exe
$:hash:vboxservice.exe
$:hash:vmwaretray.exe
$:hash:vmwareuser.exe
Some other popular strings
CheckRemoteDebuggerPresent
IsDebuggerPresent
VIRTUALBOX
VBoxGuestAdditions
QEMU
Prod_VMware_Virtual_
XenVMM
MALTEST
TEQUILABOOMBOOM
VIRUS
MALWARE
SANDBOX
WinDbgFrameClass
\\SAMPLE
https://github.com/Yara-Rules/rules/blob/master/antidebug_antivm.yar
AntiCuckoo
Detect & crash the Cuckoo process
Ouch..
Real malware would probably just falsify the results to not stand out..
https://github.com/David-Reguera-Garcia-Dreg/anticuckoo
..or not: HackedTeam
https://github.com/hackedteam/scout-win/blob/master/core-scout-win32/antivm.cpp
Improving Stealth #1
Move the monitoring component into the kernel
Windows doesn't like it if you just randomly hook stuff (PatchGuard)
What about rootkits?
Rootkit problem 2014
http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2014.pdf
Rootkit problem 2015
http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-aug-2015.pdf
That's only about 0.36% of all malware observed by McAfee
Rootkit problem?
Based on these numbers, rootkits may not seem like a big deal
High cost of development may mean you don't use one unless you have to
Or are we just bad at detecting them?
Improving Stealth #2
Move the monitoring component into a hypervisor
Harder to detect
Greater visibility
Harder to develop
Emulation vs. virtualization
Emulation Pro:
- Easier to monitor
Emulation Con:
- Easy to detect
- Easy to get it wrong
- Unlikely in a production environment
How to start the malware?
Our goal is to do everything without the need of an in-guest agent
No startup scripts, no client process
Straight up memory and CPU manipulation can get us what we need!
Done?
Nope
Malware can detect if it's running in a virtualized environment
Hypervisors were not designed to be stealthy either
Pafish
https://github.com/a0rtega/pafish
CPUID hypervisor guest status
static inline int cpuid_hv_bit() {
    int ecx;
    /* CPUID leaf 1: bit 31 of ECX is the "hypervisor present" bit.
       cpuid also overwrites EBX and EDX, so declare them as clobbered. */
    __asm__ volatile("cpuid"
                     : "=c"(ecx)
                     : "a"(0x01)
                     : "ebx", "edx");
    return (ecx >> 31) & 0x1;
}
CPUID hypervisor guest status
cpuid = ['0x1:ecx=0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx']
The fix verified
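To show how the xl.cfg entry above maps onto what the guest actually observes, here is an added C example (not code from the talk, from pafish or from Xen). It applies the 32-character Xen cpuid bit-string to a constructed host ECX value and reports the hypervisor bit a guest would read; the function names, the constructed host value and the treatment of 'x' as plain pass-through (real Xen applies its default policy for 'x') are assumptions of this example. On an x86-64 build it also reads the live leaf-1 ECX, so the same program can be run inside the clone to confirm the mask took effect.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CPUID leaf 1, ECX bit 31: the "hypervisor present" bit that pafish reads. */
#define HV_PRESENT_BIT 31

/* The xl.cfg entry from the slide, written as concatenated literals so the
 * 32-character bit-string ('0' followed by 31 'x') is easy to count. */
#define XEN_CPUID_ENTRY "0x1:ecx=" "0" "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx" "x"

/* Extract the hypervisor-present bit from a leaf-1 ECX value. */
int hv_bit_from_ecx(uint32_t ecx)
{
    return (int)((ecx >> HV_PRESENT_BIT) & 0x1u);
}

/*
 * Apply a Xen cpuid bit-string to a host register value.  The string has
 * 32 characters, most significant bit first: '0' forces the bit to 0,
 * '1' forces it to 1, and 'x' / 'k' / 's' leave it as the host reports it
 * (assumption: 'x' modelled as pass-through; Xen applies its default policy).
 * Returns 0 on success, -1 if the string is malformed.
 */
int apply_cpuid_mask(const char *bits, uint32_t host, uint32_t *out)
{
    if (bits == NULL || strlen(bits) != 32)
        return -1;
    uint32_t val = host;
    for (int i = 0; i < 32; i++) {
        uint32_t m = 1u << (31 - i);      /* first character is bit 31 */
        switch (bits[i]) {
        case '0': val &= ~m; break;
        case '1': val |= m;  break;
        case 'x': case 'k': case 's': break;
        default:  return -1;
        }
    }
    *out = val;
    return 0;
}

/* Find the bit-string for <reg> in an entry shaped "leaf:reg=bits"
 * (assumption: one register per entry, as on the slide). */
const char *xen_entry_bits(const char *entry, const char *reg)
{
    const char *p = strstr(entry, reg);
    size_t n = strlen(reg);
    if (p == NULL || p[n] != '=')
        return NULL;
    return p + n + 1;
}

/* Given a host leaf-1 ECX, return the hypervisor bit a guest would observe
 * under the entry, or -1 if the entry cannot be parsed. */
int guest_sees_hypervisor(const char *entry, uint32_t host_ecx)
{
    uint32_t guest_ecx;
    const char *bits = xen_entry_bits(entry, "ecx");
    if (bits == NULL || apply_cpuid_mask(bits, host_ecx, &guest_ecx) != 0)
        return -1;
    return hv_bit_from_ecx(guest_ecx);
}

#if defined(__x86_64__)
/* Live read of leaf 1 with all four output registers declared, so the
 * compiler knows EBX and EDX are overwritten. */
uint32_t read_leaf1_ecx(void)
{
    uint32_t eax = 1, ebx, ecx, edx;
    __asm__ volatile("cpuid" : "+a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx));
    (void)ebx; (void)edx;
    return ecx;
}
#endif

int main(void)
{
    /* Constructed host value: arbitrary feature bits with bit 31 set. */
    uint32_t host_ecx = 0xFFFA3203u;
    printf("host hypervisor bit : %d\n", hv_bit_from_ecx(host_ecx));
    printf("guest hypervisor bit: %d\n", guest_sees_hypervisor(XEN_CPUID_ENTRY, host_ecx));
#if defined(__x86_64__)
    printf("this machine's bit  : %d\n", hv_bit_from_ecx(read_leaf1_ecx()));
#endif
    return 0;
}
```

Only bit 31 is touched by the '0' in the first position; every other leaf-1 feature bit passes through unchanged, which is why the guest keeps working normally after the mask is applied.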
60GB free disk space?
LVM copy-on-write allows us to quickly deploy lightweight duplicates
Analysis clones will only use extra space if they change files
And only as much space as they actually changed
The fix verified
Uptime check
int gensandbox_uptime() {
    /* < ~12 minutes */
    return GetTickCount() < 0xAFE74 ? TRUE : FALSE;
}
Uptime check
Let your VM sit idle for a while, take memory snapshot
Start each analysis clone by loading this memory snapshot
Could also just return fake value
The fix verified
Memory size check
Who uses a machine with TAbort-