Stealthy, Hypervisor-based Malware Analysis


Upload: tamas-k-lengyel

Post on 10-Jan-2017

TRANSCRIPT

Tamas K Lengyel@tklengyel

Stealthy,
Hypervisor-based Malware Analysis

#whoami

Open source enthusiast

Maintainer of Xen, LibVMI and DRAKVUF

PhD from UConn: Malware Collection and Analysis via Hardware Virtualization

Agenda

Motivation

Anti-sandbox tricks

Using a hypervisor for monitoring

Mo problems!

Fixing the problems

Mo problems!

Conclusion

An early warning

This presentation will get technical

Don't be afraid of the assembly

Don't worry if some of it makes no sense

Sandboxes & honeypots

Let's just see what happens

Most of our tools for observing software at run-time are built with an assumption that misbehavior is accidental

Debuggers

Stealth

Debuggers were not designed to be stealthy

Debugged process can detect the debugger

Observer effect

Strings in MultiPlug

$:hash:procexp.exe
$:hash:procmon.exe
$:hash:processmonitor.exe
$:hash:wireshark.exe
$:hash:fiddler.exe
$:hash:vmware.exe
$:hash:vmware-authd.exe
$:hash:windbg.exe
$:hash:ollydbg.exe
$:hash:winhex.exe
$:hash:processhacker.exe
$:hash:hiew32.exe
$:hash:vboxtray.exe
$:hash:vboxservice.exe
$:hash:vmwaretray.exe
$:hash:vmwareuser.exe

Some other popular strings

CheckRemoteDebuggerPresent
IsDebuggerPresent
VIRTUALBOX
VBoxGuestAdditions
QEMU
Prod_VMware_Virtual_
XenVMM
MALTEST
TEQUILABOOMBOOM
VIRUS
MALWARE
SANDBOX
WinDbgFrameClass
\\SAMPLE

https://github.com/Yara-Rules/rules/blob/master/antidebug_antivm.yar

AntiCuckoo

Detect & crash the Cuckoo process

Ouch..

Real malware would probably just falsify the results to not stand out..

https://github.com/David-Reguera-Garcia-Dreg/anticuckoo

..or not: HackedTeam

https://github.com/hackedteam/scout-win/blob/master/core-scout-win32/antivm.cpp

Improving Stealth #1

Move the monitoring component into the kernel

Windows doesn't like it if you just randomly hook stuff (PatchGuard)

What about rootkits?

Rootkit problem 2014

http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2014.pdf

Rootkit problem 2015

http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-aug-2015.pdf

That's only about 0.36% of all malware observed by McAfee

Rootkit problem?

Based on these numbers rootkits may seem to be not that big of a deal

High cost of development may mean you don't use one unless you have to

Or are we just bad at detecting them?

Improving Stealth #2

Move the monitoring component into a hypervisor

Harder to detect

Greater visibility

Harder to develop

Emulation vs. virtualization

Emulation

Pro:
- Easier to monitor

Con:
- Easy to detect
- Easy to get it wrong
- Unlikely in production environment

How to start the malware?

Our goal is to do everything without the need of an in-guest agent

No startup scripts, no client process

Straight up memory and CPU manipulation can get us what we need!

Done?

Nope

Malware can detect if it's running in a virtualized environment

Hypervisors were not designed to be stealthy either

Pafish

https://github.com/a0rtega/pafish

CPUID hypervisor guest status

/* pafish check: CPUID leaf 1, ECX bit 31 is the "hypervisor present" flag */
static inline int cpuid_hv_bit() {
    int eax = 0x01;   /* leaf to query; cpuid overwrites eax, so it is read-write */
    int ecx;
    __asm__ volatile("cpuid"
                     : "+a"(eax), "=c"(ecx)
                     :
                     : "ebx", "edx");   /* cpuid also writes ebx and edx */
    return (ecx >> 31) & 0x1;
}

CPUID hypervisor guest status

cpuid = ['0x1:ecx=0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx']

xl.cfg cpuid policy: one character per bit, most significant bit first, so the leading 0 forces bit 31 of leaf 1 ECX (the hypervisor-present flag) to 0 and the x's leave the remaining bits as they are

The fix verified
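Added example (not from the slides, from Xen or from pafish): a small C program that applies a cpuid policy entry like the one above to a register value the way xl.cfg describes it (one character per bit, bit 31 first; '0' forces the bit clear, '1' sets it; 'x', 'k' and 's' leave it alone, which this example treats as a single case), then runs pafish's bit-31 test on the result. The parser, the helper names and the sample ECX value are constructed for the example; the policy string is the slide's entry spelled out as adjacent literals so its 32 characters can be counted.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The xl.cfg entry from the slide: leaf 0x1, register ECX, bit 31 forced to 0,
 * the other 31 bits left alone.  Adjacent literals make the 32-character
 * length of the bit string visible. */
#define HV_HIDE_POLICY "0x1:ecx=" "0" "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx" "x"

struct cpuid_policy {
    uint32_t leaf;
    char     reg[4];    /* "eax", "ebx", "ecx" or "edx" */
    char     bits[33];  /* 32 policy characters, bit 31 first, NUL-terminated */
};

/* Parse one "leaf:reg=bits" entry.  Returns 0 on success, -1 if malformed.
 * Minimal reimplementation written for this example, not Xen's own parser. */
static int parse_cpuid_policy(const char *entry, struct cpuid_policy *p)
{
    const char *colon = strchr(entry, ':');
    const char *eq    = strchr(entry, '=');
    char *end = NULL;
    unsigned long leaf;

    if (!colon || !eq || eq - colon != 4)          /* exactly 3 register chars */
        return -1;
    if (strlen(eq + 1) != 32)                       /* one character per bit */
        return -1;
    leaf = strtoul(entry, &end, 0);                 /* "0x1" -> 1 */
    if (end == entry || end != colon)
        return -1;
    for (int i = 0; i < 32; i++) {
        char c = eq[1 + i];
        if (c != '0' && c != '1' && c != 'x' && c != 'k' && c != 's')
            return -1;
    }

    p->leaf = (uint32_t)leaf;
    memcpy(p->reg, colon + 1, 3);
    p->reg[3] = '\0';
    memcpy(p->bits, eq + 1, 32);
    p->bits[32] = '\0';
    return 0;
}

/* Apply the 32 policy characters to the value the hypervisor would otherwise
 * expose.  '0' clears the bit, '1' sets it; 'x', 'k' and 's' keep it (Xen
 * distinguishes those three for save/restore purposes; this example does not).
 * Character 0 of the string is bit 31. */
static uint32_t apply_policy_bits(const char *bits, uint32_t value)
{
    for (int i = 0; i < 32; i++) {
        uint32_t mask = 1u << (31 - i);
        if (bits[i] == '0')
            value &= ~mask;
        else if (bits[i] == '1')
            value |= mask;
    }
    return value;
}

/* pafish's check, factored to run on a supplied ECX instead of a live CPUID:
 * bit 31 of leaf 1 ECX is the "hypervisor present" flag. */
static int hv_bit_from_ecx(uint32_t ecx)
{
    return (ecx >> 31) & 0x1;
}

/* Leaf 1 ECX as the guest would see it once the policy is applied.  Returns the
 * input unchanged if the entry is malformed or is not a leaf-1 ECX policy. */
static uint32_t guest_ecx_after_policy(const char *entry, uint32_t real_ecx)
{
    struct cpuid_policy p;
    if (parse_cpuid_policy(entry, &p) != 0 || p.leaf != 1 || strcmp(p.reg, "ecx") != 0)
        return real_ecx;
    return apply_policy_bits(p.bits, real_ecx);
}

int main(void)
{
    /* Constructed sample: leaf 1 ECX with the hypervisor bit (31) set next to a
     * few feature bits, roughly what an HVM guest reports before the fix. */
    uint32_t real_ecx = 0x80202001u;
    uint32_t masked   = guest_ecx_after_policy(HV_HIDE_POLICY, real_ecx);

    printf("policy: %s\n", HV_HIDE_POLICY);
    printf("ecx before: 0x%08x  hypervisor bit = %d\n", real_ecx, hv_bit_from_ecx(real_ecx));
    printf("ecx after:  0x%08x  hypervisor bit = %d\n", masked, hv_bit_from_ecx(masked));
    return hv_bit_from_ecx(masked);   /* exit 0 once the guest can no longer see the flag */
}
```

The same helper lets you sanity-check any other entry you put in the clone's config before booting it: a malformed bit string or an entry for the wrong register leaves the value untouched, which is exactly the situation in which the guest would still see the flag.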

60GB free disk space?

LVM copy-on-write allows us to quickly deploy lightweight duplicates

Analysis clones will only use extra space if they change files

And only as much space as they actually changed

The fix verified

Uptime check

#include <windows.h>

/* pafish generic sandbox check: uptime below ~12 minutes (0xAFE74 ms = 720,500 ms) */
int gensandbox_uptime() {
    return GetTickCount() < 0xAFE74 ? TRUE : FALSE;
}

Uptime check

Let your VM sit idle for a while, take memory snapshot

Start each analysis clone by loading this memory snapshot

Could also just return fake value

The fix verified

Memory size check

Who uses a machine with TAbort-