SlideShare ist ein Scribd-Unternehmen logo
1 von 35
Downloaden Sie, um offline zu lesen
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1
Number of Malware Samples Per Day as per
Kaspersky Labs.
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 2
Why File Based SandBox..
• AV researchers need to be able to keep up
• Average Response time for Human Analysts
– 30 – 45 minutes Research.
– Not scalable
• Response time for File Based SandBox
– Normally couple of minutes
– Scalable with machines
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 3
Sand Box (VPC,.)
Kernel Trap
BehaviorInput Flow
Application Trap
SB Monitor
Design Architecture for a File Based Sandbox
SB Trap
SB - CPU
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 4
Hot Knives through Butter:
Bypassing File Based
Sandboxes
Abhishek Singh , Zheng Bu
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 5
Evasion techniques
• New Modern Trend: Human Interaction ..
– Trojan UpClicker (wrapper around Poison Ivy,)
– APT BaneChant
• Configuration
– Trojan Nap aka Khelios back from dead
• Classic Detection
– Checking for VM related processes.
– Yes malware are still using them.
• Environment Specific Evasions.
– Version Checks, Embedded Iframe
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 6
Human Interaction ..
• Hooking to a Mouse .. SetWindowsHookEx()
• Message Boxes ..
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 7
Assembly code for Mouse Hook Trojan UpClicker
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 8
Mouse Clicks
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 9
Human Interaction…
Message Box in a JavaScript
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 10
Configuration Specific Evasions
• Employ the configuration of a sandbox.
Limited time to execute,
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 11
Configuration Specific Evasion
• Extended Sleep calls …10 minute timeout here
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 12
Configuration Specific Evasion .. Sleep calls
Java Script
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 13
Configuration Specific Checks
• Time Trigger Malware.. Trojan Hastati
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 14
Configuration Specific Checks
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 15
Configuration Specific Evasion..Hiding
Processes
• Deregister from the PsSetCreateProcessNotifyRoutine.
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 16
Hiding Processes
• Deregister from the PsSetCreateProcessNotifyRoutine.
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 17
Classic Detection Techniques for Bypassing File
based SandBoxes.
• Enumerating List of services.
• Checking for Product ID keys.
• Checking for IO Port .
• Checking for processes and DLL specific to the File
based Sandboxes.
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 18
Processes Specific to File Based Sandboxes
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 19
Classic Techniques…. Yes Malwares are still using it.
Enumerating Processes and Services of a Virtualized
environment.
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 20
Enumerating processes and Services.
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 21
Do not Sleep Yet .. We have a Demo
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 22
Demo
• Trojan UpClicker….
Gets Activated only when left mouse button is clicked up.
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 23
Demo
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 24
Environment Specific Evasion
File Based Sandbox provides specific environment for
execution of a sample.
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 25
Environment Specific Evasion: Version Checks
• Application Version Checks
– Flash 0day exploit “LadyBoyle”, Feb 5th 2013
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 26
Environment Specific Evasion: Flash case
• Flash Player, Windows Viewer will not render Iframe Tags..
• Sandbox, by opening this file alone, can not reveal the attack
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 27
Environment Specific Evasion: GIF case
• 0x3b: End of GIF data stream
• Contextual information is needed to reveal this attack
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 28
Environment Specific: More Complicated Case
• It appears to be a harmless blog site
• Turned out to be a location of an object for the malware
to download
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 29
What’s hiding in this Cartoon Hero?
• After
endofimage,
comes FFD9,
which is
“Unknown
Padding”
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 30
What’s hiding in this Cartoon Hero?
• The malware extract the padding data and decrypt,
finally come up with the actual C&C msg, in the form of a
ini file.
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 31
Catch me if you can!
• While you are reading this, similar images may be flying
around in your network
• Isolated File Based Sandbox itself does NOT have the
environment to trigger malicious behaviors of these files
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 32
Performance of File based Sandboxes against
Anti Analysis Techniques…
Sandboxes Human
Interaction
Iframe
Flash/JPG
Sleep
Calls
V-Check IO
Ports
VM
Processes
Sandbox1 No No Yes No Yes Yes
Sandbox2 No No Yes No Yes Yes
Sandbox3 Yes No Yes No Yes Yes
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 33
Take Away
• File based sandboxes not effective in detecting advanced
malware.
–Designed as research tool, long way to go for prime time
–Most of the File Based Sandboxes can only provide an activity report, not
classification
–Most of the File Based Sandboxes are not hardened for advanced
malware analysis
• Virtual Execution Environment must be hardened &
obfuscated for advanced evasions
–Many old malware like Khelios, PushDo and Poison Ivy have resurrected
with sandbox evasions
–Many of the recent 0day attacks leverage these evasions as well
–A never ending battle
•
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 34
Take Away
•Advanced attacks are stateful, understanding the context
of the attack via multi-flow analysis are needed to fill the
gap
• Multi-flow & Multi-Vector correlation between set of events
is required to capture the behavior of the advanced threats.
Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 35
Q&A
• Follow the research blog:
– http://www.fireeye.com/blog/
• Follow us on twitter:
– https://twitter.com/FireEye

Weitere ähnliche Inhalte

Was ist angesagt?

CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectTamas K Lengyel
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat Security Conference
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
 
Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Cracking Into Embedded Devices - Hack in The Box Dubai 2008Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Cracking Into Embedded Devices - Hack in The Box Dubai 2008guest642391
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat Security Conference
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_finalPacSecJP
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnieZoltan Balazs
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCanSecWest
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat Security Conference
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented DefenceSensePost
 
Kali Linux - CleveSec 2015
Kali Linux - CleveSec 2015Kali Linux - CleveSec 2015
Kali Linux - CleveSec 2015TGodfrey
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationTamas K Lengyel
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure  BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
The Equation Group & Greyfish
The Equation Group & GreyfishThe Equation Group & Greyfish
The Equation Group & GreyfishLeonardo Antichi
 

Was ist angesagt? (20)

CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
 
Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Cracking Into Embedded Devices - Hack in The Box Dubai 2008Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Cracking Into Embedded Devices - Hack in The Box Dubai 2008
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_final
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on android
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented Defence
 
Kali Linux - CleveSec 2015
Kali Linux - CleveSec 2015Kali Linux - CleveSec 2015
Kali Linux - CleveSec 2015
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure  BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
 
The Equation Group & Greyfish
The Equation Group & GreyfishThe Equation Group & Greyfish
The Equation Group & Greyfish
 

Ähnlich wie US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides

Freeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFreeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFFRI, Inc.
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
 
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botGroup of company MUK
 
Derbycon Bromium Labs: Sandboxes
Derbycon Bromium Labs: SandboxesDerbycon Bromium Labs: Sandboxes
Derbycon Bromium Labs: SandboxesBromium Labs
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Juniper Networks
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsviaForensics
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_enSunghun Kim
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
Hack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical SandboxingHack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical SandboxingTom Keetch
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...AI Frontiers
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisOW2
 
Blackhat EU 2011 - Practical Sandboxing
Blackhat EU 2011 - Practical SandboxingBlackhat EU 2011 - Practical Sandboxing
Blackhat EU 2011 - Practical SandboxingTom Keetch
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensionsZoltan Balazs
 
Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud EnvironmentShapeBlue
 

Ähnlich wie US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides (20)

Freeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFreeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware Alive
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
 
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving bot
 
Derbycon Bromium Labs: Sandboxes
Derbycon Bromium Labs: SandboxesDerbycon Bromium Labs: Sandboxes
Derbycon Bromium Labs: Sandboxes
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
Hack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical SandboxingHack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical Sandboxing
 
Fwd Cloudsec 2022
Fwd Cloudsec 2022Fwd Cloudsec 2022
Fwd Cloudsec 2022
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known Vulnerabilities
 
Fortinet sandboxing
Fortinet sandboxingFortinet sandboxing
Fortinet sandboxing
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
 
Blackhat EU 2011 - Practical Sandboxing
Blackhat EU 2011 - Practical SandboxingBlackhat EU 2011 - Practical Sandboxing
Blackhat EU 2011 - Practical Sandboxing
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
 
Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud Environment
 

US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides

  • 1. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1 Number of Malware Samples Per Day as per Kaspersky Labs.
  • 2. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 2 Why File Based SandBox.. • AV researchers need to be able to keep up • Average Response time for Human Analysts – 30 – 45 minutes Research. – Not scalable • Response time for File Based SandBox – Normally couple of minutes – Scalable with machines
  • 3. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 3 Sand Box (VPC,.) Kernel Trap BehaviorInput Flow Application Trap SB Monitor Design Architecture for a File Based Sandbox SB Trap SB - CPU
  • 4. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 4 Hot Knives through Butter: Bypassing File Based Sandboxes Abhishek Singh , Zheng Bu
  • 5. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 5 Evasion techniques • New Modern Trend: Human Interaction .. – Trojan UpClicker (wrapper around Poison Ivy,) – APT BaneChant • Configuration – Trojan Nap aka Khelios back from dead • Classic Detection – Checking for VM related processes. – Yes malware are still using them. • Environment Specific Evasions. – Version Checks, Embedded Iframe
  • 6. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 6 Human Interaction .. • Hooking to a Mouse .. SetWindowsHookEx() • Message Boxes ..
  • 7. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 7 Assembly code for Mouse Hook Trojan UpClicker
  • 8. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 8 Mouse Clicks
  • 9. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 9 Human Interaction… Message Box in a JavaScript
  • 10. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 10 Configuration Specific Evasions • Employ the configuration of a sandbox. Limited time to execute,
  • 11. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 11 Configuration Specific Evasion • Extended Sleep calls …10 minute timeout here
  • 12. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 12 Configuration Specific Evasion .. Sleep calls Java Script
  • 13. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 13 Configuration Specific Checks • Time Trigger Malware.. Trojan Hastati
  • 14. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 14 Configuration Specific Checks
  • 15. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 15 Configuration Specific Evasion..Hiding Processes • Deregister from the PsSetCreateProcessNotifyRoutine.
  • 16. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 16 Hiding Processes • Deregister from the PsSetCreateProcessNotifyRoutine.
  • 17. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 17 Classic Detection Techniques for Bypassing File based SandBoxes. • Enumerating List of services. • Checking for Product ID keys. • Checking for IO Port . • Checking for processes and DLL specific to the File based Sandboxes.
  • 18. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 18 Processes Specific to File Based Sandboxes
  • 19. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 19 Classic Techniques…. Yes Malwares are still using it. Enumerating Processes and Services of a Virtualized environment.
  • 20. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 20 Enumerating processes and Services.
  • 21. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 21 Do not Sleep Yet .. We have a Demo
  • 22. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 22 Demo • Trojan UpClicker…. Gets Activated only when left mouse button is clicked up.
  • 23. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 23 Demo
  • 24. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 24 Environment Specific Evasion File Based Sandbox provides specific environment for execution of a sample.
  • 25. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 25 Environment Specific Evasion: Version Checks • Application Version Checks – Flash 0day exploit “LadyBoyle”, Feb 5th 2013
  • 26. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 26 Environment Specific Evasion: Flash case • Flash Player, Windows Viewer will not render Iframe Tags.. • Sandbox, by opening this file alone, can not reveal the attack
  • 27. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 27 Environment Specific Evasion: GIF case • 0x3b: End of GIF data stream • Contextual information is needed to reveal this attack
  • 28. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 28 Environment Specific: More Complicated Case • It appears to be a harmless blog site • Turned out to be a location of an object for the malware to download
  • 29. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 29 What’s hiding in this Cartoon Hero? • After endofimage, comes FFD9, which is “Unknown Padding”
  • 30. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 30 What’s hiding in this Cartoon Hero? • The malware extract the padding data and decrypt, finally come up with the actual C&C msg, in the form of a ini file.
  • 31. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 31 Catch me if you can! • While you are reading this, similar images may be flying around in your network • Isolated File Based Sandbox itself does NOT have the environment to trigger malicious behaviors of these files
  • 32. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 32 Performance of File based Sandboxes against Anti Analysis Techniques… Sandboxes Human Interaction Iframe Flash/JPG Sleep Calls V-Check IO Ports VM Processes Sandbox1 No No Yes No Yes Yes Sandbox2 No No Yes No Yes Yes Sandbox3 Yes No Yes No Yes Yes
  • 33. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 33 Take Away • File based sandboxes not effective in detecting advanced malware. –Designed as research tool, long way to go for prime time –Most of the File Based Sandboxes can only provide an activity report, not classification –Most of the File Based Sandboxes are not hardened for advanced malware analysis • Virtual Execution Environment must be hardened & obfuscated for advanced evasions –Many old malware like Khelios, PushDo and Poison Ivy have resurrected with sandbox evasions –Many of the recent 0day attacks leverage these evasions as well –A never ending battle •
  • 34. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 34 Take Away •Advanced attacks are stateful, understanding the context of the attack via multi-flow analysis are needed to fill the gap • Multi-flow & Multi-Vector correlation between set of events is required to capture the behavior of the advanced threats.
  • 35. Copyright (c) 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 35 Q&A • Follow the research blog: – http://www.fireeye.com/blog/ • Follow us on twitter: – https://twitter.com/FireEye