An Adversarial View of SaaS Malware Sandboxes


Post on 09-Jan-2017




An Adversarial View of SaaS Sandboxes
Jason Trost, Aaron Shelmire
Oct 17th 2015

whoami

Jason Trost: VP of Threat Research @ ThreatStream. Previously at Sandia, DoD, Booz Allen, Endgame Inc. Background in Big Data Analytics, Security Research, and Machine Learning.

Aaron Shelmire: Senior Threat Researcher @ ThreatStream. Previously at CERT, Secure Works CTU-SO, CMU. Background in Incident Response, Forensics, Security Research.

Motivation

- "AV is Dead!"
- Threat Intelligence Feeds
- "You're going to tip off the adversary!!!" / "Everyone's going to know I'm compromised"
- "Advanced Malware Detects Sandboxes!"

Experiment

- Created sensors with unique CampaignIDs
- Encoded execution time and CampaignIDs in domain names
- Tornado HTTP app and BIND DNS servers
- Submitted to 29 free online sandboxes
- Watched the traffic roll in

Sandboxes Tested

Avira; Comodo Instant Malware Analysis; Comodo Valkyrie; F-Secure Online Analysis; Joe Sandbox Private; File-analyzer.net; Malwr.com; NSI; Payload Security; ThreatExpert; TotalHash; ViCheck; Cloud.vmray.com; Ether.gtisc.gatech.edu; ThreatTrack; Anubis.iseclab.com; Metascan-online; Eureka-cyber-ta.org; Microsoft portal; Online.drweb.com; uploadMalware; VirusTotal; Virusscan.jotti.org; wepawet; Virscan; ViCheck; ThreatStream's internal sandbox.

Our Sensor

- Enumerate host
- Sockets-based comms
- Create Run key
- Delete Run key
- Exit process

NO REMOTE ACCESS CAPABILITY

APT TTP OMG!

Filenames: anyconnect-win-4.1.04011-k9.exe, vpnagent.exe, svchost.exe, svch0st.exe, lsass.exe

Sensor C2: HTTP POST

- Exfil over HTTP POST
- zlib compression
- base64 encoded

Worked pretty well, but...

Sensor C2: DNS Covert Channel

- Some sandboxes block TCP connections
- Most allow DNS unmodified
- zlib compression
- hex encode
- split data into chunks
- multiple DNS A requests

AV is Dead! Is it?

What did AV think of our sensor? At first, nothing. Eventually:
- VirusTotal: 6 samples
- Detection ranges from 8/57 to 30/57
- A lot of Trojan Zusy and Trojan Graftor
- More malicious as time went on

Sharing?

Yup, lots.
- Samples shared: evidence of new executions seen from different origins
- Domain names shared: domains from previous executions were resolved later by other orgs, from different nameservers; some domains appear on threat intel lists
- Many orgs are trivially identified as security companies: every major AV company is represented in our DNS logs, as are several security product companies

    select timestamp::DATE, campaign_id, org, COUNT(1)
    from network_activity
    where host ILIKE ''
    group by 1, 2, 3
    order by 3, 1, 2;

Threat Intelligence Feeds

- These 3 domains were associated with 3 different campaigns (data sharing is obvious here)
- 3 domains associated with this project showed up on commercial threat intelligence feeds
- None of the file hashes showed up

Threat Intel vs the Sandbox IPs?

Of all the sandbox IPs that made valid POST requests to our server:
- 15 were also identified in some threat intelligence feeds as malicious
- 6 were TOR IPs
- 1 was an anonymous proxy
- All others were characterized as: bot IPs, spammer IPs, brute-force IPs, scanning IPs, compromised IPs (Hawkeye Keylogger, Dyre)

Interesting, but not surprising.

Tipping off the adversary

Check-in activity (chart annotations): Monday morning; 1st submission; 2nd submission; DNS C2; Trend Micro + home hosts; Monday morning everyone checks in; Amazon + Google.

Anomalous spikes (chart annotations): many researchers; ipVanish IPs.

Malware Detects Sandboxes

Sandbox detection features (counts are the number of check-ins showing each value):
- System services lists
- Processes: VBoxService (1), vmtools (8)
- MAC address: VMware, Inc. (55), Cadmus Computer Systems (40), ASUSTek COMPUTER INC. (23)
- BIOS: VMware (50), Bochs (34), ASUS (23), Google (8), Qemu (8)
- Disk size: 19.99GB (52), 25GB (37), 120GB (28), 50GB (20), 39GB (20)
- RAM: 1GB (92), 1.5GB (18), 512MB (10)
- Was the EXE renamed? sample.exe, malware.exe, ${md5}.exe

    -- BIOS manufacturer per check-in
    select data_parsed->'bios'->>'manufacturer', COUNT(1)
    from c2_logs c
    where data_parsed::TEXT != '{}'
      and (data_parsed->>'username'::TEXT) IS NOT NULL
    group by 1
    order by 2;

    -- RAM in GB per check-in, joined with IP metadata
    select (data_parsed->>'ram')::INTEGER / 1024 as RAM, COUNT(1)
    from c2_logs c
    JOIN ip_metadata m ON (c.client_ip = m.ip)
    where data_parsed::TEXT != '{}'
      and (data_parsed->>'username'::TEXT) IS NOT NULL
      and (data_parsed->>'ram')::INTEGER > 0
    group by 1
    order by 2;

    -- MAC address OUI (first 8 characters) per check-in, joined with IP metadata;
    -- our own test campaigns are excluded
    select SUBSTR(data_parsed->>'mac_addr', 0, 9), COUNT(1)
    from c2_logs c
    JOIN ip_metadata m ON (c.client_ip = m.ip)
    where data_parsed::TEXT != '{}'
      and (data_parsed->>'username'::TEXT) IS NOT NULL
      and campaign_id NOT IN ('TEST', 'JT', 'OG')
    group by 1
    order by 2;

Way too Advanced!!!! - Virtual Machine Sharing

Many companies, but only a few virtual machines used!
- Same usernames
- Same hostnames
- Same disk size
- Same CPU count

Generic detection that 90% works: ( CPU Count == 1 or Disk Size 
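The DNS covert channel the sensor used (zlib-compressed, hex-encoded data split into chunks and carried as the leading label of many A queries) leaves a footprint a resolver-log consumer can spot without decoding anything. The detector below is an added example, not code from the talk or from ThreatStream; the log line format, the hex labels and the parent domain sensor-example.test are all constructed for the example, and the thresholds (16 hex digits per label, 4 distinct chunks per client and parent domain) are assumptions to tune.

```python
import re
from collections import defaultdict

# Constructed resolver log lines, "<timestamp> <client_ip> <qname> <qtype>".
# The hex labels and sensor-example.test are made up for this example.
SAMPLE_LOG = """\
2015-10-17T09:00:01 10.0.0.5 www.example.com A
2015-10-17T09:00:02 10.0.0.5 mail.example.net A
2015-10-17T09:00:03 10.0.0.7 789c4b4c4a4e4a4c4e4b4c4a4e000000.c01.sensor-example.test A
2015-10-17T09:00:03 10.0.0.7 0f3a9bc2d41e7781ab0c55e9f0127bd3.c01.sensor-example.test A
2015-10-17T09:00:04 10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.c01.sensor-example.test A
2015-10-17T09:00:04 10.0.0.7 deadbeef00112233445566778899aabb.c01.sensor-example.test A
2015-10-17T09:00:05 10.0.0.7 cafebabe99887766554433221100ffee.c01.sensor-example.test A
2015-10-17T09:00:06 10.0.0.9 0123456789abcdef.static.example.org A
"""

# A leading label of 16+ hex digits (8+ bytes of payload) is a candidate chunk.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")


def parse_line(line):
    """Split a log line into its four fields; None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def find_dns_chunk_channels(lines, min_chunks=4):
    """Group chunk-like A queries by (client, parent domain) and report groups with
    at least min_chunks distinct labels: enough to carry a payload split across
    several requests. A lone hex-looking CDN label stays below the threshold."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "A":
            continue
        label, _, parent = rec["qname"].partition(".")
        if parent and HEX_LABEL.match(label):
            groups[(rec["client"], parent)].append(label)
    report = {}
    for key, labels in groups.items():
        unique = set(labels)
        if len(unique) >= min_chunks:
            report[key] = {"queries": len(labels), "unique_chunks": len(unique),
                           "payload_bytes": sum(len(x) // 2 for x in unique)}
    return report
```

Running find_dns_chunk_channels(SAMPLE_LOG.splitlines()) flags only 10.0.0.7 against c01.sensor-example.test (5 chunks, 80 payload bytes); the single hex-looking label under static.example.org is not reported.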