An Adversarial View of SaaS Malware Sandboxes


Post on 09-Jan-2017





An Adversarial View of SaaS Sandboxes
Jason Trost, Aaron Shelmire
Oct 17th 2015


whoami

Jason Trost
VP of Threat Research @ ThreatStream
Previously at Sandia, DoD, Booz Allen, Endgame Inc.
Background in Big Data Analytics, Security Research, and Machine Learning

Aaron Shelmire
Senior Threat Researcher @ ThreatStream
Previously at CERT, Secure Works CTU-SO, CMU
Background in Incident Response, Forensics, Security Research

Motivation

AV is Dead!
Threat Intelligence Feeds
You're going to tip off the adversary!!!
Everyone's going to know I'm compromised
Advanced Malware Detects Sandboxes!


Experiment
- Created sensors with unique CampaignIDs
- Encoded execution time and CampaignIDs in domain names
- Tornado HTTP app and BIND DNS servers
- Submitted to 29 free online sandboxes
- Watched traffic roll in

Sandboxes Tested
- Avira
- Comodo Instant Malware Analysis
- Comodo Valkyrie
- F-Secure Online Analysis
- Joe Sandbox Private
- File-analyzer.net
- Malwr.com
- NSI
- Payload Security
- ThreatExpert
- TotalHash
- ViCheck
- Cloud.vmray.com
- Ether.gtisc.gatech.edu
- ThreatTrack
- Anubic.iseclab.com
- Metascan-online
- Eureka-cyber-ta.org
- Microsoft portal
- Online.drweb.com
- uploadMalware
- VirusTotal
- Virusscan.jotti.org
- wepawet
- Virscan
- ViCheck
- ThreatStream's internal sandbox

Our Sensor
- Enumerate host
- Sockets-based comms
- Create Run key
- Delete Run key
- Exit process




Filenames:
- anyconnect-win-4.1.04011-k9.exe
- vpnagent.exe
- svchost.exe
- svch0st.exe
- lsass.exe


Exfil
- HTTP POST
- zlib compression
- base64 encoded

Worked pretty well, but...

Sensor C2: DNS Covert Channel
- Some sandboxes block TCP connections
- Most allow DNS unmodified
- zlib compression
- hex encode
- split data into chunks
- multiple DNS A requests
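The DNS channel above works because most sandboxes pass DNS through unmodified, which also makes it the place a sandbox operator (or any DNS log owner) can spot it. The following detector is an added example, not code from the talk: it scores each parent domain on how many distinct long, high-entropy hex labels were queried under it, the footprint that "hex encode, split into chunks, one A request per chunk" leaves in a resolver log. The query log, the thresholds and the `example.*` domains are constructed for the demonstration.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log (client IP, queried name). Not data from the talk.
# The last five entries mimic the scheme the slides describe: compressed data,
# hex encoded, split into chunks, one chunk per A query under a fixed parent domain.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.7", "cdn.example.net"),
    ("10.0.0.9", "789c4b4c4a4e4902004f1f0298.c2.example.org"),
    ("10.0.0.9", "0d0a2a2b2c2d2e2f3031323334.c2.example.org"),
    ("10.0.0.9", "3536373839616263646566ffee.c2.example.org"),
    ("10.0.0.9", "aabbccddeeff0011223344556677.c2.example.org"),
    ("10.0.0.9", "deadbeefcafebabe010203040506.c2.example.org"),
]

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")  # a data chunk shows up as a long hex run


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str, levels: int = 2) -> str:
    """Crude registrable parent: the last `levels` labels (no public-suffix list here)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-levels:])


def score_domains(queries, min_hex_chunks: int = 3, min_entropy: float = 2.5):
    """Per parent domain: number of distinct hex-looking leading labels, their mean
    entropy, and a verdict. Thresholds are assumed starting points, not tuned values."""
    stats = {}
    by_parent = defaultdict(list)
    for _client, qname in queries:
        by_parent[parent_domain(qname)].append(qname.lower().rstrip("."))
    for parent, names in by_parent.items():
        leading = {n.split(".")[0] for n in names}
        hex_chunks = {lbl for lbl in leading if HEX_LABEL.match(lbl)}
        mean_entropy = (
            sum(shannon_entropy(lbl) for lbl in hex_chunks) / len(hex_chunks)
            if hex_chunks else 0.0
        )
        stats[parent] = {
            "queries": len(names),
            "distinct_leading_labels": len(leading),
            "hex_chunks": len(hex_chunks),
            "mean_chunk_entropy": round(mean_entropy, 2),
            "suspicious": len(hex_chunks) >= min_hex_chunks and mean_entropy >= min_entropy,
        }
    return stats


if __name__ == "__main__":
    for parent, s in score_domains(SAMPLE_QUERIES).items():
        verdict = "SUSPICIOUS" if s["suspicious"] else "ok"
        print(f"{parent:16} queries={s['queries']:2} hex_chunks={s['hex_chunks']:2} "
              f"entropy={s['mean_chunk_entropy']:.2f} {verdict}")
```

In production the same scoring needs an allowlist: CDNs, anti-spam lookups and some telemetry products legitimately emit hash-like labels, so the verdict should be joined with the client that sent the queries and the parent domain's age or reputation before anyone acts on it.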

AV is Dead!

Is it?

What did AV think of our sensor?
At first...

Eventually
- VirusTotal: 6 samples
- Detection ranges from 8/57 to 30/57
- A lot of Trojan Zusy and Trojan Graftor
- More malicious as time went on

Sharing?
Yup, lots.
- Samples shared: evidence of new executions seen from different origins
- Domain names shared: previous executions' domains resolved later by other orgs, from different nameservers
- Some domains appear on threat intel lists
- Many orgs are trivially identified as security companies: every major AV company is represented in our DNS logs, plus several security product companies
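The sharing evidence above comes straight out of the experiment design: because each sensor encoded its CampaignID and execution time in the domain it resolved, every later lookup of that name from a resolver that was not the original sandbox is a record of the sample or the domain changing hands. This is an added example (not the talk's code) of that measurement. The label layout `c<campaign>t<unix-time-hex>`, the zone `sensor.example.net`, the resolver log format and the org names are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed label layout (the talk does not give its own): c<campaign-id>t<unix-time-hex>.<zone>
ZONE = "sensor.example.net"  # assumed canary zone, not the one used in the experiment
LABEL_RE = re.compile(r"^c([a-z0-9]+)t([0-9a-f]{8})$")


def encode_label(campaign_id: str, exec_time: datetime) -> str:
    """Build the canary hostname a sensor would resolve when it runs."""
    return f"c{campaign_id}t{int(exec_time.timestamp()):08x}.{ZONE}"


def decode_qname(qname: str):
    """Return (campaign_id, exec_time) for a canary name, None for anything else."""
    qname = qname.lower().rstrip(".")
    if not qname.endswith("." + ZONE):
        return None
    m = LABEL_RE.match(qname[: -len(ZONE) - 1])
    if not m:
        return None
    return m.group(1), datetime.fromtimestamp(int(m.group(2), 16), tz=timezone.utc)


def find_sharing(log_lines, grace: timedelta = timedelta(hours=1)):
    """Group resolver-log lines ("<iso-ts> <resolver-ip> <org> <qname>") by canary name.
    The org that resolved a name within `grace` of the encoded execution time is taken
    as the submitting sandbox; every lookup from any other org is sharing evidence."""
    lookups = defaultdict(list)
    for line in log_lines:
        ts, resolver_ip, org, qname = line.split()
        decoded = decode_qname(qname)
        if decoded is None:
            continue  # ordinary traffic, not one of our canaries
        lookups[qname].append((datetime.fromisoformat(ts), resolver_ip, org, decoded[1]))
    report = {}
    for qname, events in lookups.items():
        events.sort()
        exec_time = events[0][3]
        submitter = next((org for ts, _ip, org, _ in events if ts - exec_time <= grace), None)
        shared = [
            {"org": org, "resolver": ip,
             "days_after_exec": round((ts - exec_time) / timedelta(days=1), 1)}
            for ts, ip, org, _ in events if org != submitter
        ]
        report[qname] = {"submitter": submitter, "shared_with": shared}
    return report


# Constructed resolver log: two campaigns, one of which is plainly passed around.
EXEC_A = datetime(2015, 10, 1, 9, 30, 8, tzinfo=timezone.utc)
EXEC_B = datetime(2015, 10, 2, 14, 0, 0, tzinfo=timezone.utc)
CANARY_A = encode_label("a1", EXEC_A)
CANARY_B = encode_label("b7", EXEC_B)


def _line(when, ip, org, qname):
    return f"{when.isoformat()} {ip} {org} {qname}"


SAMPLE_LOG = [
    _line(EXEC_A + timedelta(seconds=5), "198.51.100.10", "sandbox-a", CANARY_A),
    _line(EXEC_A + timedelta(days=2), "203.0.113.7", "av-vendor-x", CANARY_A),
    _line(EXEC_A + timedelta(days=6, hours=3), "192.0.2.44", "security-co-y", CANARY_A),
    _line(EXEC_B + timedelta(seconds=12), "192.0.2.9", "sandbox-b", CANARY_B),
    _line(EXEC_B + timedelta(minutes=40), "192.0.2.9", "sandbox-b", CANARY_B),
    _line(EXEC_B + timedelta(hours=2), "198.51.100.99", "anyone", "www.example.org"),
]

if __name__ == "__main__":
    for name, r in find_sharing(SAMPLE_LOG).items():
        print(name, "submitted by", r["submitter"])
        for s in r["shared_with"]:
            print("   resolved by", s["org"], "via", s["resolver"], s["days_after_exec"], "days later")
```

Attributing the later resolvers to organisations is the step the talk describes as trivial for security companies; here the org column is assumed to come from an IP-to-org enrichment done before the log reaches this code.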

select timestamp::DATE, campaign_id, org, COUNT(1)
from network_activity
where host ILIKE ''
group by 1, 2, 3
order by 3, 1, 2;


Threat Intelligence Feeds

These 3 domains were associated with 3 different campaigns (data sharing is obvious here).

3 domains associated with this project showed up on commercial threat intelligence feeds.

None of the file hashes showed up.


Threat Intel vs the Sandbox IPs?
Of all the sandbox IPs that made valid POST requests to our server:
- 15 were also identified in some threat intelligence feeds as malicious
- 6 were TOR IPs
- 1 was an anonymous proxy
- All others were characterized as:
  - Bot IPs
  - Spammer IPs
  - Brute-force IPs
  - Scanning IPs
  - Compromised IPs (Hawkeye Keylogger, Dyre)
Interesting, but not surprising

Tipping off the adversary

Chart annotations: Monday Morning; 1st Submission; 2nd Submission; DNS C2

Check-In Activity

Chart annotations: Trend Micro + home hosts; Monday Morning (everyone checks in); Amazon + Google; DNS C2

Anomalous Spikes

Chart annotations: Many researchers; ipVanish IPs

Malware Detects Sandboxes

Sandbox detection features
- System services lists
- Processes: VBoxService (1), vmtools (8)
- MAC address: VMware, Inc. (55), Cadmus Computer Systems (40), ASUSTek COMPUTER INC. (23)
- BIOS: VMware (50), Bochs (34), ASUS (23), Google (8), Qemu (8)
- Disk size: 19.99GB (52), 25GB (37), 120GB (28), 50GB (20), 39GB (20)
- RAM: 1GB (92), 1.5GB (18), 512MB (10)
- Was the EXE renamed? sample.exe, malware.exe, ${md5}.exe

select data_parsed->'bios'->>'manufacturer', COUNT(1)
from c2_logs c
where data_parsed::TEXT != '{}'
  and (data_parsed->>'username'::TEXT) IS NOT NULL
group by 1 order by 2;

select (data_parsed->>'ram')::INTEGER/1024 as RAM, COUNT(1)
from c2_logs c
JOIN ip_metadata m ON (c.client_ip = m.ip)
where data_parsed::TEXT != '{}'
  and (data_parsed->>'username'::TEXT) IS NOT NULL
  and (data_parsed->>'ram')::INTEGER > 0
group by 1 order by 2;

-- MAC address OUI (first 8 characters), joined with ip_metadata
select SUBSTR(data_parsed->>'mac_addr', 0, 9), COUNT(1)
from c2_logs c
JOIN ip_metadata m ON (c.client_ip = m.ip)
where data_parsed::TEXT != '{}'
  and (data_parsed->>'username'::TEXT) IS NOT NULL
  and campaign_id NOT IN ('TEST', 'JT', 'OG')
group by 1 order by 2;

Way too Advanced!!!! - Virtual Machine Sharing
Many companies, but only a few virtual machines used!
- Same usernames
- Same hostnames
- Same disk size
- Same CPU count
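The three SQL queries above tally BIOS manufacturer, RAM and MAC OUI over the sensor check-ins; the "virtual machine sharing" finding is the same data grouped the other way, by the (username, hostname, disk size, CPU count) fingerprint, to see how many distinct organisations check in from one identical guest. As an added example, not the talk's own code, the block below does both over a handful of constructed records shaped like `c2_logs` rows (an `org` column standing in for the `ip_metadata` join). It applies the same filters the SQL does: empty `data_parsed` blobs and the `TEST`/`JT`/`OG` campaigns are dropped. The field names inside `data_parsed` beyond those the slides use (`hostname`, `disk_gb`, `cpu_count`) are assumptions.

```python
from collections import Counter, defaultdict

# Constructed check-in records shaped like c2_logs rows. Not data from the talk.
# Three different orgs report the same guest; one org reports a different one.
SAMPLE_LOGS = [
    {"client_ip": "198.51.100.10", "org": "sandbox-a", "campaign_id": "a1",
     "data_parsed": {"username": "admin", "hostname": "PC-01", "bios": {"manufacturer": "VMware"},
                     "ram": 1024, "disk_gb": 19.99, "cpu_count": 1, "mac_addr": "00:50:56:ab:cd:ef"}},
    {"client_ip": "203.0.113.7", "org": "av-vendor-x", "campaign_id": "a1",
     "data_parsed": {"username": "admin", "hostname": "PC-01", "bios": {"manufacturer": "VMware"},
                     "ram": 1024, "disk_gb": 19.99, "cpu_count": 1, "mac_addr": "00:50:56:12:34:56"}},
    {"client_ip": "192.0.2.44", "org": "security-co-y", "campaign_id": "b7",
     "data_parsed": {"username": "admin", "hostname": "PC-01", "bios": {"manufacturer": "VMware"},
                     "ram": 1024, "disk_gb": 19.99, "cpu_count": 1, "mac_addr": "00:50:56:99:88:77"}},
    {"client_ip": "192.0.2.9", "org": "sandbox-b", "campaign_id": "b7",
     "data_parsed": {"username": "john", "hostname": "DESKTOP-7Q2", "bios": {"manufacturer": "Bochs"},
                     "ram": 1536, "disk_gb": 25.0, "cpu_count": 2, "mac_addr": "08:00:27:11:22:33"}},
    # excluded by the same filters the SQL applies: a test campaign and an empty blob
    {"client_ip": "192.0.2.9", "org": "sandbox-b", "campaign_id": "TEST",
     "data_parsed": {"username": "john", "hostname": "DESKTOP-7Q2", "bios": {"manufacturer": "Bochs"},
                     "ram": 1536, "disk_gb": 25.0, "cpu_count": 2, "mac_addr": "08:00:27:11:22:33"}},
    {"client_ip": "198.51.100.99", "org": "unknown", "campaign_id": "a1", "data_parsed": {}},
]

EXCLUDED_CAMPAIGNS = {"TEST", "JT", "OG"}  # the slide's NOT IN (...) clause


def usable(rec) -> bool:
    """Mirror the SQL WHERE clause: non-empty blob, username present, real campaign."""
    d = rec["data_parsed"]
    return bool(d) and d.get("username") is not None and rec["campaign_id"] not in EXCLUDED_CAMPAIGNS


def bios_manufacturer(rec):
    return rec["data_parsed"].get("bios", {}).get("manufacturer")


def ram_gb(rec):
    # Rounded to one decimal so 1536MB shows as 1.5GB, as on the slide (the SQL's
    # integer division would fold it into 1GB).
    return round(rec["data_parsed"].get("ram", 0) / 1024, 1)


def mac_oui(rec):
    # Same 8-character prefix as SUBSTR(mac_addr, 0, 9) in the SQL
    return (rec["data_parsed"].get("mac_addr") or "")[:8]


def count_by(records, key_fn) -> Counter:
    """Counter of key_fn(record) over usable records: the SQL GROUP BY / COUNT(1)."""
    return Counter(key_fn(r) for r in records if usable(r))


def shared_images(records):
    """Fingerprint (username, hostname, disk size, CPU count) -> set of orgs that
    checked in with it; only fingerprints seen from more than one org are returned,
    each a candidate shared VM image."""
    orgs = defaultdict(set)
    for r in records:
        if not usable(r):
            continue
        d = r["data_parsed"]
        fp = (d.get("username"), d.get("hostname"), d.get("disk_gb"), d.get("cpu_count"))
        orgs[fp].add(r["org"])
    return {fp: o for fp, o in orgs.items() if len(o) > 1}


if __name__ == "__main__":
    print("bios:", dict(count_by(SAMPLE_LOGS, bios_manufacturer)))
    print("ram:", dict(count_by(SAMPLE_LOGS, ram_gb)))
    print("oui:", dict(count_by(SAMPLE_LOGS, mac_oui)))
    for fp, o in shared_images(SAMPLE_LOGS).items():
        print("shared image", fp, "seen from", sorted(o))
```

For a sandbox operator the useful reading is the reverse one: if the guest's username, hostname, disk size and CPU count match a fingerprint that dozens of other services also present, the sample does not need to detect virtualisation at all, it only needs to recognise the shared image, so those values are the cheapest ones to vary.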

Generic detection that 90% works: (CPU Count == 1 or Disk Size