Nitty Gritty of Sandbox Evasion March 2014
Reimagined Security
EVOLUTION OF EVASION
HOW TO DETECT ADVANCED ATTACKS
EVASION METHODS
RECOMMENDATIONS
The Evolution of Evasion
Evasion is Working Around the Enterprise in 243 Days
• 243 days: median number of days attackers are present on a victim network before detection (timeline: initial breach, threat undetected at 3, 6 and 9 months, remediation)
• [percentage missing in transcript] of companies learned they were breached from an external entity
• [percentage missing in transcript] of victims had up-to-date anti-virus signatures
Source: M-Trends Report
The Malware Lifespan: Two Hours
[Chart: Malware Samples (y-axis, 0 to 350,000) against Hours (x-axis, 0 to 7), one series for 2012 and one for 2013]
Source: FireEye Labs
Malware in the Wild
• [percentage missing in transcript] of malware only exists once
• [percentage missing in transcript] of malware disappears after one hour
Know Thy Adversary
Attack stages: exploit an application or OS vulnerability → malware download → callback to command & control → lateral spread → data exfiltration
• Exploit detection is critical
• Every stage after the exploit can be hidden or obfuscated
Sample Impact: High-Tech
Top APT Business Impact
• Backdoor.APT.Gh0stRAT (40%) and Backdoor.APT.DarkComet (40%): Remote Access Tools (RATs) that lead to loss of intellectual property, trade secrets and sensitive internal communication.
Top Crimeware Business Impact
• Malware.Binary (67%): never-seen-before malware; signature-based protection is defenceless.
• Exploit.Kit.Neutrino (67%): infection with several types of malware that steal credentials or restrict access to the computer and demand a ransom.
FireEye PoV: 18 customers, 100% compromised, 28% had APT
[Table: Max and Average (Per Week) for Web Exploit, Malware Download, Unique Malware, Unique Callback and Impacted Hosts; the values survive in the transcript without their row and column positions: 1.46, 8.66, 41486.9, 43022.5, 86.92, 3011.14, 198.9, 12.9, 2708.9, 2629.8]
File-Based Sandbox To the Rescue?
• Average response time for human analysts
– 30 to 45 minutes
– Not scalable
• Response time for a file-based sandbox
– Normally a couple of minutes
– Scales with machines
• Problem: file-based sandboxes are not effective in detecting advanced malware
– Designed as a research tool; a long way to go for prime time
– Most file-based sandboxes are not hardened for advanced malware analysis
What is Required?
An automated analysis system with advanced correlation of:
• Static analysis
• Network
• Behavior
How to Detect Advanced Attacks
Detect the Exploit At the Point of Attack
In advanced attacks like Operation Aurora, the exploit is the key that unlocks the whole attack:
1. JavaScript exploit code on a web page, which decodes
2. An encoded executable, which reveals
3. Previously unknown C&C servers
• The payload is not visible without understanding the exploit
• The C&C servers are not visible without analysing the payload
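The three-stage chain above is what an analysis pipeline has to walk to turn a landing page into C&C indicators. The following is an added example, not FireEye code or code from the deck: it constructs a toy page that carries an XOR-obfuscated, hex-encoded blob plus its decoder key, recovers the blob from the page (stage 1), decodes it (stage 2) and only then extracts callback URLs from the decoded bytes (stage 3). The page layout, the `k`/`p` variable names, the XOR scheme and the `.example.invalid` hosts are all constructed for illustration.

```python
"""Staged analysis of a constructed exploit-page sample (added example, not FireEye code).

Stage 1: the page carries an encoded blob and the key needed to decode it.
Stage 2: decoding the blob yields the executable the page would drop.
Stage 3: only the decoded executable exposes the C&C hosts.
All sample values below are constructed for illustration."""
import re

KEY_RE = re.compile(r"var\s+k\s*=\s*(\d+);")            # decoder key in the constructed page
BLOB_RE = re.compile(r'var\s+p\s*=\s*"([0-9a-fA-F]+)";')  # hex-encoded payload in the page
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._/\-]*)?")


def make_sample_page(payload: bytes, key: int) -> str:
    """Build a page whose script embeds payload XOR-ed with key and hex-encoded."""
    enc = bytes(b ^ key for b in payload).hex()
    return ('<script>\nvar k = %d;\nvar p = "%s";\n'
            '// decoder loop omitted in the constructed sample\n</script>' % (key, enc))


def stage1_extract_blob(page: str):
    """Recover the decoder key and the encoded blob; None if the page has neither."""
    k = KEY_RE.search(page)
    p = BLOB_RE.search(page)
    if not k or not p:
        return None
    return int(k.group(1)), bytes.fromhex(p.group(1))


def stage2_decode(key: int, blob: bytes) -> bytes:
    """Apply the page's own decoding step to obtain the dropped executable."""
    return bytes(b ^ key for b in blob)


def stage3_extract_callbacks(payload: bytes) -> list[str]:
    """Pull callback URLs out of the decoded payload, deduplicated and sorted."""
    return sorted({m.decode() for m in URL_RE.findall(payload)})


def analyse(page: str) -> dict:
    """Run the chain and report what each stage made visible."""
    found = stage1_extract_blob(page)
    if found is None:
        return {"payload_visible": False, "is_pe": False, "callbacks": [],
                "callbacks_visible_in_page": bool(URL_RE.findall(page.encode()))}
    key, blob = found
    payload = stage2_decode(key, blob)
    return {
        "payload_visible": True,
        "is_pe": payload.startswith(b"MZ"),          # DOS/PE header magic
        "callbacks": stage3_extract_callbacks(payload),
        # would a scanner that stops at the page have seen the C&C hosts?
        "callbacks_visible_in_page": bool(URL_RE.findall(page.encode())),
    }


# Constructed stand-in for a dropped executable: PE magic plus an embedded config block.
SAMPLE_PAYLOAD = (b"MZ\x90\x00" + b"\x00" * 12 +
                  b"config\x00http://c2-a.example.invalid:8080/gate.php\x00"
                  b"http://c2-b.example.invalid/panel\x00")
SAMPLE_PAGE = make_sample_page(SAMPLE_PAYLOAD, 0x5A)

if __name__ == "__main__":
    print(analyse(SAMPLE_PAGE))
```

The point the slide makes shows up in the result: `callbacks_visible_in_page` is false for the constructed page, and the two hosts only appear after the executable has been decoded. A real pipeline replaces the toy XOR step with whatever decoding the captured exploit actually performs, which is why the deck insists that the exploit itself has to be understood first.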
Factor #1: What Gets Analyzed
Today’s attacks use a broad range of content types:
• DLL and EXE
• Web-based exploits
• Weaponized documents
• Active code
Factor #2: What’s in the Box
Each type of content needs an application to react with:
• Content: web page, JavaScript, Java applet, Word doc, Excel sheet, PowerPoint, PDF document, executable, DLL
• Applications: browser, operating system, PDF reader, Java JRE, Office
Factor #3: The Hypervisor
• Today…
– All advanced threat detection solutions use some form of virtualisation (VM) technology
– Most are based on commercial (e.g. VMware) or open source hypervisors (e.g. Xen and Oracle VirtualBox)
– These hypervisors were not designed for security analysis
• But…
– Advanced malware is often ‘VM aware’
– It will actively seek out markers of common hypervisors when deciding whether or how to execute
Factor #4: How You Monitor Virtual Execution
• Delta vs runtime analysis
• Delta analysis is easy to implement, but has some serious limitations:
– It is blind to operations that run in memory
– It will only report changes that are persistent at the end of analysis
– It cannot react to evasive operations (like malware going to sleep for 10 minutes)
• Runtime analysis does not share these limitations because it observes execution in real time from inside the sandbox
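The three limitations of delta analysis can be made concrete on a small constructed trace. The block below is an added example, not code from the deck or from any FireEye product: it models an in-guest API trace as `(time_ms, api, argument)` tuples and runs two monitors over it. `delta_analysis` only diffs the filesystem at the end of a two-minute budget; `runtime_analysis` sees every call as it happens and, as one common hardening step (an assumption of this example, not something the slide prescribes), advances the clock past long sleeps instead of waiting them out. The trace, the paths, the APIs used and the thresholds are all constructed.

```python
"""Delta analysis vs runtime analysis over a constructed execution trace (added example).

A trace is a list of (t_ms, api, detail) tuples standing in for what an in-guest
monitor would record. Delta analysis only sees a before/after filesystem snapshot;
runtime analysis sees each call as it happens and can react to evasive behaviour."""

# Constructed trace: a temp stager written then deleted, an in-memory injection,
# a ten-minute sleep, and a persistent drop that only happens after the sleep.
SAMPLE_TRACE = [
    (0,      "CreateFileA",        r"C:\Users\victim\AppData\Local\Temp\stage.tmp"),
    (5,      "WriteFile",          r"C:\Users\victim\AppData\Local\Temp\stage.tmp"),
    (10,     "VirtualAlloc",       "RWX region, 0x1000 bytes"),
    (12,     "WriteProcessMemory", "explorer.exe"),          # memory only, nothing on disk
    (15,     "DeleteFileA",        r"C:\Users\victim\AppData\Local\Temp\stage.tmp"),
    (20,     "SleepEx",            "600000"),                 # 10 minutes
    (600020, "CreateFileA",        r"C:\ProgramData\svc.exe"),
    (600025, "WriteFile",          r"C:\ProgramData\svc.exe"),
]

ANALYSIS_BUDGET_MS = 120_000          # two-minute analysis window (constructed)
MEMORY_APIS = {"VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"}
SLEEP_SKIP_THRESHOLD_MS = 30_000      # sleeps at least this long are skipped, not waited out


def delta_analysis(trace, budget_ms=ANALYSIS_BUDGET_MS):
    """Diff the filesystem before and after: only changes that still exist when the
    window closes are reported. The 'before' snapshot is taken as empty."""
    fs = set()
    for t, api, detail in trace:
        if t > budget_ms:
            break                      # sandbox timed out; later events never happen
        if api == "CreateFileA":
            fs.add(detail)
        elif api == "DeleteFileA":
            fs.discard(detail)         # transient artifact vanishes from the diff
    return sorted(fs)


def runtime_analysis(trace, budget_ms=ANALYSIS_BUDGET_MS):
    """Observe every call as it is made. Long sleeps are recorded as a finding and
    the clock is advanced past them so the budget is spent on real behaviour."""
    findings = []
    skipped_ms = 0                     # total sleep time the monitor did not wait for
    for t, api, detail in trace:
        if t - skipped_ms > budget_ms:
            break
        if api == "SleepEx" and int(detail) >= SLEEP_SKIP_THRESHOLD_MS:
            findings.append(f"evasive sleep {detail} ms skipped")
            skipped_ms += int(detail)
            continue
        if api in MEMORY_APIS:
            findings.append(f"in-memory activity: {api} {detail}")
        elif api == "DeleteFileA":
            findings.append(f"transient artifact removed: {detail}")
        elif api == "CreateFileA":
            findings.append(f"file created: {detail}")
    return findings


if __name__ == "__main__":
    print("delta:  ", delta_analysis(SAMPLE_TRACE))
    print("runtime:", *runtime_analysis(SAMPLE_TRACE), sep="\n  ")
```

On this trace the delta monitor reports nothing at all: the stager was deleted before the snapshot, the injection never touched disk, and the real drop happened after the window closed. The runtime monitor records the injection, the transient file, the sleep and, because it skipped the sleep, the drop that followed it.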
Factor #5: Where to Put the Sandbox
• The cloud model requires that content be sent out of the organisation for analysis:
– Not much of an issue for executables
– Loses context: a huge issue when it comes to documents
• Cloud services are always multi-tenanted and potentially hackable
• Some advanced malware is location-aware, and will only execute inside the target network
• What if a false positive ends up putting your schematics, business plans, roadmap, customer information or other sensitive file in the cloud?
Evasion Methods
Four Sandbox Evasion Methods
• VMware-specific
• Environment-specific
• Configuration-specific
• Human interaction
Evasion Via Human Interaction
Approach – How It Works
• Mouse clicks
– UpClicker code watches for a left-click on the mouse, more specifically an up-click
– Another APT-related malware file, BaneChant, activates only after three mouse clicks
• Dialog boxes
– Displaying a dialog box that requires the user to respond
– Using the MessageBoxEx API functions of Windows to create dialog boxes in EXE and DLL files; the malware activates only after the user clicks a button
Example of Human Interaction Evasion
Code sample highlighting the action for a mouse click up
Evasion Via Configuration-Specific Methods
Approach – How It Works
• Sleep calls: wait out the sandbox.
• Time trigger: malware executes only after a given date and time.
• Hiding process: malware blocks calls to the operating system to hide malicious behavior.
• Malicious downloader: many file-based sandboxes are configured with no connection to the Internet, so a malicious downloader makes an HTTP request but fails to download the malware.
• Executable name: many sandboxes assign a predefined name to files during execution. Attackers can avoid detection by having their code determine whether it is running under one of these names and terminate.
• Volume information: malware can detect the presence of many sandboxes by checking whether the volume serial number of the machine it is running on matches that of widely used VMs.
• Execute after reboot: deploying malware that does nothing overtly suspicious until after a reboot.
Extended Sleep Calls
Trojan Nap code calling the SleepEx method
Time Trigger Malware
A snippet of Hastati code, highlighting a call to the GetLocalTime() method to determine the current time
Malicious Downloader
Malicious JavaScript code making HTTP request to high-risk URL
Hiding Processes
Deregister from the PsSetCreateProcessNotifyRoutine.
Evasion Via Environment Detection Methods
Approach – How It Works
• Correct version check: many malicious files are set to execute only in certain versions of applications or operating systems, which can be absent in sandboxes.
• Embedded iframes: using innocuous files to get past defenses and download a malicious payload. A common approach is hiding iframe HTML elements in an otherwise non-executable file, such as a GIF picture or Adobe Flash.
• DLL loader: requiring a specific, non-traditional loader to execute the DLL.
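The embedded-iframe row describes a content-type mismatch: a file that announces itself as an image but carries HTML markup. That mismatch is something a content scanner can check for before the file ever reaches a sandbox. The block below is an added example, not code from the deck or from FireEye: it sniffs the declared image type from the file magic, searches the body for tags an image never legitimately contains, and pulls out the URL each hidden tag points at. The minimal GIF, the trailing iframe and the `.example.invalid` host are constructed for the example.

```python
"""Detect HTML markup hidden inside files that claim to be images (added example).

The check is two-sided: the file must start with a known image magic, and the body
must not contain tags an image has no business carrying. Samples are constructed."""
import re

IMAGE_MAGICS = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
# Opening tags that can pull in or execute remote content; matched case-insensitively.
HTML_TAG_RE = re.compile(rb"<\s*(iframe|script|object|embed)\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(rb"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def sniff_type(data: bytes):
    """Return the image type implied by the leading magic bytes, or None."""
    for magic, kind in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return kind
    return None


def scan_image(data: bytes) -> dict:
    """Report the declared type, every hidden tag found and the URL it references."""
    kind = sniff_type(data)
    hits = []
    for m in HTML_TAG_RE.finditer(data):
        tag = m.group(1).lower().decode()
        src = SRC_RE.search(m.group(0))
        hits.append((tag, src.group(1).decode(errors="replace") if src else None))
    # Only an image that also carries active markup is the mismatch we care about;
    # plain HTML is handled by the HTML scanner, not this one.
    return {"type": kind, "hidden_tags": hits, "suspicious": kind is not None and bool(hits)}


def build_gif(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 GIF89a; anything in trailer is appended after the GIF trailer byte."""
    header = (b"GIF89a" + b"\x01\x00\x01\x00"      # logical screen 1x1
              + b"\x80\x00\x00"                     # global colour table, 2 entries
              + b"\x00\x00\x00\xff\xff\xff")        # black, white
    image = (b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00\x00"   # image descriptor
             + b"\x02\x02\x44\x01\x00"              # minimal LZW data block
             + b"\x3b")                             # GIF trailer
    return header + image + trailer


CLEAN_GIF = build_gif()
TROJANED_GIF = build_gif(
    b'\n<IFRAME src="http://landing.example.invalid/x.php" width=0 height=0></IFRAME>')

if __name__ == "__main__":
    print(scan_image(CLEAN_GIF))
    print(scan_image(TROJANED_GIF))
```

Image viewers stop at the GIF trailer byte, so the appended markup is invisible to them while a browser handed the same bytes as HTML would render the frame; checking the body against the declared type catches the file regardless of which application ends up opening it.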
Environment Specific Evasion
Malware Performing Application Version Checks
Environment Specific Checks
Malicious iframe tag in a GIF file
Evasion Via VMware Detection Methods
Approach – How It Works
• VM system service list check: malware checks for services unique to VMware, such as vmicheartbeat, vmci, vmdebug, vmmouse, vmscsi, VMTools, vmware, vmx86, vmhgfs and vmxnet
• Checking for unique VMware files: looking for VMware files specific to that platform.
• Looking for the VM comms port: detecting the VMX port that VMware uses to communicate with its virtual machines.
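The human-interaction, configuration-specific and VMware-detection tables all describe behaviour that shows up as a recognisable API call pattern in a runtime trace, so one detector serves all three; it is placed here after the last of the tables. The block below is an added example and not code from the deck or from any FireEye product. It parses a constructed `api|argument` trace and maps each table row to a rule, reporting both the evidence and what the sandbox operator should change in response (auto-dismiss dialogs, inject clicks, skip sleeps, randomise sample names, give images unique volume serials, rename or remove the listed services and files). The trace, the generic sample names and the exact API set are constructed assumptions, not a vendor list.

```python
"""Evasion heuristics over an in-guest API trace (added example, constructed data).

Each trace line is "api|argument". Rules follow the human-interaction,
configuration-specific and VMware-detection tables; each finding carries the
counter-measure the sandbox should apply."""
import re

VMWARE_SERVICES = {"vmicheartbeat", "vmci", "vmdebug", "vmmouse", "vmscsi", "vmtools",
                   "vmware", "vmx86", "vmhgfs", "vmxnet"}
VMWARE_KEY_RE = re.compile(r"vmware", re.IGNORECASE)
VMWARE_FILE_RE = re.compile(r"vm(mouse|hgfs|ci)\.sys$", re.IGNORECASE)
SANDBOX_EXE_NAMES = {"sample.exe", "malware.exe", "virus.exe"}   # constructed, not a vendor list
ACTIVITY_APIS = {"CreateFileA", "WriteFile", "CreateProcessA", "InternetOpenUrlA"}
LONG_SLEEP_MS = 60_000


def parse_trace(text: str):
    """Split "api|argument" lines into (api, argument) pairs."""
    calls = []
    for line in text.strip().splitlines():
        api, _, arg = line.partition("|")
        calls.append((api.strip(), arg.strip()))
    return calls


def detect_evasion(text: str) -> list:
    """Return (category, evidence-and-countermeasure) pairs in trace order."""
    calls = parse_trace(text)
    findings, total_sleep, sleep_flagged, activity_seen = [], 0, False, False
    for i, (api, arg) in enumerate(calls):
        nxt = calls[i + 1][0] if i + 1 < len(calls) else ""
        exe = arg.rsplit("\\", 1)[-1].lower()
        if api in ("Sleep", "SleepEx"):
            total_sleep += int(arg or 0)
            if total_sleep >= LONG_SLEEP_MS and not sleep_flagged:
                sleep_flagged = True
                findings.append(("config:sleep", f"cumulative sleep {total_sleep} ms; skip it instead of waiting"))
        elif api in ("MessageBoxA", "MessageBoxExA", "MessageBoxExW") and not activity_seen:
            findings.append(("human:dialog", f"blocks on a click before any activity: {arg}; auto-dismiss"))
        elif api == "SetWindowsHookExA" and arg.startswith("WH_MOUSE"):
            findings.append(("human:mouse", f"mouse hook {arg}; inject synthetic clicks"))
        elif api in ("GetLocalTime", "GetSystemTime") and nxt == "ExitProcess":
            findings.append(("config:time-trigger", "exits right after reading the clock; rerun with shifted dates"))
        elif api == "InternetOpenUrlA":
            findings.append(("config:downloader", f"requested {arg}; record it even if the fetch fails offline"))
        elif api == "GetModuleFileNameA" and exe in SANDBOX_EXE_NAMES:
            findings.append(("config:exe-name", f"runs as generic name {exe}; randomise sample names"))
        elif api == "GetVolumeInformationA":
            findings.append(("config:volume", "reads the volume serial; give each image a unique serial"))
        elif api == "RegSetValueExA" and "currentversion\\run" in arg.lower():
            findings.append(("config:reboot", f"persists via {arg}; reboot the guest during analysis"))
        elif api == "OpenServiceA" and arg.lower() in VMWARE_SERVICES:
            findings.append(("vmware:service", f"probes service {arg}; rename or remove it in the image"))
        elif api == "RegOpenKeyExA" and VMWARE_KEY_RE.search(arg):
            findings.append(("vmware:registry", f"probes {arg}; strip tools keys from the image"))
        elif api == "GetFileAttributesA" and VMWARE_FILE_RE.search(arg):
            findings.append(("vmware:file", f"probes {arg}; rename the driver file"))
        if api in ACTIVITY_APIS:
            activity_seen = True
    return findings


# Constructed trace exercising every rule once.
SAMPLE_TRACE = r"""
GetModuleFileNameA|C:\analysis\sample.exe
RegOpenKeyExA|HKLM\SOFTWARE\VMware, Inc.\VMware Tools
GetFileAttributesA|C:\Windows\System32\drivers\vmmouse.sys
OpenServiceA|vmhgfs
MessageBoxExA|Press OK to continue
SetWindowsHookExA|WH_MOUSE_LL
InternetOpenUrlA|http://dl.example.invalid/payload.bin
RegSetValueExA|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater
SleepEx|300000
GetLocalTime|
ExitProcess|0
"""

if __name__ == "__main__":
    for category, note in detect_evasion(SAMPLE_TRACE):
        print(f"{category:<20} {note}")
```

Two design points matter for a defender. A dialog box is only flagged when it appears before any file, process or network activity, because a legitimate installer asking a question after it has started working is normal. And the failed download is kept as a finding in its own right: the request shows the sandbox what the sample wanted to fetch, which is an indicator even when the offline guest never receives the payload.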
Checking for VMWare
Malware using the function RegOpenKeyExA() to check for VMware tools
Checking for VMware
Malware using GetFileAttributesA() to determine the presence of the VMware mouse driver
Conclusions and Recommendations
Sandboxes: Conclusions
• File-based sandboxes are not effective in detecting advanced malware.
• Advanced attacks are stateful; understanding the context of the attack via multi-flow analysis is needed to fill the gap.
• Multi-flow and multi-vector correlation between sets of events is required to capture the behavior of advanced threats.
• The virtual execution environment must be hardened and obfuscated against advanced evasions.
– Many old malware families like Kelihos, PushDo and Poison Ivy have been resurrected with sandbox evasions
– A never-ending battle
A Buyer’s Guide: Questions to Ask
1. What types of content get submitted for virtual/sandbox analysis? Do these types give full coverage of the threat vectors (web and JavaScript-based exploits in particular)?
2. What operating systems, applications and plug-ins (and what range of versions) are available in the sandbox to react with your content?
3. How is execution monitored? Is it simply by comparing a snapshot of the VM before and after execution?
4. What type of hypervisor is used? How would it resist VM-aware malware?
5. Do you have any issue with your business plans, patent applications, financials, customer details and business decisions being submitted to a cloud service?
6. How much time do you expect to spend tuning and administering the solution?
About FireEye
FireEye’s Technology: State of the Art Detection
[Diagram: DETONATE (within VMs) → ANALYZE (across VMs) → CORRELATE (cross-enterprise), rated at 500,000 objects/hour; inputs: Network, Mobile, Files; attack stages tracked: Exploit, Callback, Malware Download, Lateral Transfer, Exfiltration]
FireEye Product Portfolio
[Diagram: MVX, Threat Analytics Platform and Dynamic Threat Intelligence alongside Network Threat Prevention, Email Threat Prevention, Content Threat Prevention, Mobile Threat Prevention and Endpoint Threat Prevention, positioned against SEG, IPS, SWG, MDM and host anti-virus]
Reimagined Security
Thank You