Date post: 02-Jan-2017
Page 1: SLIME: AUTOMATED ANTI-SANDBOXING DISARMAMENT SYSTEM

Yosuke Chubachi and Kenji Aiko, FFRI, Inc.

Page 2: About us

He has been a security engineer at FFRI, Inc. since last spring. He studied at the graduate school of information system engineering, University of Tsukuba. He is a Security Camp lecturer and has been a member of the executive committee of SECCON since 2012.

He is a programmer at FFRI, Inc., and one of the developers of "FFR yarai", a targeted attack protection software. He is a Security Camp lecturer and has been a member of the executive committee of SECCON since 2012.

Yosuke Chubachi

Kenji Aiko

March 27, 2015

Page 3: Contents

•  Background and Motivation
•  State of the Art of Anti-sandboxing
•  SLIME Design and Implementation
•  Disarming Real Malware
•  Experiments
•  Conclusion

Page 4: Background and Motivation

Page 5: Background

•  Malware explosion — over 120,000,000 new samples in 2014
•  Antivirus is dead…?

Source: AV Test, Statistics – New Malware (viewed Nov. 05, 2014), http://www.av-test.org/en/statistics/malware/

Page 6: We need dynamic and automated malware analysis

•  "Scalability" is the most important factor in the information explosion era
   —  Cloud
   —  Big data
   —  IoT
•  Malware analysis also needs a "scalable" methodology

Page 7: "Use the sandbox, Luke"

•  Security engineers and researchers use sandbox environments for malware analysis
•  Automated dynamic analysis technology is also based on VM/application sandboxes

Page 8: Malware strikes back

•  Sophisticated malware is armed with many anti-analysis techniques
   —  Naturally used in targeted attacks, cyber espionage and banking malware
•  Researchers call such malware "evasive malware"

Page 9: Related work

•  BareCloud [Dhilung K. et al., USENIX SEC'14]
   —  "5,835 evasive malware out of 110,005 recent samples"
•  Prevalent Characteristics in Modern Malware [Gabriel et al., BH USA '14]
   —  "80% malware detect vmware using backdoor port"

What do you think?

Page 10: Motivation

•  Investigate the conditions used for sandbox evasion automatically, so that the right sandbox can be selected using the investigated conditions

Page 11: Challenges

•  Incorporable and standalone
   —  Because we are developing an anti-virus application

Page 12: State of the Art of Anti-sandboxing

Page 13: State-of-the-art anti-sandboxing

•  CyberGate (RAT)
•  Chthonic (Online Banking Malware)

Page 14: CyberGate

•  Popular RAT tool
•  CyberGate can generate a remote access server for the targeted host
•  Anti-sandbox option enabled

Page 15: CyberGate

Page 16: Anti-sandboxing code generated by CyberGate

Page 17: Chthonic

•  Banking trojan, a subspecies of the ZeuS family
•  The Chthonic downloader injects malicious code into msiexec.exe
•  The downloader also changes its behavior if it runs on a sandbox or virtual machine

See also: https://securelist.com/blog/virus-watch/68176/chthonic-a-new-modification-of-zeus/

Page 18: Chthonic

Figure annotation: calling many vm/sandbox detection routines

Page 19: Chthonic anti-sandboxing

•  Finding vm/sandbox artifacts
   —  \\.\HGFS, \\.\VBoxGuest, \\.\vmci and \\.\Wine
   —  sbie.dll
•  Similar to "Citadel"
   —  Citadel also looks for vm/sandbox artifacts

Page 20: Type of anti-sandbox

•  Anti-sandbox maneuvers
   ✓  Environment awareness
      •  Using the result of vm/sandbox detection
      •  Host fingerprinting
   ☐  (Stalling code)
   ☐  (User/Network interaction checks)

Page 21: Environment awareness

•  Checking host environments
•  If the malware detects an analyzer's signs, it runs a decoy routine or exits itself
   —  Malicious behavior is never executed

Figure (flow): Initialization (unpack) → Sandbox (incl. VM) detection → Malicious routine; or → Decoy routine if running on an analyzing environment

Page 22: Sandbox (debug/sandbox/vm) detection

   ✓  Artifact fingerprinting
   ✓  Execution environment fingerprinting
   ☐  (Execution timing detection)

Page 23: Sandbox (debug/sandbox/vm) detection

Figure (diagram labels): Host; Environment-aware malware; VM-related artifacts; Sandbox-specific artifacts; VMM?; Artifact fingerprinting; Execution environment fingerprinting; Execution timing detection

Page 24: Artifact fingerprinting

•  Sandbox/VM environment specific files
•  Sandbox/VM environment specific registry keys
•  Sandbox/VM environment specific devices and their attributes
   —  e.g. QEMU HDD vendor name
•  Sandbox/VM specific I/O port
   —  The VMware backdoor port is the most famous artifact used by malware
•  Sandbox/VM related processes
   —  Like vmware, virtualbox etc.

Page 25: Execution environment fingerprinting

•  Using virtual machine implementation specific platform values and reactions
   —  CPUID instruction result
   —  Redpill
•  Using LDT/GDT and IDT incongruousness
   —  Interesting research here: Cardinal Pill Testing

Page 26: Execution timing detection

•  Using clock count differentials
   —  Traditional anti-debug technique

Figure: Comparing TSC differentials

Page 27: SLIME: Design and Implementation

Page 28: SLIME key technologies

•  Malware palpation
•  Code execution integrity (CEI)
•  Retroactive condition analysis

Page 29: Concept: malware palpation

1.  Our sandbox runs the malware again and again
    —  Changing the exposure of "virtual" artifacts on each execution, for execution branch detection
2.  Retroactive condition analysis
    —  Specifying the "branch condition" on unnatural process termination

Page 30: Malware palpation

•  The SLIME sandbox fakes different sandbox-related artifacts on each malware execution
   —  Detecting execution differences using code execution integrity (CEI)

Figure (diagram labels, user-space / kernel-space, Runtime & Libraries):
   First execution:  Malware → CreateFile(…) → API emulator (faking) → SLIME (vmware faking) → vmmouse.sys
   Second execution: Malware → CreateFile(…) → API emulator → Not found

Page 31: Code Execution Integrity (CEI)

•  CEI shows the uniqueness of the instruction execution history
   —  Inspired by TPM trust chaining
•  One "measurement" per instruction

   Digest[i] = SHA1( fetched CPU instruction + Digest[i-1] )

   Example instruction stream and its encoding:
      mov $0x616b6157, %eax    0xb857616b61
      push %ebx                0x53
      push %eax                0x50
      mov $4, %edx             0xba04000000
      mov $1, %ebx             0xbb01000000

   d[0] = SHA1(0xb857616b61)
   d[1] = SHA1(d[0] + 0x53)
   d[2] = SHA1(d[1] + 0x50)
   d[3] = SHA1(d[2] + 0xba04000000)
   ...

Page 32: Execution branch detection

•  Using the execution step count and the code execution integrity (CEI) value

   Example VM-check routine (the compared constant is the VMware backdoor magic):
              in    eax, dx
              cmp   ebx, 0x564D5868
              jne   NOTVMX
              jmp   ISVMX
      NOTVMX: mov   rc, 0
              jmp   done
      ISVMX:  mov   rc, eax
              jmp   done

   Execution 1: CEI[0], CEI[1], CEI[2], CEI[3], CEI[4]            (5 steps)
   Execution 2: CEI[0], CEI[1], CEI[2], CEI[3], CEI[4], CEI[5]    (6 steps)
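The CEI chain of pages 31 and 32 and the two-run comparison that locates a branch, as an added Python example (not code from the slides or from SLIME). It takes the concatenation order from the slide's worked lines d[1] = SHA1(d[0] + 0x53) etc.; the two VM-check traces and their byte encodings are constructed placeholders, not taken from a real binary.

```python
"""Code Execution Integrity (CEI) chain and execution-branch detection.

Added example, not SLIME's code. d[0] = SHA1(insn_0), d[i] = SHA1(d[i-1] ||
insn_i) as on the CEI slide; two executions of the same sample (artifact
exposed vs. hidden) are then compared by step count and per-step CEI.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

Step = Tuple[str, bytes]          # (mnemonic, fetched instruction bytes)

# Instruction stream and encodings exactly as listed on the CEI slide.
SLIDE_TRACE: List[Step] = [
    ("mov $0x616b6157, %eax", bytes.fromhex("b857616b61")),
    ("push %ebx",             bytes.fromhex("53")),
    ("push %eax",             bytes.fromhex("50")),
    ("mov $4, %edx",          bytes.fromhex("ba04000000")),
    ("mov $1, %ebx",          bytes.fromhex("bb01000000")),
]


def cei_chain(trace: List[Step]) -> List[bytes]:
    """Per-step CEI digests: each measurement folds the previous digest in,
    so d[i] fixes the whole instruction history up to step i (TPM-style)."""
    digests: List[bytes] = []
    prev = b""                               # no predecessor for step 0
    for _mnemonic, insn in trace:
        prev = hashlib.sha1(prev + insn).digest()
        digests.append(prev)
    return digests


def first_divergence(chain_a: List[bytes], chain_b: List[bytes]) -> Optional[int]:
    """Index of the first step whose CEI differs between two runs; None only
    when both chains are identical step for step."""
    for i, (a, b) in enumerate(zip(chain_a, chain_b)):
        if a != b:
            return i
    if len(chain_a) != len(chain_b):         # one run stopped earlier
        return min(len(chain_a), len(chain_b))
    return None


def detect_branch(run_a: List[Step], run_b: List[Step]) -> Dict[str, object]:
    """Report where two executions parted: step counts, the divergence step,
    the last shared instruction and the instruction each run took next."""
    chain_a, chain_b = cei_chain(run_a), cei_chain(run_b)
    idx = first_divergence(chain_a, chain_b)
    return {
        "steps": (len(run_a), len(run_b)),
        "branch_step": idx,
        "last_common": run_a[idx - 1][0] if idx else None,
        "taken": (
            run_a[idx][0] if idx is not None and idx < len(run_a) else None,
            run_b[idx][0] if idx is not None and idx < len(run_b) else None,
        ),
    }


# Constructed traces following the slide's VM-check pseudo-assembly; the
# byte encodings are illustrative placeholders.
COMMON: List[Step] = [
    ("in eax, dx",     b"\xed"),
    ("cmp ebx, imm32", b"\x81\xfb\x00\x00\x00\x00"),
    ("jne NOTVMX",     b"\x75\x04"),
]
RUN_ARTIFACT_EXPOSED = COMMON + [("jmp ISVMX", b"\xeb\x06"),
                                 ("mov rc, eax", b"\xa3\x00\x00\x00\x00"),
                                 ("jmp done", b"\xeb\x00")]
RUN_ARTIFACT_HIDDEN = COMMON + [("mov rc, 0", b"\xc7\x05\x00\x00\x00\x00\x00\x00\x00\x00"),
                                ("jmp done", b"\xeb\x00")]

if __name__ == "__main__":
    for i, d in enumerate(cei_chain(SLIDE_TRACE)):
        print(f"d[{i}] = {d.hex()}")
    print(detect_branch(RUN_ARTIFACT_EXPOSED, RUN_ARTIFACT_HIDDEN))
```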

Page 33: Retroactive condition analysis

•  On a suspicious termination, the sandbox works backwards from the termination to the API call (and its arguments) that caused it
   —  Only a few steps executed
   —  Terminated before any network activity

   Example (the sample compares its own module path with an expected path and exits on mismatch):
      sub   esp, 1024
      mov   ebx, esp
      push  400h
      push  ebx
      push  0h
      call  GetModuleFileNameA
      lea   eax, MyPath
      push  eax
      push  ebx
      call  lstrcmpA
      test  eax, eax
      push  0h
      lea   eax, MsgCaption
      push  eax
      jz    _ok
      lea   eax, NGMsgText
      push  eax
      push  0h
      call  MessageBoxA
      invoke ExitProcess, NULL
   _ok:
      lea   eax, OKMsgText

Page 34: Implementation

•  We already have a CPU emulator-based sandbox for win32 execution (in-house use)
   —  Like IDA Bochs PE operation mode [11]

Figure (diagram labels): Host; Runtime & Libraries; CPU Emulator containing FILE', HEAP', Runtime & Libraries (Virtualized), Target Process, Memory Context', Execution Context'

Page 35: Execution logging framework

•  SLIME logs instructions per execution
   —  Tracing specific API calls and their arguments for retroactive condition analysis
      •  lstrcmpi, strcmp, GetModuleFileName, …
•  Code execution integrity calculation per execution
   —  For execution branch detection
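The retroactive analysis of pages 33 and 35 over a traced API log, as an added Python example (not SLIME's code). The log record format, the API name sets and the two sample logs are constructed for this example; the suspicious log mirrors the GetModuleFileNameA / lstrcmpA / ExitProcess sequence on page 33.

```python
"""Retroactive condition analysis over an execution log.

Added example, not SLIME's own code. When a sample terminates suspiciously
(few executed steps, no network activity yet), walk the traced API calls
backwards from the termination to the comparison call whose operands decided
the exit, and report them as the candidate evasion condition.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# API families the logger traces (names from the slides plus W variants).
COMPARE_APIS = {"lstrcmpA", "lstrcmpiA", "lstrcmpW", "lstrcmpiW", "strcmp"}
ORIGIN_APIS = {"GetModuleFileNameA", "GetModuleFileNameW"}
TERMINATE_APIS = {"ExitProcess", "TerminateProcess"}
NETWORK_APIS = {"connect", "send", "InternetOpenA", "URLDownloadToFileA"}


@dataclass
class ApiCall:
    step: int                  # executed-instruction count at the call
    api: str
    args: Tuple[str, ...]      # arguments as logged (pointers already resolved)
    ret: int


@dataclass
class EvasionCondition:
    compare_api: str
    observed: str              # value the sample read from its environment
    expected: str              # value it compared against
    origin_api: Optional[str]  # call that produced the observed value
    compare_result: int
    steps_to_exit: int


def is_suspicious_termination(log: List[ApiCall], max_steps: int) -> bool:
    """Exit within max_steps instructions, with no network API seen first."""
    if not log or log[-1].api not in TERMINATE_APIS or log[-1].step > max_steps:
        return False
    return not any(c.api in NETWORK_APIS for c in log)


def retroactive_condition(log: List[ApiCall],
                          max_steps: int = 100_000) -> Optional[EvasionCondition]:
    """Walk back from a suspicious exit to the last comparison call."""
    if not is_suspicious_termination(log, max_steps):
        return None
    exit_call = log[-1]
    for i in range(len(log) - 2, -1, -1):
        call = log[i]
        if call.api in COMPARE_APIS and len(call.args) >= 2:
            origin = next((c.api for c in reversed(log[:i])
                           if c.api in ORIGIN_APIS), None)
            return EvasionCondition(call.api, call.args[0], call.args[1],
                                    origin, call.ret, exit_call.step - call.step)
    return None


# Constructed log mirroring the slide's GetModuleFileNameA / lstrcmpA /
# ExitProcess sequence (stdcall pushes right to left, so the buffer filled by
# GetModuleFileNameA is the first lstrcmpA argument and MyPath the second).
SUSPICIOUS_LOG = [
    ApiCall(120, "GetModuleFileNameA", ("NULL", "buf", "0x400"), 23),
    ApiCall(142, "lstrcmpA", (r"C:\analysis\sample.exe", r"C:\ProgramData\app\app.exe"), 1),
    ApiCall(160, "MessageBoxA", ("0", "NG", "caption", "0"), 1),
    ApiCall(171, "ExitProcess", ("0",), 0),
]
# Same checks, but the sample went on to the network before exiting: the
# exit is then not treated as an evasion.
LATE_EXIT_LOG = SUSPICIOUS_LOG[:2] + [
    ApiCall(9_000, "connect", ("sock", "198.51.100.7:443"), 0),
    ApiCall(9_500, "ExitProcess", ("0",), 0),
]

if __name__ == "__main__":
    print(retroactive_condition(SUSPICIOUS_LOG))
    print(retroactive_condition(LATE_EXIT_LOG))
```

The reported condition (module path must equal the expected path) is what the palpation loop of page 29 would satisfy on the next run to reach the hidden branch.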

Page 36: Camouflaging VM/sandbox related artifact existence

•  VMware
   —  Camouflaging the backdoor port, some registry entries and files
•  VirtualBox
   —  Some registry entries and files
•  QEMU
   —  Some registry entries and files
•  Sandbox
   —  Anubis
   —  Sandboxie
   —  ThreatExpert

Page 37: Disarming Real Malware

Page 38: Disarming demo

Page 39: Anti-VMware

SHA256: C1A7E51E5E2F94193D6E17937B28155D0F121207

Page 40: Detect sandbox evasion

SHA256: 39517A057CC4A1AE34E786873C8010291A33BAB7

Page 41: Experiments

Page 42: Dataset

•  Trying to disarm 89,119 malware samples
   —  Collected in one year (2014/01/01–2014/12/31)
   —  Original data amount: 5,244,297
   —  Random sampling
   —  Filtered to PE (32-bit) files loadable by our sandbox

Page 43: Results

   Anti-Sandbox Type                               Count
   Detecting VMware                                   63
   Detecting VirtualBox                               70
   Detecting QEMU                                     84
   Detecting Sandbox (sbie.dll and dbghelp.dll)   11,102
   Evasive Malware                                    36

* Throughput: 6 malware samples per minute

Page 44: Are Anti-VM Too Few?

•  We guess that more anti-VM malware exists in this dataset
   —  Because our CPU emulator's coverage is not enough to run all the malware
      •  The original sandbox was developed for unpacking

Page 45: Off-topic: Artifact finding by Yara

Using customized Anti-VM rules @ YaraRules:

   Anti-Sandbox Type              Count
   Found VMware Signature        11,029
   Found VirtualBox Signature       530
   Found QEMU Signature             247
   Sandbox detection                235

Using SLIME-implemented artifacts only:

   Anti-Sandbox Type              Count
   Found VMware Signature        10,985
   Found VirtualBox Signature       142
   Found QEMU Signature             127
   Sandbox detection                221

Page 46: Can a Virtual Machine Protect You from Malware?

•  No
   —  The proportion of anti-VM armed malware is low in the wild
   —  Anti-VM activity is one method of blacklist avoidance

Page 47: Can I Ignore Anti-Sandboxing?

•  No!
   —  Many anti-sandboxing checks are found before malicious behavior such as suspicious downloads or code injection
   —  If you do not pay attention, you will miss significant threats

Page 48: Conclusion

•  SLIME can investigate the conditions used for sandbox evasion automatically
•  The proportion of anti-VM armed malware is low in the wild
•  However, there is no doubt that sophisticated malware often uses anti-sandboxing

Page 49: Bibliography

[1]  Analyzing Environment-Aware Malware, Lastline, 2014.05.25 (viewed). http://labs.lastline.com/analyzing-environment-aware-malware-a-look-at-zeus-trojan-variant-called-citadel-evading-traditional-sandboxes
[2]  Martina Lindorfer, Clemens Kolbitsch, and Paolo Milani Comparetti. 2011. Detecting environment-sensitive malware. In Proceedings of the 14th International Conference on Recent Advances in Intrusion Detection (RAID'11). Springer-Verlag, Berlin, Heidelberg, 338-357.
[3]  Clemens Kolbitsch, Engin Kirda, and Christopher Kruegel. 2011. The power of procrastination: detection and mitigation of execution-stalling malicious code. In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11). ACM, New York, NY, USA, 285-296.
[4]  Min Gyung Kang, Heng Yin, Steve Hanna, Stephen McCamant, and Dawn Song. 2009. Emulating emulation-resistant malware. In Proceedings of the 1st ACM Workshop on Virtual Machine Security (VMSec '09). ACM, New York, NY, USA, 11-22.
[5]  Dhilung Kirat, Giovanni Vigna, and Christopher Kruegel. 2014. BareCloud: bare-metal analysis-based evasive malware detection. In Proceedings of the 23rd USENIX Conference on Security Symposium (SEC'14). USENIX Association, Berkeley, CA, USA, 287-301.
[6]  Ulrich Bayer, Imam Habibi, Davide Balzarotti, Engin Kirda, and Christopher Kruegel. 2009. A view on current malware behaviors. In Proceedings of the 2nd USENIX Conference on Large-scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More (LEET'09). USENIX Association, Berkeley, CA, USA, 8-8.
[7]  Aurélien Wailly. Malware vs Virtualization: The endless cat and mouse play, 2014.05.25 (viewed). http://aurelien.wail.ly/publications/hip-2013-slides.html
[8]  Lorenzo Martignoni, Roberto Paleari, Giampaolo Fresi Roglia, and Danilo Bruschi. 2009. Testing CPU emulators. In Proceedings of the 18th International Symposium on Software Testing and Analysis (ISSTA '09). ACM, New York, NY, USA, 261-272.
[9]  Hao Shi, Abdulla Alwabel, and Jelena Mirkovic. 2014. Cardinal Pill Testing of System Virtual Machines. In Proceedings of the 23rd USENIX Conference on Security Symposium (SEC'14). USENIX Association, Berkeley, CA, USA, 271-285.
[10] Lorenzo Martignoni, Roberto Paleari, Giampaolo Fresi Roglia, and Danilo Bruschi. 2010. Testing system virtual machines. In Proceedings of the 19th International Symposium on Software Testing and Analysis (ISSTA '10). ACM, New York, NY, USA, 171-182.
[11] IDA Bochs PE operation mode. https://www.hex-rays.com/products/ida/support/idadoc/1332.shtml

Page 50: Fin.