Detecting Evasive Malware in the Sandbox—The Latest from McAfee and Intel Labs
McAfee Confidential
Rahul Mohandas | Intel Security
Ravi Sahita | Intel Labs
Speakers
Rahul Mohandas, Research Manager, Intel Security
Ravi Sahita, Principal Engineer, Intel Labs
Agenda
• Evolution of Targeted Malware Attacks and Defenses
• Sandboxing Challenges
• McAfee Advanced Threat Defense Technology
• Use Cases: Sandbox Evasion
• Platform Opportunities
• Summary
McAfee, and the McAfee logo are registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and 
brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and 
subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2014 McAfee, Inc.
Evolution of Malware Attacks and Defenses 
How did we get here?
A large number of enterprises had breaches over the past year. What can be done to better protect the network against these cyberthreats?
Reactive
• md5/URL blacklists
Proactive
• Heuristics/protocol analysis
Predictive
• Static/behavioral and predictive analytics
• Malware attribution
Evolution of defenses shown as Attack [Defense]
State of Targeted Attacks
[Timeline figure, 2010–2014: targeted attacks placed on a time axis, with date labels running from MAR-2011 to AUG-2014. Attacks named on the figure, in the order they appear on the page: Shamoon, SAFE, SunShop, Duqu, Flame, Gauss, Mahdi, VOHO, Beebus, Ladyboyle, MiniDuke, RSA hack, Naikon, NetTraveler, Gotham, ZEGOST, DeputyDog, EvilGrab, IceFog, Kimsuky, Guodl, Taidoor, The3bug, Web2Crew, Project Blitzkrieg, Shiqiang, Quarian, Havex, Pittytiger, Quarian v2.]
Sandboxing Challenges 
Evasion 
• Hook-detection/skipping. 
• Self/VM fingerprinting. 
• System tampering. 
• Interaction-based. 
• Latent behavior. 
• Timing analysis. 
• And so on …
Advanced Threat Defense Technology 
Sandboxing approach and future challenges
McAfee Advanced Threat Defense
• Using static and dynamically derived program behavior.
• Provides advanced sandboxing capabilities:
  • Virtual CPUs.
  • Anti-anti-debugging.
• Need to unpack to get to original executable code for analysis:
  • Detect variants.
  • Understand potential paths.
  • Provide unpacked code for further analysis.
[Figure: samples dispatched to VM1, VM2 … VM N running on a VMM.]
Dynamic and Static Code Analysis
[Figure: two analysis pipelines. Dynamic analysis observes runtime DLL operations, file operations, network and process operations, and delayed execution. Static analysis performs unpacking, disassembly of code, calculation of latent code, and familial resemblance.]
Sandbox Evasion
Advanced: inline assembly
• Use assembly code to bypass hooks:
  • Replace sleep() with an induced delay loop.
  • Bypasses sandboxes that have default analysis timeouts.
• Family classification to the rescue.
Sandbox Evasion: Inline Assembly
[Figure only; no text on the page.]
Quarian Evolution: Timeline
[Timeline figure, Dec ’11 to March ’14: Quarian samples placed by date, each with a similarity score. Prototype added (similarity 100%); sample ce1ef, similarity 97%; sample 1d6b587, similarity 83.54%; sample c0e5746dd, similarity 68.09%; sample 93807cff6, similarity 68.18%; sample f3862, similarity 66.72%. Date labels on the figure: Dec ’11, Jan ’12, March ’12, July ’12, August ’13, March ’14.]
Sandbox Evasion
Quarian: AppId Check
• APT actor active since 2011.
• Checks presence of registry key, exits if not found.
• Evades all known sandboxes relying on behavior only.
• Detected by McAfee® Advanced Threat Defense using static code analysis.
Quarian Evolution: Static Code Analysis
[Figure only; no text on the page.]
Platform Opportunities 
Improving malware analysis
Improving Malware Sandbox: Goals
Enhance instrumentation to observe zero-day/obfuscated behavior:
• Memory access and execution analysis.
• Kernel/user rootkit-like behavior.
• API, control flow attacks.
• Unpacking, de-obfuscating code.
… without impacting analysis throughput.
[Figure: VM1, VM 2 … VM n on a VMM over Intel CPUs.]
OS-Independent Behavioral Memory Monitoring
CPU extended page tables (EPTs) as memory monitoring domains
[Figure: VM0 on a hypervisor using Intel® VT-x with EPT on CPU0. The EPT walker translates guest pages to host physical addresses through Extended Page Table (EPT) domains. In one domain application code/data is RX/RW and DLL code is RO; in the other DLL code is RX, application code/data is RO/NP, and data is RW or NP. Execution crossing EPT domains, or data accesses, cause events.]
• Observe read, write, or execution from memory.
• Critical data structure tracking.
• Critical API execution tracking without circumvention.
Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x)
Addressing Technical Challenges
• Factors limiting memory monitoring:
  • Hardware context-switch time.
• Filtering uninteresting events with minimal overhead:
  • Monitoring data accesses requires filtering due to 4K page sharing.
• Analyzing execution patterns:
  • Without requiring single-stepping of all execution.
Hardware-Accelerated Behavioral Memory Analysis
• VM Function (VMFUNC) to switch EPTs or memory views without VMExits.
• Virtualization Exceptions (#VE) to directly notify guest of EPT access violations without VMExits.
Minimize exposure of VMM to reduce malware evasion opportunities.
[Figure: VM0 on a hypervisor using Intel® VT-x with EPT on CPU0. The EPTP list is indexed by VMFUNC to select Memory View 1 or Memory View 2 (extended page tables mapping physical pages); the EPT walker reports EPT violations to the guest via #VE.]
Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x)
Accelerating Behavior-Induced Events
• Behavioral memory monitoring policies set up via EPT domains.
• VMM opts in to convert induced EPT violations (observed events) to #VE.
• Monitoring software can use VMFUNC to switch views in order to analyze memory accesses and continue sandboxed execution.
[Figure: inside the VM sandbox on Intel CPUs, a monitored app issues a WRITE that violates the access policy held in the EPT domains; the CPU delivers #VE with #VE info to the monitoring service, which (1) handles the #VE, (2) sets up single step or emulates the access, using VMFUNC to switch between EPT domains, and (3) completes analysis. The VMM owns the EPT domains.]
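The monitoring flow on slides 18, 19 and 21, as an added model in C: EPT domains as a policy encoded purely in page permissions, a #VE handler that filters 4K-page-granular traps down to the watched byte range, and VMFUNC-style view switching so sandboxed execution continues. This is illustrative code written for this page, not McAfee or Intel Labs code, and it never touches real VT-x: `vmfunc_switch_view`, `ept_violation`, `handle_ve`, the four-page guest layout and the watched range (standing in for a critical kernel structure such as a callback table) are all constructed assumptions that replace the hardware and the monitoring service.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define NPAGES    4u   /* page 0: app code, 1: DLL code, 2: app data, 3: scratch (assumed layout) */
#define NVIEWS    2u   /* view 0: application domain, view 1: DLL domain */

enum perm { P_R = 1, P_W = 2, P_X = 4 };

/* One memory view = one EPT hierarchy, modelled as a permission byte per guest page. */
struct view { uint8_t perm[NPAGES]; };

static uint8_t     guest_mem[NPAGES * PAGE_SIZE];
static struct view views[NVIEWS];
static unsigned    cur_view;   /* EPTP-list index currently selected via VMFUNC */

/* Hypothetical critical data structure (e.g. a kernel callback table) inside page 2. */
static const uint32_t WATCH_LO = 2 * PAGE_SIZE + 0x100;
static const uint32_t WATCH_HI = 2 * PAGE_SIZE + 0x180;

struct ve_info { uint32_t gpa; enum perm kind; unsigned view; };
static struct ve_info last_ve;          /* what the guest reads from the #VE information area */
static unsigned reported_api_calls;     /* execution crossing from the app domain into DLL code */
static unsigned reported_data_writes;   /* writes that land inside the watched range */
static unsigned filtered_events;        /* traps on the same 4K page that were not interesting */

/* Build the two monitoring domains: the policy lives entirely in page permissions. */
static void setup_views(void) {
    views[0].perm[0] = P_R | P_X;   /* app code executes in its own domain */
    views[0].perm[1] = P_R;         /* DLL code read-only: executing it crosses domains */
    views[0].perm[2] = P_R;         /* data page read-only so every write traps */
    views[0].perm[3] = P_R | P_W;
    views[1].perm[0] = P_R;         /* app code not executable from the DLL domain */
    views[1].perm[1] = P_R | P_X;
    views[1].perm[2] = P_R | P_W;   /* DLL domain writes data without trapping */
    views[1].perm[3] = P_R | P_W;
    cur_view = 0;
    reported_api_calls = reported_data_writes = filtered_events = 0;
}

/* VMFUNC leaf 0 (EPTP switching) stand-in: the guest changes view with no VM exit. */
static void vmfunc_switch_view(unsigned idx) { cur_view = idx; }

/* EPT walker check: true means the access violates the current view and raises #VE. */
static bool ept_violation(uint32_t gpa, enum perm kind) {
    return (views[cur_view].perm[gpa / PAGE_SIZE] & kind) == 0;
}

/* #VE handler of the in-guest monitoring service (steps 1-3 on slide 21). */
static void handle_ve(uint32_t gpa, enum perm kind, uint8_t value) {
    last_ve = (struct ve_info){ gpa, kind, cur_view };   /* 1. read #VE info */
    if (kind == P_X) {
        /* Execution crossed a domain boundary: an app -> DLL crossing is an API execution
           event; either way, continue in the view where the target page is executable. */
        if (cur_view == 0) reported_api_calls++;
        vmfunc_switch_view(gpa / PAGE_SIZE == 1 ? 1 : 0);   /* 3. continue sandboxed execution */
        return;
    }
    /* Write trap: EPT is page-granular, so filter by the watched byte range. */
    if (gpa >= WATCH_LO && gpa < WATCH_HI) reported_data_writes++;
    else filtered_events++;
    unsigned saved = cur_view;
    vmfunc_switch_view(1);          /* 2. emulate the single access in the permissive view */
    guest_mem[gpa] = value;
    vmfunc_switch_view(saved);      /* 3. analysis done, back to the monitoring view */
}

/* Accesses as issued by the monitored application. */
static void guest_write(uint32_t gpa, uint8_t value) {
    if (ept_violation(gpa, P_W)) handle_ve(gpa, P_W, value);
    else guest_mem[gpa] = value;
}
static void guest_exec(uint32_t gpa) {
    if (ept_violation(gpa, P_X)) handle_ve(gpa, P_X, 0);
}

/* Constructed scenario; returns api_calls*100 + watched_writes*10 + filtered. */
static unsigned run_scenario(void) {
    setup_views();
    guest_write(2 * PAGE_SIZE + 0x10, 0xAA);   /* same page as the watched range, outside it: filtered */
    guest_exec(1 * PAGE_SIZE + 0x40);          /* app -> DLL: reported as an API execution event */
    guest_exec(0 * PAGE_SIZE + 0x80);          /* DLL -> app: switch back, not reported */
    guest_write(WATCH_LO + 4, 0xBB);           /* inside the watched range: reported */
    return reported_api_calls * 100 + reported_data_writes * 10 + filtered_events;
}

int main(void) {
    unsigned summary = run_scenario();
    printf("summary=%u api_calls=%u watched_writes=%u filtered=%u view=%u\n",
           summary, reported_api_calls, reported_data_writes, filtered_events, cur_view);
    return 0;
}
```

The point of the model is the division of labour the slides describe: the CPU (here `ept_violation`) decides what traps, the VMM only sets the policy, and the in-guest service does the filtering and resumes through a view switch rather than a VM exit. The first write shows why slide 19 calls out 4K page sharing: the trap fires for the whole page, so the handler must discard writes outside the watched structure itself.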
Hardware Extensions for Improving Malware Sandbox
Enhanced instrumentation to observe zero-day/obfuscated behavior:
• Memory access and execution analysis.
• Kernel/user rootkit behavior.
• API, control flow attacks.
• Unpacking, de-obfuscating code.
CPU extensions:
- VMFUNC (low latency memory view switching).
- Virtualization Exceptions (low latency memory monitoring).
- …
[Figure: Intel CPUs with their extensions passed through to a VMM with introspection extensions; each VM (Windows/Android VM1, VM 2 … VM n) runs a sandboxing engine with its own memory views (enhanced sandboxing via processor feature pass-through).]
Addressing Evasion Challenges
Capabilities that can be enabled via hardware-enhanced introspection and family classification:
1. Hook-detection/skip avoidance.
2. Fingerprinting mitigation.
3. Kernel tamper detection.
4. User detection.
5. Latent behavior detection.
6. Timing virtualization.
[Figure: Microsoft Windows/Android VM1 on a VMM over Intel CPUs, showing malware, the monitored API, VM tools and the OS, with capabilities 1–6 annotated on the components where they apply.]
Looking Ahead 
Concluding thoughts
Future Directions and Research
• Finer-grain memory monitoring CPU primitives.
• Processor capabilities to detect/prevent malicious behavior via strong control-flow tracking.
• Machine-learning techniques to automate deeper analysis.
• Human interactivity modeling to expose latent code.
• Exploration of native hardware sandbox to reduce malware evasion opportunities.
Conclusion
• Combination of behavior and family classification addresses gaps to detect advanced malware.
• Hardware and software co-design to stay ahead of malware approaches.
• Evolving the McAfee Advanced Threat Defense platform:
  • Software improvements via open hypervisors.
  • Hardware-based differentiation to improve analysis.
• Ongoing research to stay ahead of evasion techniques.
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered 
trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of 
others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are 
provided without warranty of any kind, express or implied. Copyright © 2014 McAfee, Inc.


Editor's Notes

  1. Rahul works with the Advanced Threat Defense product development and research team. He brings over 10 years of security experience and specializes in APT detection and attribution. He holds two patents in the security space and has presented at security conferences around the world. Ravi Sahita is a security researcher at Intel Labs (Security & Privacy Research). He is working on CPU and software co-design techniques for computer security, with a focus on Virtualization. Ravi has developed the DeepSAFE* technology, and designed new CPU and firmware (Intel® AMT) features for system security.
  2. * http://www.mcafee.com/in/resources/reports/rp-economic-impact-cybercrime2.pdf. Increasing incidents of APT attacks year over year; co-ordinated persistent threat actors; multi-vector and multi-staged attacks; 85% increase in the growth of malware H1’13 vs H1’14; 300k new samples every day; Target breach: 146 million (http://cir.ca/news/target-stores-hacking-investigation).
  4. Hook-detection/skipping: CwSandbox bypass. Self/VM fingerprinting: VMware tools. Kernel tampering: Pushdo accesses PsCreateProcessNotifyRoutine to remove all registered callbacks; it can then create and terminate processes without raising any red flags. User detection: UpClicker, a trojan analyzed in December 2012, was among the earliest-discovered malware samples that used mouse clicks to detect human activity*. Latent behavior: Trojan Nap, uncovered in February 2013, takes this approach*; execution after reboot. Timing analysis. Ref