This presentation talks about some of the challenges in detecting advanced malware that uses evasion techniques such as inline assembly or previously unknown approaches. It also focuses on leveraging static code analysis as an opportunity to detect such evasive malware in the sandbox.
Detecting Evasive Malware in Sandbox
1. Detecting Evasive Malware in the Sandbox—The Latest from McAfee and Intel Labs
McAfee Confidential
Rahul Mohandas | Intel Security
Ravi Sahita | Intel Labs
2. Speakers
Rahul Mohandas
Research Manager
Intel Security
Ravi Sahita
Principal Engineer
Intel Labs
4. Evolution of Malware Attacks and Defenses
How did we get here?
A large number of enterprises had breaches over the past year. What can be done to better protect the network against these cyberthreats?
Evolution of defenses (figure, shown as Attack [Defense]):
• Reactive: md5/URL blacklists.
• Proactive: heuristics/protocol analysis.
• Predictive: static/behavioral and predictive analytics; malware attribution.
8. McAfee Advanced Threat Defense
(Figure: samples dispatched to VM 1, VM 2 … VM N running on a VMM.)
• Using static and dynamically derived program behavior.
• Provides advanced sandboxing capabilities:
  • Virtual CPUs.
  • Anti-anti-debugging.
• Need to unpack to get to original executable code for analysis:
  • Detect variants.
  • Understand potential paths.
  • Provide unpacked code for further analysis.
10. Sandbox Evasion
Advanced: inline assembly
• Use assembly code to bypass hooks:
  • Replace sleep() with an induced delay loop.
  • Bypasses sandboxes that have default analysis timeouts.
• Family classification to the rescue.
13. Quarian Evolution: Timeline
(Timeline figure spanning Dec ’11, Jan ’12, March ’12, July ’12, August ’13 and March ’14. Samples plotted on it, with similarity to the family prototype: prototype added, similarity 100%; sample ce1ef, 97%; sample 1d6b587, 83.54%; sample c0e5746dd, 68.09%; sample 93807cff6, 68.18%; sample f3862, 66.72%.)
14. Sandbox Evasion
Quarian: AppId Check
• APT actor active since 2011.
• Checks presence of registry key, exits if not found.
• Evades all known sandboxes relying on behavior only.
• Detected by McAfee® Advanced Threat Defense using static code analysis.
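The two evasion slides above (a delay loop replacing the hooked sleep() call, and a registry check that exits before any behavior is shown) both end in the same answer: family classification by static code similarity. The following is an added example, not code from the presentation or from McAfee Advanced Threat Defense, that shows the idea on constructed toy disassembly: it scores a sample against a family prototype by weighted Jaccard similarity over opcode trigrams, and shows that a variant whose Sleep call has been swapped for an inline delay loop still scores inside the family even though a hook on Sleep would never fire. The listings, the family name, the 60% threshold and the trigram measure are all assumptions of the example, not the product's method.

```python
"""Family classification by opcode n-gram similarity (added example).

Not code from the McAfee/Intel deck. The three listings are constructed
toy disassembly, not real samples; the measure and threshold are choices
made for the example.
"""
from collections import Counter


def mnemonics(listing):
    """Return the mnemonic of each instruction; labels and comments are skipped."""
    out = []
    for raw in listing.strip().splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.endswith(":"):
            continue
        out.append(line.split()[0].lower())
    return out


def ngrams(seq, n):
    """Multiset of sliding n-grams over a mnemonic sequence."""
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def similarity(a, b, n=3):
    """Weighted Jaccard similarity of two listings' n-gram multisets, in percent."""
    ca, cb = ngrams(mnemonics(a), n), ngrams(mnemonics(b), n)
    inter = sum((ca & cb).values())   # min counts
    union = sum((ca | cb).values())   # max counts
    return 100.0 * inter / union if union else 0.0


def calls_api(listing, api):
    """True if the listing makes a direct call to the named API (what a hook would see)."""
    api = api.lower()
    for raw in listing.strip().splitlines():
        parts = raw.split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "call" and parts[1].lower() == api:
            return True
    return False


def classify(sample, prototypes, threshold=60.0, n=3):
    """Best-matching family and its score; the family is None below the threshold."""
    best_family, best_score = None, 0.0
    for family, proto in prototypes.items():
        score = similarity(sample, proto, n)
        if score > best_score:
            best_family, best_score = family, score
    return (best_family if best_score >= threshold else None), best_score


# Constructed prototype: registry check, then Sleep, then the real work.
PROTOTYPE = """
push ebp
mov ebp, esp
sub esp, 0x40
push 0x80000001          ; HKEY_CURRENT_USER
lea eax, [ebp-0x40]
push eax
call RegOpenKeyExA
test eax, eax
jnz done                 ; key absent: exit without doing anything
push 60000
call Sleep
lea eax, [ebp-0x40]
push eax
call RegQueryValueExA
mov esi, eax
cmp esi, 0
jne done
call sub_401000
call sub_401200
done:
mov esp, ebp
pop ebp
ret
"""

# Constructed variant: identical logic, but Sleep replaced by an inline delay loop.
VARIANT = PROTOTYPE.replace(
    "push 60000\ncall Sleep\n",
    "mov ecx, 0x3fffffff\ndelay:\ndec ecx\njnz delay\n",
)

# Constructed unrelated code, for contrast.
UNRELATED = """
push ebp
mov ebp, esp
xor eax, eax
mov ecx, 0x10
top:
add eax, ecx
dec ecx
jnz top
pop ebp
ret
"""

FAMILIES = {"family_a": PROTOTYPE}

if __name__ == "__main__":
    for name, sample in (("variant", VARIANT), ("unrelated", UNRELATED)):
        fam, score = classify(sample, FAMILIES)
        print(f"{name}: calls Sleep={calls_api(sample, 'Sleep')}, "
              f"family={fam}, similarity={score:.2f}%")
```

The variant keeps 16 of the prototype's 20 trigrams (64% weighted Jaccard) while `calls_api` reports no Sleep call at all, which is the gap between hook-based behavior monitoring and static family classification that the slides describe. A production pipeline would normalise operands and compare at function granularity rather than over one raw mnemonic stream, and the threshold would be tuned against known-clean code; the measure here is deliberately minimal.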
17. Improving Malware Sandbox: Goals
(Figure: VM1, VM 2 … VM n on a VMM running on Intel CPUs.)
Enhance instrumentation to observe zero-day/obfuscated behavior:
• Memory access and execution analysis.
• Kernel/user rootkit-like behavior.
• API, control flow attacks.
• Unpacking, de-obfuscating code.
… without impacting analysis throughput.
18. OS-Independent Behavioral Memory Monitoring
CPU extended page tables (EPTs) as memory monitoring domains
(Figure: VM0 on CPU0 under a hypervisor using Intel® VT-x with EPT. The EPT walker translates guest pages to host physical addresses through Extended Page Table (EPT) domains; the same pages carry different permissions in different domains. Page labels in the figure: application code/data (RX/RW), application code/data (RO/NP), DLL code (RX), DLL code (RO), data (RW), data (NP). Execution crossing EPT domains, or data accesses, cause events.)
• Observe read, write, or execution from memory.
• Critical data structure tracking.
• Critical API execution tracking without circumvention.
Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x)
19. Addressing Technical Challenges
• Factors limiting memory monitoring:
  • Hardware context-switch time.
• Filtering uninteresting events with minimal overhead:
  • Monitoring data accesses requires filtering due to 4 KB page sharing.
• Analyzing execution patterns:
  • Without requiring single-stepping of all execution.
20. Hardware-Accelerated Behavioral Memory Analysis
• VM Function (VMFUNC) to switch EPTs or memory views without VMExits.
• Virtualization Exceptions (#VE) to directly notify guest of EPT access violations without VMExits.
Minimize exposure of VMM to reduce malware evasion opportunities.
(Figure: VM0 on CPU0 under a hypervisor using Intel® VT-x with EPT; the EPT walker selects among extended page tables, Memory View 1 and Memory View 2, laid over the same physical pages. The EPTP list is indexed by VMFUNC; EPT violations are reported via #VE.)
Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x)
21. Accelerating Behavior-Induced Events
• Behavioral memory monitoring policies set up via EPT domains.
• VMM opts in to convert induced EPT violations (observed events) to #VE.
• Monitoring software can use VMFUNC to switch views in order to analyze memory accesses and continue sandboxed execution.
(Figure: inside the VM sandbox, a monitored app and a monitoring service share EPT domains on Intel CPUs under the VMM. A WRITE to a page covered by the access policy raises #VE, delivering #VE info to the monitoring service, which then: 1. handles #VE; 2. sets up single step or emulates, using VMFUNC to switch views; 3. completes analysis.)
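Slides 18 to 21 describe one mechanism from three angles: per-page permissions in EPT domains, a VMFUNC switch between memory views that needs no VMExit, #VE delivered to an in-guest monitor, and a filter for unrelated data sharing a 4 KB page. The following is an added example, not code from the presentation and not a real hypervisor: a small Python model in which a vCPU holds an EPTP list of two views, a restricted view turns writes to a watched kernel structure into a #VE-style exception, and the monitoring service completes the one faulting access in the permissive view before switching back, reporting only accesses that land in the watched range. The page numbers, offsets, the callback-table layout and the two-view policy are constructed values chosen for the example; the scenario's "zeroing callback slots" is modelled on the Pushdo note in the speaker notes, seen from the monitoring side.

```python
"""Model of EPT memory views, VMFUNC view switching and #VE (added example).

Not code from the McAfee/Intel deck and not a real hypervisor: a
simulation of the monitoring flow the slides describe. All page numbers,
offsets and the watched structure are constructed values.
"""
PAGE = 0x1000


class VirtualizationException(Exception):
    """#VE: delivered in-guest with the faulting view, address and access kind."""

    def __init__(self, view, gpa, kind):
        super().__init__(f"#VE view={view} gpa={gpa:#x} kind={kind}")
        self.view, self.gpa, self.kind = view, gpa, kind


class Cpu:
    """A vCPU with an EPTP list; each view maps page number -> allowed access set."""

    def __init__(self, views):
        self.views = views    # position in this list is what VMFUNC selects
        self.current = 0
        self.memory = {}      # gpa -> value: constructed backing store

    def vmfunc_switch_view(self, index):
        """Switch views from inside the guest; no VMExit is involved."""
        if not 0 <= index < len(self.views):
            raise IndexError("EPTP index outside the EPTP list")
        self.current = index

    def access(self, gpa, kind, value=None):
        """Read ('r'), write ('w') or execute ('x'); raise #VE if the view forbids it."""
        allowed = self.views[self.current].get(gpa // PAGE, set())  # missing page = NP
        if kind not in allowed:
            raise VirtualizationException(self.current, gpa, kind)
        if kind == "w":
            self.memory[gpa] = value
        return self.memory.get(gpa, 0)


class MonitoringService:
    """In-guest agent: handles #VE, completes the access, records what matters."""
    RESTRICTED, PERMISSIVE = 0, 1

    def __init__(self, cpu, watched):
        self.cpu = cpu
        self.watched = watched   # (start_gpa, end_gpa) of the critical structure
        self.events = []         # reported events: (kind, gpa, value)
        self.filtered = 0        # accesses to other data sharing the watched page

    def guest_access(self, gpa, kind, value=None):
        """What the monitored app does; the #VE handler runs transparently."""
        try:
            return self.cpu.access(gpa, kind, value)
        except VirtualizationException as ve:
            return self.handle_ve(ve, value)

    def handle_ve(self, ve, value):
        # 1. Handle #VE: is the faulting address inside the watched structure?
        start, end = self.watched
        interesting = start <= ve.gpa < end
        # 2. Emulate just this access in the permissive view (no single-stepping
        #    of everything else), then drop back to the restricted view.
        self.cpu.vmfunc_switch_view(self.PERMISSIVE)
        try:
            result = self.cpu.access(ve.gpa, ve.kind, value)
        finally:
            self.cpu.vmfunc_switch_view(self.RESTRICTED)
        # 3. Complete analysis: only the watched range is reported; the rest of
        #    the shared page is filtered out to keep overhead down.
        if interesting:
            self.events.append((ve.kind, ve.gpa, value))
        else:
            self.filtered += 1
        return result


def build_sandbox():
    """Two views over the same pages (constructed layout):
    page 4: application code, RX in both views;
    page 7: kernel data page holding a 0x40-byte callback table at offset
            0x100 plus unrelated data; the restricted view makes it read-only."""
    restricted = {4: {"r", "x"}, 7: {"r"}}
    permissive = {4: {"r", "x"}, 7: {"r", "w"}}
    cpu = Cpu([restricted, permissive])
    table = 7 * PAGE + 0x100
    return cpu, MonitoringService(cpu, (table, table + 0x40))


def run_scenario():
    """Callback-slot zeroing beside unrelated writes on the same page."""
    cpu, mon = build_sandbox()
    mon.guest_access(4 * PAGE + 0x10, "x")           # normal code fetch, no event
    mon.guest_access(7 * PAGE + 0x800, "w", 0x41)    # unrelated data, same page
    mon.guest_access(7 * PAGE + 0x100, "w", 0x00)    # zeroing a callback slot
    mon.guest_access(7 * PAGE + 0x108, "w", 0x00)
    mon.guest_access(7 * PAGE + 0x810, "w", 0x42)    # more unrelated noise
    readback = mon.guest_access(7 * PAGE + 0x800, "r")  # the write did complete
    return mon.events, mon.filtered, cpu.current, readback


if __name__ == "__main__":
    print(run_scenario())
```

The scenario ends with two reported events (the two callback-slot writes), two filtered accesses, the vCPU back in the restricted view, and the unrelated write visible on read-back, so the monitored code ran to completion without noticing the policy. The two things a real implementation adds are a VMM that opts a guest's EPT violations into #VE delivery in the first place, and protection of the monitoring service's own pages so that the guest cannot simply switch views itself.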
22. Hardware Extensions for Improving Malware Sandbox
(Figure: VMM with introspection extensions on Intel CPUs; Windows/Android VM1, VM 2 … VM n each run a sandboxing engine over memory views; processor features are passed through for enhanced sandboxing.)
Enhanced instrumentation to observe zero-day/obfuscated behavior:
• Memory access and execution analysis.
• Kernel/user rootkit behavior.
• API, control flow attacks.
• Unpacking, de-obfuscating code.
CPU extensions:
- VMFUNC (low latency memory view switching).
- Virtualization Exceptions (low latency memory monitoring).
- …
23. Addressing Evasion Challenges
(Figure: malware inside a Microsoft Windows/Android VM1 with VM tools, OS and monitored API, running over a VMM on Intel CPUs; the numbered capabilities below are marked at the layer where each applies.)
Capabilities that can be enabled via hardware-enhanced introspection and family classification:
1. Hook-detection/skip avoidance.
2. Fingerprinting mitigation.
3. Kernel tamper detection.
4. User detection.
5. Latent behavior detection.
6. Timing virtualization.
25. Future Directions and Research
• Finer-grain memory monitoring CPU primitives.
• Processor capabilities to detect/prevent malicious behavior via strong control-flow tracking.
• Machine-learning techniques to automate deeper analysis.
• Human interactivity modeling to expose latent code.
• Exploration of native hardware sandbox to reduce malware evasion opportunities.
26. Conclusion
• Combination of behavior and family classification addresses gaps to detect advanced malware.
• Hardware and software co-design to stay ahead of malware approaches.
• Evolving the McAfee Advanced Threat Defense platform:
  • Software improvements via open hypervisors.
  • Hardware-based differentiation to improve analysis.
• Ongoing research to stay ahead of evasion techniques.
Rahul works with the Advanced Threat Defense product development and research team. He brings over 10 years of security experience and specializes in APT detection and attribution. He holds two patents in the security space and has presented at security conferences around the world.
Ravi Sahita is a security researcher at Intel Labs (Security & Privacy Research). He is working on CPU and software co-design techniques for computer security, with a focus on Virtualization. Ravi has developed the DeepSAFE* technology, and designed new CPU and firmware (Intel® AMT) features for system security.
- * http://www.mcafee.com/in/resources/reports/rp-economic-impact-cybercrime2.pdf
Increasing incidents of APT attacks year over year.
Co-ordinated persistent threat actors.
Multi-vector and multi-staged attacks.
85% increase in the growth of malware H1’13 vs H1’14.
300k new samples every day.
Target breach 146 million - http://cir.ca/news/target-stores-hacking-investigation
Evasion techniques and reference examples:
• Hook-detection/skipping: CwSandbox bypass.
• Self/VM fingerprinting: VMware tools.
• Kernel tampering: Pushdo accesses PsCreateProcessNotifyRoutine to remove all registered callbacks; it can then create and terminate processes without raising any red flags.
• User detection: UpClicker, a trojan analyzed in December 2012, was among the earliest-discovered malware samples that used mouse clicks to detect human activity.*
• Latent behavior: Trojan Nap, uncovered in February 2013, takes this approach.*
• Execution after reboot.
• Timing analysis.