Malware Analysis with Sandbox
email: alex.adamoff@gmail.com
LinkedIn: https://ua.linkedin.com/in/alexanderadamov
About Author
Alexander Adamov is a malware researcher and security trainer with over nine years’ experience in the antivirus industry, working for Kaspersky Lab and Lavasoft.
Alexander is a university lecturer who develops new courses for EU universities and at the same time gives lectures and training in network security, reverse engineering, and malware analysis.
At present he is running a Cloud Sandbox startup.
Outline
1) Use Cases
2) Sandbox Intro
3) Sandbox Report
4) Features
5) Web Interface
6) Incident Response and Data Flow
7) Technical Requirements
8) Demo
9) Conclusions
USE CASES
Case 1: APT “CosmicDuke” Analysis
APT (Advanced Persistent Threat) “CosmicDuke/MiniDuke” – July 2014
The malware can steal a variety of information, including files selected by extension and by file-name keywords:
*.exe;*.ndb;*.mp3;*.avi;*.rar;*.docx;*.url;*.xlsx;*.pptx;*.ppsx;*.pst;*.ost;*psw*;*pass*;*login*;*admin*;*sifr*;*sifer*;*vpn;*.jpg;*.txt;*.lnk;*.dll;*.tmp;*.obj;*.ocx;*.js
Also, the backdoor has many other capabilities including:
– Keylogger
– Skype password stealer
– General network information harvester
– Screen grabber (grabs images every 5 minutes)
– Clipboard grabber (grabs clipboard contents every 30 seconds)
– Microsoft Outlook, Windows Address Book stealer
– Google Chrome password stealer
– Google Talk password stealer
– Opera password stealer
– TheBat! password stealer
– Firefox, Thunderbird password stealer
– Drives/location/locale/installed software harvester
– WiFi network/adapter information harvester
– LSA secrets harvester
– Protected Storage secrets harvester
– Certificate/private keys exporter
– URL History harvester
– InteliForms secrets harvester
– IE Autocomplete, Outlook Express secrets harvester
– and more...
Example: “CosmicDuke” Builds
• 7 builds per day on average
• Spoofs legitimate apps
• Uses polymorphic encryption (UPolyXv05_v6) to hinder AV detection.
Example: “CosmicDuke” Victims
The victims of “CosmicDuke” fall into these categories:
• government
• diplomatic
• energy
• telecom operators
• military, including military contractors
• individuals involved in trafficking and selling illegal and controlled substances
Analysis in Sandbox
Old CosmicDuke (2013)
Report: https://www.dropbox.com/s/avxyrtcdkqtaqfq/report_edf7a81dab0bf0520bfb8204a010b730.htm?dl=0
New CosmicDuke (2014):
• NVIDIA WLMerger App
Report: https://www.dropbox.com/s/41t111saz3jy5yl/report_1276d0aa5ad16fb57426be3050a9bb0b.htm?dl=0
• Adobe Acrobat Updater
Report: https://www.dropbox.com/s/kvmp6rrc8f43s5t/report_d92faef56fa25120cb092f1b69838731.htm?dl=0
Sandbox analysis time for the three reports: 12 minutes (about 4 minutes per sample).
Case 2: APT “Epic Turla” Attack
“Epic Turla” is a massive cyber-espionage operation. The attackers behind it have infected several hundred computers in more than 45 countries, including:
• government institutions,
• embassies,
• military,
• education,
• research and pharmaceutical companies.
Types of “Epic Turla” Attacks
The attacks in this campaign fall into several categories depending on the vector used for the initial compromise:
• Spearphishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)
• Social engineering to trick the user into running malware installers with a ".SCR" extension, sometimes packed with RAR
• Watering hole attacks using Java exploits (CVE-2012-1723), Flash exploits (unknown) or Internet Explorer 6, 7, 8 exploits (unknown)
• Watering hole attacks that rely on social engineering to trick the user into running fake "Flash Player" malware installers.
Watering hole example: the infected website of the Palestinian Authority Ministry of Foreign Affairs.
Analysis in Sandbox
• Adobe PDF Exploits (Note_№107-41D.pdf CVE-2013-5065)
Report: https://www.dropbox.com/s/6l25orn9nlgl6ea/report_6776bda19a3a8ed4c2870c34279dbaa9.htm
– Dropped file (Epic/Tavdig/Wipbot backdoor):
Report: https://www.dropbox.com/s/lqw3vvzeudyt4kq/report_111ed2f02d8af54d0b982d8c9dd4932e.htm
• Spearphishing files:
– NATO position on Syria.scr
https://www.dropbox.com/s/6powxf2vo4y3fjp/4d667af648047f2bd24511ef8f36c9cc_report.htm
• Dropped Epic/Tavdig/Wipbot backdoor:
https://www.dropbox.com/s/citfclr08eul04x/report_ab686acde338c67bec8ab42519714273.htm
• Turla Carbon package
Report: https://www.dropbox.com/s/rivavmk8w2d56io/report_cb1b68d9971c2353c2d6a8119c49b51f.htm
Sandbox analysis time for the five reports: 20 minutes (about 4 minutes per sample).
Similar Solutions on the Market
• Norman G2 Analyzer
• ThreatAnalyzer (former GFI Sandbox,
CWSandbox )
• Cuckoo Sandbox
• VirusTotal online service
• FireEye MAS
• AlienVault Reputation Monitor
• Kaspersky Application Advisor (Beta)
SANDBOX REPORT
A Comparison of Sandbox Reports - 1

Data Type              | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC
Summary/File Details   | YES            | YES                       | YES                     | YES        | YES
Static Analysis:
  Dropped from         | no             | no                        | no                      | no         | YES
  Downloaded by        | no             | no                        | no                      | no         | YES
  Polymorphic          | no             | no                        | no                      | no         | YES
  PE Sections          | no             | no                        | no                      | YES        | YES
  VersionInfo          | no             | no                        | no                      | YES        | YES
A Comparison of Sandbox Reports - 2

Dynamic Analysis                 | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC
Payload = Behavior class         | no             | no                        | no                      | no         | YES
Process activities               | YES            | YES                       | YES                     | YES        | YES
File activities                  | YES            | YES                       | YES                     | no         | YES
Registry activity                | YES            | YES                       | YES                     | no         | YES
Rootkit activity                 | no             | no                        | no                      | no         | YES
Dropped PE files                 | YES            | no                        | no                      | no         | YES
HOSTS file anomalies             | no             | no                        | no                      | no         | YES
Propagation                      | no             | no                        | no                      | no         | YES
Named objects (mutexes, events)  | YES            | YES                       | YES                     | YES        | YES
A Comparison of Sandbox Reports - 3

Network Activities     | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC
URLs/DNS               | YES            | YES                       | YES                     | YES        | YES
IDS verdicts           | no             | no                        | no                      | YES        | YES
Traffic                | no             | YES                       | YES                     | YES        | YES
Detections:
  VirusTotal           | no             | YES                       | YES                     | YES        | YES
  Internal verdicts    | -              | YES                       | YES                     | YES        | YES
  Yara                 | YES            | no                        | no                      | YES        | YES
  Threat type          | no             | no                        | YES                     | no         | YES
  Behavior class       | no             | no                        | YES                     | no         | YES
  Danger level         | no             | YES                       | YES                     | no         | no
A Comparison of Sandbox Reports - 4

Others                       | Cuckoo Sandbox     | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC
Screenshot                   | YES                | YES                       | YES                     | no         | YES
Map                          | no                 | no                        | no                      | no         | YES
Strings from dumps           | no                 | no                        | no                      | no         | YES
Removal instructions         | no                 | no                        | no                      | no         | YES
Architecture:
  Sandbox hypervisor type    | Ubuntu/VirtualBox  | IntelliVM                 | -                       | -          | VMware ESX/Workstation
  Scalability                | no                 | YES                       | YES                     | YES        | YES
  Custom sandbox instances   | YES                | YES                       | YES                     | -          | YES
A Comparison of Sandbox Reports - 5

User Interface                          | Cuckoo Sandbox           | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC
UI type                                 | Console (Python scripts) | Web                       | Web                     | Web        | Web
Dashboard                               | No                       | YES                       | YES                     | No         | No
Queue manager                           | No                       | YES                       | YES                     | No         | YES
Report type                             | HTML                     | PDF                       | PDF                     | Web report | HTML/PDF/Blog
Sales                                   | Freeware                 | Direct                    | Direct                  | Direct     | -
Total number of “YES” (tables 1 to 5)   | 10                       | 15                        | 17                      | 12         | 30
More Report Examples
https://www.dropbox.com/s/kh7dm8rngokd2f6/7a500c46d62f6f39e4bb2716a323bc34_report.htm
https://www.dropbox.com/s/rz7vzueqyxy53hy/e046da1b39202825155947371254a4e6_report.htm
https://www.dropbox.com/s/cl5h1fi91dkbt0d/e76d42578057862b5823ac926304cc22_report.htm
VMRay Analyzer
Source: http://www.vmray.com/vmray-analyzer-features/
Covers all kinds of behavior
• All kinds of low-level control flow (API function calls, system calls, interrupts, APCs, DPCs, ...)
• All kinds of high-level semantics (filesystem, registry, network, user/group administration, ...)
• Monitors user- and kernel-mode code
• All process creation, code injection, and driver installation methods are tracked and detected
• Layer 7 protocols (HTTP, FTP, IRC, SMTP, DNS, ...) are identified and parsed
Comprehensive Data Collection
• Enriched output with function prototype information, GeoIP lookup information, and process dependency graphs
• Takes screenshots during execution
• Monitors network traffic and stores PCAP files
• Detects and stores all files that are generated or modified by the malware
VMRay Analyzer
Process dependency graphs
Lastline
Source: http://advancedmalware.lastline.com/discovery-report-for-2/21/2015-to-2/27/2015
Lastline Malware Risk Assessment
Sandbox Intro
• Sandbox in-the-cloud (SitC) is a new cloud-based malware analysis system for IS professionals and advanced users.
• It delivers a comprehensive analysis report in 4-5 minutes.
Integration to ISP Infrastructure
SANDBOX FEATURES
Sandbox Features
• Get an analysis report/verdict by hash or by file.
• Search for and track analyzed malware samples.
• Custom Yara rules are supported.
• Analysis time ~4 min.
• Scalable architecture (no limit on the number of samples processed) under VMware ESX.
• Web interface.
• >5000 samples analyzed daily on 8 CPU cores (Core i7).
Yara Rules are Supported
• Add your own signatures to detect files, memory dumps and traffic:
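The rule shown on this slide is an image that did not survive extraction. As an added example (not the author's code and not SitC's engine), the following Python script holds a hypothetical rule written in YARA syntax, a minimal matcher for the subset it uses (plain text strings plus an "any of them"/"all of them" condition; a real deployment hands the rule to YARA itself), and applies that one rule to the three object types the slide names: the sample as stored on disk, a memory dump, and captured traffic. All three artifacts are constructed: the on-disk sample hides the strings behind a simple XOR layer standing in for the polymorphic packer mentioned on the CosmicDuke slide, the dump has them in the clear, and the traffic is a plain HTTP request. The strings themselves are the CosmicDuke file-name keywords quoted earlier on the page; the rule illustrates the mechanism and is not a vetted detection signature.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical rule, written for this example in YARA syntax. The masks are the
# CosmicDuke file-name keywords quoted on the slides, not a vetted signature.
RULE_TEXT = r'''
rule CosmicDuke_filemask_example
{
    strings:
        $mask1 = "*psw*;*pass*;*login*;*admin*"
        $mask2 = "*sifr*;*sifer*"
    condition:
        any of them
}
'''


@dataclass
class Rule:
    name: str
    strings: Dict[str, bytes]   # identifier -> byte pattern
    condition: str              # "any" or "all"


def parse_rule(text: str) -> Rule:
    """Parse the small YARA subset used here: quoted text strings and an
    'any of them' / 'all of them' condition. Real rules go to YARA itself."""
    name = re.search(r'\brule\s+(\w+)', text).group(1)
    strings = {m.group(1): m.group(2).encode()
               for m in re.finditer(r'\$(\w+)\s*=\s*"([^"]*)"', text)}
    condition = re.search(r'\b(any|all)\s+of\s+them\b', text).group(1)
    return Rule(name, strings, condition)


def scan(rule: Rule, data: bytes) -> Dict[str, List[int]]:
    """Return {identifier: [offsets]} for every rule string found in data,
    or an empty dict when the rule's condition is not satisfied."""
    hits: Dict[str, List[int]] = {}
    for ident, pattern in rule.strings.items():
        offsets, pos = [], data.find(pattern)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(pattern, pos + 1)
        if offsets:
            hits[ident] = offsets
    satisfied = (len(hits) == len(rule.strings)) if rule.condition == "all" else bool(hits)
    return hits if satisfied else {}


def xor_pack(data: bytes, key: int) -> bytes:
    """Stand-in for the polymorphic layer: the same bytes, obfuscated on disk."""
    return bytes(b ^ key for b in data)


# Constructed artifacts, not real samples or captures.
CONFIG = b"*.docx;*.pst;*psw*;*pass*;*login*;*admin*;*sifr*;*sifer*;*vpn"
ON_DISK_SAMPLE = b"MZ" + xor_pack(CONFIG, 0x5A)          # packed: strings hidden
MEMORY_DUMP = b"\x00" * 64 + CONFIG + b"\x00" * 64        # unpacked in memory
TRAFFIC_PAYLOAD = b"GET /update.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


def scan_all(rule_text: str = RULE_TEXT) -> Dict[str, Dict[str, List[int]]]:
    """Apply one rule to the file, the memory dump and the traffic payload."""
    rule = parse_rule(rule_text)
    return {
        "file": scan(rule, ON_DISK_SAMPLE),
        "dump": scan(rule, MEMORY_DUMP),
        "traffic": scan(rule, TRAFFIC_PAYLOAD),
    }


if __name__ == "__main__":
    for layer, hits in scan_all().items():
        print(f"{layer:8s} {'MATCH' if hits else 'no match'} {hits}")
```

The point the three layers make: with the packer in place the rule never fires on the file as delivered, so a signature that only ever sees the dropped binary misses it; the same rule fires on the memory dump once the sample has unpacked itself, which is why a sandbox report that exposes strings from dumps (see the comparison tables) is worth more to a rule writer than static scanning alone.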
SANDBOX INTERFACE
Web Interface
• Search by MD5
• Manual sample upload via the web form (high priority)
• Stream analysis (low priority)
• Advanced search of the Sandbox database by time frame, verdict, Yara rule, etc.
• Reports (HTML, PDF) can be sent by email.
INCIDENT RESPONSE AND
DATA FLOW
Incident Response with SitC
Detection → Investigation → Analysis → Remediation → Prevention
Unknown threats can be sent to SitC for analysis as files or metadata when they enter the trust perimeter.
SitC can assign a severity level to a submitted threat, so the most critical ones go to the IRT immediately.
Malware analysis takes ~4 minutes.
All malicious activities are presented in the SitC report, together with removal recommendations. A removal script or tool can be generated in advance.
The SitC report contains propagation information, which helps in understanding the attack vector.
Operational Modes
1. On-Demand Analysis (High Priority)
– The user submits an object (file/traffic) via the web page; it is analyzed and kept on the storage.
– The report is generated and sent to the user’s email.
– When submitting an object, the user can choose the (pre-defined) type of virtual machine to be used for the analysis.
2. Stream Analysis (Low Priority)
– The input object (file/traffic) can also be copied to the sandbox incoming folder, where it is processed automatically with low priority.
– The user can access the analysis data saved on the storage for further analysis.
– The user can search for an already analyzed object by MD5 hash via the web page and get the HTML report.
3. Sandbox Configuration
– The user can add new Yara rules via the web page to detect files/dumps/traffic.
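The two intake paths above (web form at high priority, incoming folder at low priority) plus the MD5 lookup describe a scheduler with a hash-keyed report store. The following Python is an added example of that scheduler, written for this page and not the SitC code: `SandboxQueue`, `PRIORITY`, `static_facts` and the scenario in `walkthrough()` are all hypothetical, the sandbox run itself is stood in by a constructed function that only records static facts, and the sample bytes are constructed. It shows the ordering between the two queues, de-duplication of a sample that is already waiting, and a repeat submission being answered from the stored report instead of taking a VM slot.

```python
import hashlib
import heapq
import itertools
from typing import Callable, Dict, Optional, Tuple

# On-demand web submissions are served before anything from the stream folder.
PRIORITY = {"web": 0, "stream": 1}


class SandboxQueue:
    """Hypothetical scheduler for the two intake paths on the slides: on-demand
    (web form, high priority) and stream (incoming folder, low priority).
    Reports are indexed by MD5, so a repeat submission of a known sample
    returns the stored report instead of occupying a VM again."""

    def __init__(self, analyzer: Callable[[bytes, str], dict]):
        self._analyzer = analyzer            # runs the sample in a VM
        self._heap: list = []                # (priority, seq, md5, vm, email)
        self._seq = itertools.count()        # FIFO order within one priority
        self._pending: set = set()           # queued but not yet analyzed
        self._samples: Dict[str, bytes] = {}
        self._reports: Dict[str, dict] = {}  # md5 -> report ("the storage")

    @staticmethod
    def md5(data: bytes) -> str:
        return hashlib.md5(data).hexdigest()

    def submit(self, data: bytes, source: str, vm: str = "win7_x86",
               email: Optional[str] = None) -> Tuple[str, str]:
        """Queue one object. Returns (md5, status): 'cached' when a report
        already exists, 'duplicate' when the same sample is still waiting,
        otherwise 'queued'."""
        digest = self.md5(data)
        if digest in self._reports:
            return digest, "cached"
        if digest in self._pending:
            return digest, "duplicate"
        self._samples[digest] = data
        self._pending.add(digest)
        heapq.heappush(self._heap,
                       (PRIORITY[source], next(self._seq), digest, vm, email))
        return digest, "queued"

    def ingest_stream_folder(self, files: Dict[str, bytes]) -> int:
        """Bulk low-priority intake, as for files copied to the incoming
        folder. Returns how many were newly queued."""
        return sum(self.submit(data, "stream")[1] == "queued"
                   for data in files.values())

    def process_next(self) -> Optional[dict]:
        """Analyze the highest-priority job and store its report."""
        if not self._heap:
            return None
        _, _, digest, vm, email = heapq.heappop(self._heap)
        self._pending.discard(digest)
        report = self._analyzer(self._samples[digest], vm)
        report.update({"md5": digest, "vm": vm, "notify": email})
        self._reports[digest] = report
        return report

    def search(self, digest: str) -> Optional[dict]:
        """Web-interface lookup by MD5."""
        return self._reports.get(digest)


def static_facts(data: bytes, vm: str) -> dict:
    """Constructed stand-in for the sandbox run: the real system would detonate
    the sample in `vm` and record its behavior; here only static facts."""
    return {"size": len(data), "is_pe": data.startswith(b"MZ")}


def walkthrough() -> dict:
    """Constructed scenario: two stream-folder files, one urgent web upload
    that is resubmitted while pending, then a lookup of a finished report."""
    q = SandboxQueue(static_facts)
    stream = {"a.exe": b"MZ" + b"A" * 100, "b.bin": b"B" * 50}
    queued = q.ingest_stream_folder(stream)
    urgent = b"MZ" + b"C" * 10
    urgent_md5, first = q.submit(urgent, "web", email="irt@example.invalid")
    _, second = q.submit(urgent, "stream")       # same bytes, still pending
    order = []
    while (report := q.process_next()) is not None:
        order.append(report["md5"])
    _, third = q.submit(stream["a.exe"], "web")  # already analyzed
    return {"queued": queued, "first": first, "second": second, "third": third,
            "order": order, "urgent_md5": urgent_md5,
            "notify": q.search(urgent_md5)["notify"]}


if __name__ == "__main__":
    print(walkthrough())
```

One caveat a deployment should carry over: keying the store by MD5 alone, as the web interface does, means two different files with a colliding MD5 would share one report, and MD5 collisions are practical to construct. Index the storage by SHA-256 as well and keep MD5 only as a convenience lookup for analysts who still exchange MD5s.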
Technical Requirements for SitC Deployment
• VMware ESXi Server 5.1 (free use up to 32 GB RAM):
  • 8 CPU cores
  • 16 GB RAM
  • 4 TB low-speed HDD and 2 x 120 GB SSD
• Internet access (so malware can connect to remote servers and download updates)
• Incoming traffic (PE files, PCAP dumps) to the Sandbox
• Remote access via vSphere to set up and control the Sandbox
• The Sandbox server must be well isolated inside the local network to prevent malware from spreading: give the analysis VMs Internet egress only through a dedicated, monitored uplink and no route to internal hosts.
DEMO
• Cloud Sandbox Video – 2:38
Conclusions
1) SitC can potentially be used for:
• Analysis and detection of malicious or suspicious files.
• Analysis and detection of malicious network traffic (PCAP).
• Matching custom Indicators of Compromise (IoCs) with Yara rules.
• Finding 0-day attacks and APTs (via traffic analysis).
• Discovering infected hosts by their malicious traffic (connections to C&C servers).
2) Based on the comparison above, the SitC prototype produces the most comprehensive malware analysis report among the systems reviewed, and we want to test it in a real-life environment.

Editor's Notes
1. APT – Advanced Persistent Threat. Source for the CosmicDuke slides: http://securelist.com/blog/incidents/64107/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/
2. Source for the Epic Turla slides: http://securelist.com/analysis/publications/65545/the-epic-turla-operation/
3. Comparison tables: SitC ver 1.0 UI: dashboard, report format, scheduler, queue manager, etc. UI type: standalone app, web UI. How they sell products.
4. Demo: https://www.brighttalk.com/webcast/8303/81677 Old comment: example with SitC on board: AV detection (quarantine) -> analyze and find all downloaded/dropped files not detected -> use case: classic vs. SitC.