![Page 1: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/1.jpg)
Sandbox detection: leak, abuse, test
In cooperation with CrySyS lab, Budapest
2015
![Page 2: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/2.jpg)
root@kali:~# whoami
Zoltán Balázs
![Page 4: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/4.jpg)
I’m NOT a CEH
• Creator of the Zombie Browser Toolkit: https://github.com/Z6543/ZombieBrowserPack
• Creator of the HWFW Bypass tool: https://github.com/MRGEffitas/hwfwbypass
  • Idea later(?) implemented by nation state attackers in Duqu 2.0
• Invented the idea of encrypted exploit delivery via Diffie-Hellman key exchange, to bypass exploit detection appliances
  • Recently implemented by Angler and Nuclear exploit kit developers
![Page 5: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/5.jpg)
I love hacking
![Page 6: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/6.jpg)
Fun “CYBER” game – win a beer
Find one of the following words on the slides, or in a picture, and shout it:
• Cyberattack • Cyberbank • Cybereye • Cybershima • Cyberphobia
• Cybercloud • Cybergeddon • Cyberwarrior • Cybercompliance • Cybercyber • Cyberhacker • CyberCISO • CyberBYOD
![Page 7: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/7.jpg)
How may I help you?
• Are you writing malware during a pentest?
• Are you developing a new malware analysis sandbox?
• Are you analyzing malware and don’t know why it is not running in your sandbox?
• Are you testing malware analysis sandboxes, because you want to buy one?
• Are you bored and just want to watch a fun presentation?
![Page 8: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/8.jpg)
Current malware analysis
Static automated – malware is not started
• Easy to bypass
Dynamic automated – malware is started
• This presentation is about this type of analysis
Manual
• Hard to keep up with 200 000 new samples daily
• Analysis can take days, even weeks
![Page 9: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/9.jpg)
This is not the sandbox I am talking about today
![Page 10: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/10.jpg)
This is still not the sandbox I will talk about today
![Page 11: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/11.jpg)
This is the sandbox I want to talk about
• Malware analysis sandbox
• Breach detection system
• A(dvanced) P(ersistent) T(hreat) detector
• Malware ????? alert/report
@norsec0de
![Page 12: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/12.jpg)
What is my problem with these super cool sandboxes?
The problem is sometimes the:
• marketing department
• price
• real value
There are exceptions
![Page 13: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/13.jpg)
New anti APT tools are no silver bullets
http://bit.ly/1zZJkth
![Page 14: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/14.jpg)
How much $ £ ¥ € does it cost?
10 000 USD – 350 000 USD, plus yearly maintenance of up to 100 000 USD
You can buy this “company car” for the same price:
![Page 15: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/15.jpg)
Let’s meet the hero of the hour, Trevor the CISO at ACME Co.
![Page 16: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/16.jpg)
The Trevor dilemma
Trevor wants to protect the network against malware
• Vendor 1: “We detected the most 0-day exploits last year”
• Vendor 2: “We are the most expensive, so we are the best”
• Vendor 3: “We are the cheapest, so you can be compliant and save money”
• Vendor 4: “Come with us to the strip-club, we pay”
• Car Vendor 1: “The new model is out, what a nice company car”
![Page 17: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/17.jpg)
What should Trevor do?
![Page 18: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/18.jpg)
What about testing the sandbox?
There are thousands of aspects of how Trevor can test a malware analysis sandbox
Attackers (pentesters) deploy anti-sandbox techniques
One part of the test is to check the anti-anti-sandbox measures implemented in the sandbox
• If a lame, common malware can evade the dynamic analysis, the solution won’t protect Trevor against (advanced?) targeted attacks
![Page 19: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/19.jpg)
Why do attackers (pentesters) evade dynamic analysis by hiding in the shadows?
Long engagement
• The malware test doesn’t get busted on day one
Code reuse in new engagements
• You don’t have to reinvent the wheel every time for a new project
![Page 23: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/23.jpg)
What’s wrong with the current sandbox detection techniques?
• Too much focus on virtualization
  • but handy in targeted attacks!
• More and more legitimate targets in virtualized environments
  • but not the CEO on the road
• Methods already known and flagged as malicious
  • VMware I/O ports
• Methods already known, defeated and flagged
  • ProductID
![Page 24: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/24.jpg)
Workstation disguised as a VM
![Page 26: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/26.jpg)
VMware: SELECT SerialNumber FROM Win32_BIOS
VirtualBox: SELECT DeviceID FROM Win32_PnPEntity
VirtualBox detection technique defeated by Tsugumi from VBoxHardenedLoader
How Hacking Team malware evades detection when #YourBoySerge is not around
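The two WMI queries above, turned into a small classifier. This is an added example, not the talk's Sandbox_tester code. The marker strings are assumptions about what an unhardened hypervisor exposes: VMware fills the BIOS serial with "VMware-<16 hex bytes>", and VirtualBox's emulated PCI devices carry the InnoTek vendor ID 80EE (and its disks report "VBOX") in their PnP DeviceIDs. A VBoxHardenedLoader-style host rewrites exactly these strings, which is why the slide calls the VirtualBox check defeated. The sample values are constructed; the live path shells out to PowerShell's Get-CimInstance and returns nothing on non-Windows hosts.

```python
"""Classify a host as VMware / VirtualBox / unknown from Win32_BIOS.SerialNumber
and Win32_PnPEntity.DeviceID, the two properties the slide queries.

Added example. Marker strings are assumptions about unhardened hypervisors.
"""
import platform
import subprocess

VMWARE_BIOS_PREFIX = "VMware-"            # assumed VMware BIOS serial format
VBOX_PNP_MARKERS = ("VEN_80EE", "VBOX")   # assumed: InnoTek PCI vendor ID, VBOX disk model


def classify_bios_serial(serial):
    """Return "VMware" if the BIOS serial is the VMware placeholder, else None."""
    if serial and serial.strip().startswith(VMWARE_BIOS_PREFIX):
        return "VMware"
    return None


def classify_pnp_ids(device_ids):
    """Return "VirtualBox" if any PnP DeviceID carries a VirtualBox marker."""
    for dev in device_ids:
        upper = dev.upper()
        if any(marker in upper for marker in VBOX_PNP_MARKERS):
            return "VirtualBox"
    return None


def classify(serial, device_ids):
    """Combine both queries; the first hit wins (stop at first detection)."""
    return classify_bios_serial(serial) or classify_pnp_ids(device_ids)


def query_wmi(class_name, prop):
    """Live query through PowerShell's Get-CimInstance (Windows only).

    Returns [] elsewhere so the module still imports on Linux/macOS.
    """
    if platform.system() != "Windows":
        return []
    cmd = ["powershell", "-NoProfile", "-Command",
           f"Get-CimInstance {class_name} | Select-Object -ExpandProperty {prop}"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def classify_live():
    serials = query_wmi("Win32_BIOS", "SerialNumber")
    return classify(serials[0] if serials else "", query_wmi("Win32_PnPEntity", "DeviceID"))


# Constructed sample values, shaped like real WMI output.
SAMPLE_VMWARE_SERIAL = "VMware-56 4d 3c 7a 1b 0e 2f 9d-00 11 22 33 44 55 66 77"
SAMPLE_OEM_SERIAL = "To be filled by O.E.M."
SAMPLE_VBOX_PNP = [
    "ACPI\\PNP0A03\\0",
    "PCI\\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00\\3&267A616A&0&20",
    "IDE\\DISKVBOX_HARDDISK___________________________1.0_____\\5&1234ABCD&0&0.0.0",
]
SAMPLE_PHYSICAL_PNP = [
    "ACPI\\PNP0A03\\0",
    "PCI\\VEN_8086&DEV_1E3A&SUBSYS_05641028&REV_04\\3&11583659&0&B0",
]

if __name__ == "__main__":
    print(classify(SAMPLE_VMWARE_SERIAL, SAMPLE_PHYSICAL_PNP))   # VMware
    print(classify(SAMPLE_OEM_SERIAL, SAMPLE_VBOX_PNP))          # VirtualBox
    print(classify(SAMPLE_OEM_SERIAL, SAMPLE_PHYSICAL_PNP))      # None
    print("this host:", classify_live())
```

On a hardened VirtualBox the PnP query comes back looking like the physical sample, so a sandbox tester should treat a None here as "not busted by this check", not as "not a VM".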
![Page 28: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/28.jpg)
No live demo, Serge is not around to help
![Page 29: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/29.jpg)
How to interpret results
Both “probability of getting busted” and “sandbox detection effectiveness” are measured:
• Good sandbox detection effectiveness, but easily flagged as malicious
• Normal effectiveness, possibly flagged
• Hard to get flagged as malicious, but not effective
![Page 30: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/30.jpg)
Screen resolution
Pro tip: can be used in exploit kits, before the exploit
How many people browse the web with 800x600, or even 1024x768? Are these people your target?
JavaScript: screen.width, screen.height works in almost all browsers, except Tor Browser
![Page 31: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/31.jpg)
Screen resolution
• 43%: 1024x768 – this is a problem
• 36%: 800x600 – this is an even bigger problem
• 640x480 – this is just LOL
• 1024x697
• 1280x800
• 1280x960
• 1680x1050
• 1916x1066
![Page 32: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/32.jpg)
Installed software
• Python 2.5.1
• Tracer
• PHP 5.3.8
• Python winappdbg 1.4
• Debugging Tools for Windows x86
• Strawberry Perl
• VMware Tools
• VEware Tools
![Page 33: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/33.jpg)
Running processes on sandboxes
• C:\SandCastle\tools\FakeServer.exe
• C:\SandCastle\tools\FakeHTTPServer\FakeHTTPServer.exe
• C:\SandCastle\tools\BehaviorDumper.exe
• C:\Python27\python.exe
• C:\tsl\RaptorClient.exe
• C:\mapp_start_folder\snowball.exe (the sample, renamed)
• C:\tools\dumper.exe
• C:\VxStream\StaticStreamMgr.exe
![Page 34: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/34.jpg)
CPU type
• AMD Opteron(tm) Processor 3365 – server
• AMD Phenom(tm) 9550 Quad-Core Processor – server
• Intel Pentium III Xeon processor – server
• Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz – server
• Intel Pentium Pro processor – ???
• Intel Pentium II processor – ???
• Intel(R) Atom(TM) CPU D525 @ 1.80GHz – desktop
• Intel(R) Core(TM)2 Duo CPU T7700 @ 2.40GHz – desktop
![Page 35: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/35.jpg)
CPU 2
Most of the time:
• Number of cores: 1
Rarely seen in sandboxes:
• Number of cores: 2
• Number of cores: 4 (sandbox in Ukraine)
![Page 36: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/36.jpg)
Computer system – which one can be your real target (e.g. CEO)?
• Bochs
• VirtualBox
• VMware Virtual Platform
• KVM
• X7SPT-DF – Supermicro server platform
• MYTUAL MYVTUAL Platform
• OptiPlex 990 – Dell desktop
• 4287A72 – ThinkPad
• P5Q SE – Asus desktop
68% virtualized, 18% desktop, 14% server
![Page 37: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/37.jpg)
Mouse
• 80% no mouse movement
• 20% mouse moved
Observed cursor positions: X:0 Y:0, X:400 Y:300, X:600 Y:600
![Page 38: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/38.jpg)
Memory size (bytes)
• 133 730 304
• 133 734 400
• 267 894 784
• 267 952 128
• 536 330 240
• 536 403 968
• 804 765 696
• 804 818 944
• 1 073 201 152
• 1 073 274 880
• 1 073 328 128
• 3 219 877 888
• 4 293 337 088
• 4 294 500 352
![Page 39: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/39.jpg)
Machine name
• Antony PC
• C2F3F0B206C14E9C
• WS01_23
• David PC
• GOAT WXPSP2
• BGT FDCCD9A7405D
• HOME
• HOME OFF D5F0AC
• Klone PC
• CyberEye
• PSPUBWS PCPUBLIC EA8367E7
• RON AC13BF686B1
• ROOT DSANDBOXATESPC0
• test PC
• USER201
• USERDOMAIN
• vwinxp maltest
• WILBERT SC1317
Machine name as a white-list can be powerful
![Page 43: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/43.jpg)
Real “user” desktop, busy working
Screenshots from the Hacked Team torrent, c.pozzi\screenshots
![Page 44: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/44.jpg)
USB flash drive
Usually:
• no pendrive
Rarely seen:
• 128MB USB2.0 FlashDrive USB Device
• IPMI Virtual CDROM USB Device
• Kingston DataTraveler 2.0 USB Device
![Page 45: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/45.jpg)
Printer
The only printers in sandboxes:
• Default Windows printers
• Adobe
• Office (Send To OneNote)
![Page 46: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/46.jpg)
Not effective
• Detect usermode hooking of DeleteFileW, RegOpenKeyExA
• Connect to local port 445
• Click on a message box
• BIOS version
![Page 47: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/47.jpg)
Recently modified/created files
Based on the folder you are looking at (Desktop, Documents, AppData, Temp, …):
• usually fewer than 3 on sandboxes
• a lot more than 3 on desktops
Downside: slow
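The recently-modified-files check from this slide as working code, including the "slow" caveat: the walk stops as soon as it has enough evidence either way and caps the number of stat() calls. This is an added example, not the talk's tool; the thresholds (fewer than 3 recent files means sandbox, 30-day window) are assumptions taken from the slide, and the sample directory trees are constructed in a temp folder so the script runs anywhere.

```python
"""Count recently modified files in the folders a real user touches and
decide whether the machine looks like a freshly built sandbox image.

Added example. Thresholds are assumptions read off the slide.
"""
import os
import tempfile
import time

SANDBOX_MAX_RECENT = 3      # slide: "usually fewer than 3 on sandboxes"
DAY = 86400


def count_recent_files(folder, days=30, enough=50, max_entries=5000):
    """Number of files under `folder` modified in the last `days` days.

    Stops at `enough` hits (clearly a used machine) or after `max_entries`
    stat() calls, so a huge AppData tree cannot stall the sample for minutes.
    """
    cutoff = time.time() - days * DAY
    recent = scanned = 0
    for root, _dirs, files in os.walk(folder):
        for name in files:
            scanned += 1
            if scanned > max_entries:
                return recent
            try:
                mtime = os.stat(os.path.join(root, name)).st_mtime
            except OSError:        # broken link, access denied, file vanished
                continue
            if mtime >= cutoff:
                recent += 1
                if recent >= enough:
                    return recent
    return recent


def looks_like_sandbox(folders, days=30):
    """True if all folders together hold at most SANDBOX_MAX_RECENT recent files."""
    total = 0
    for folder in folders:
        if os.path.isdir(folder):
            total += count_recent_files(folder, days)
            if total > SANDBOX_MAX_RECENT:
                return False       # enough activity, stop walking
    return True


def user_folders():
    """The folders the slide names, resolved from the environment."""
    home = os.path.expanduser("~")
    return [os.path.join(home, "Desktop"),
            os.path.join(home, "Documents"),
            os.environ.get("APPDATA", os.path.join(home, "AppData", "Roaming")),
            tempfile.gettempdir()]


def make_sample_tree(recent, old):
    """Constructed fixture: `recent` fresh files plus `old` files dated 90 days back."""
    base = tempfile.mkdtemp(prefix="sbx_")
    stale = time.time() - 90 * DAY
    for i in range(recent):
        open(os.path.join(base, f"new{i}.docx"), "w").close()
    for i in range(old):
        path = os.path.join(base, f"old{i}.txt")
        open(path, "w").close()
        os.utime(path, (stale, stale))
    return base


if __name__ == "__main__":
    busy = make_sample_tree(recent=12, old=4)
    clean = make_sample_tree(recent=1, old=2)
    print(count_recent_files(busy), looks_like_sandbox([busy]))     # 12 False
    print(count_recent_files(clean), looks_like_sandbox([clean]))   # 1 True
    print("this host:", looks_like_sandbox(user_folders()))
```

A sandbox operator defeats this the way the closing slide suggests: dump a real workstation and keep its file timestamps moving, rather than snapshotting a clean image once.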
![Page 48: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/48.jpg)
Client IP and reverse DNS
See http://avtracker.info/
Magnitude exploit kit:
• “The code searches the "banlist" database table for the victim's source IP address. This table contains about 1,400 IP range records belonging to several high profile companies”
• Banbyhostname() searches for the presence of the following words in the victim's hostname: "whois", "proxy", "yahoo", "opera", ".mil", ".gov", "google", "demon", "localhost", "dedicated", "hosting", "leaseweb", "cisco" and "bot".
• Source: Trustwave SpiderLabs Blog, https://www.trustwave.com/Resources/SpiderLabs-Blog
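The server-side filter the Trustwave write-up describes, as an added example (not Magnitude's code). The banned IP ranges are constructed from RFC 5737 documentation space standing in for the real ~1,400 vendor ranges; the hostname words are the ones quoted on the slide, and matching is plain substring matching, as described, which is why the last constructed visitor is a false positive.

```python
"""Victim filtering in the style of Magnitude's banlist and Banbyhostname().

Added example. Ranges are constructed placeholders; words are from the slide.
"""
import ipaddress

BANNED_RANGES = [ipaddress.ip_network(net) for net in (
    "203.0.113.0/24",      # constructed: stand-in for a security vendor's egress range
    "198.51.100.128/25",   # constructed: stand-in for a hosting provider
)]

BANNED_HOST_WORDS = ("whois", "proxy", "yahoo", "opera", ".mil", ".gov", "google",
                     "demon", "localhost", "dedicated", "hosting", "leaseweb",
                     "cisco", "bot")


def ban_by_ip(ip):
    """True if `ip` falls in a banned range, or cannot be parsed (fail closed)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in BANNED_RANGES)


def ban_by_hostname(hostname):
    """Banbyhostname(): case-insensitive substring search over the reverse DNS name."""
    lowered = (hostname or "").lower()
    return any(word in lowered for word in BANNED_HOST_WORDS)


def should_serve_exploit(ip, reverse_dns):
    """Decision a landing page makes before sending the exploit: both checks must pass."""
    return not ban_by_ip(ip) and not ban_by_hostname(reverse_dns)


# Constructed visitors
VISITORS = [
    ("203.0.113.7", "scanner7.example.net"),          # banned range
    ("192.0.2.10", "crawler-bot.google.com"),          # banned hostname words
    ("192.0.2.10", "dsl-pool-1.isp.example"),          # would be served
    ("192.0.2.11", "www.botanical-gardens.example"),   # substring false positive on "bot"
]

if __name__ == "__main__":
    for ip, rdns in VISITORS:
        print(ip, rdns, "serve" if should_serve_exploit(ip, rdns) else "ban")
```

The same function is useful on the defending side: run it against the sandbox's egress IP and reverse DNS to see whether a kit using this list would simply refuse to exploit it, which is exactly the kind of information avtracker.info catalogues.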
![Page 49: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/49.jpg)
Where to implement these sandbox detection methods?
1. Automated decision, in the malware
  • Pro – no info leak about the C&C
  • Con – not everything can be implemented here
2. Automated, on the C&C server
  • Pro – a lot more possibilities
  • Con – C&C server info is leaked
3. Manually, using info from the C&C server
  • Pro – powerful, e.g. analyze a desktop screenshot
  • Con – expensive
Best approach:
• Use all three layers, stop execution at the first detection
![Page 50: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/50.jpg)
Know your victim
• Are you attacking desktop users, but the malware starts on Xeon processors?
• Are you targeting a CEO, but it runs on a Pentium II with 128 MByte of memory?
• Desktop user with no printers installed?
• Desktop user who never used a USB flash drive?
• OS uptime is 1 minute?
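The "know your victim" questions and the fingerprint leaks from the preceding slides (CPU type, core count, memory, screen resolution, machine name, printers, USB history, mouse, uptime) combined into one expectation check. This is an added example, not the talk's tool. The thresholds and marker words are assumptions derived from the leaked values (server CPUs, one core, well under 2 GB RAM, 800x600/1024x768 screens, names like SANDBOX or maltest, fresh boot); each check is one line of evidence and the decision counts them, so a single odd but legitimate value (a CAD workstation on a Xeon) does not abort the run, while a hostname on the operator's whitelist wins outright. The three host profiles are constructed.

```python
"""Expectation-based sandbox check: compare the host the sample landed on
with the victim the operator actually expects.

Added example. Thresholds, marker lists and profiles are assumptions.
"""
import os
import platform
from dataclasses import dataclass

SERVER_CPU_WORDS = ("xeon", "opteron", "epyc")
ANCIENT_CPU_WORDS = ("pentium pro", "pentium ii")        # also matches "pentium iii"
SANDBOX_RESOLUTIONS = {(640, 480), (800, 600), (1024, 768)}
SANDBOX_NAME_WORDS = ("sandbox", "maltest", "test", "goat", "klone", "cuckoo")
MIN_DESKTOP_MEMORY = 2 * 1024 ** 3      # assumed: real desktops in 2015 had 2 GB+
MIN_UPTIME_SECONDS = 10 * 60            # assumed: slide shows 1 minute of uptime


@dataclass
class HostProfile:
    cpu: str
    cores: int
    memory_bytes: int
    screen: tuple
    hostname: str
    uptime_seconds: int
    printers: int
    usb_history: bool
    mouse_moved: bool


def sandbox_indicators(p):
    """Return the list of expectations a desktop victim violates."""
    cpu = p.cpu.lower()
    found = []
    if any(w in cpu for w in SERVER_CPU_WORDS):
        found.append("server CPU")
    if any(w in cpu for w in ANCIENT_CPU_WORDS):
        found.append("emulated/ancient CPU")
    if p.cores < 2:
        found.append("single core")
    if p.memory_bytes < MIN_DESKTOP_MEMORY:
        found.append("low memory")
    if tuple(p.screen) in SANDBOX_RESOLUTIONS:
        found.append("sandbox screen resolution")
    if any(w in p.hostname.lower() for w in SANDBOX_NAME_WORDS):
        found.append("suspicious hostname")
    if p.uptime_seconds < MIN_UPTIME_SECONDS:
        found.append("fresh boot")
    if p.printers == 0:
        found.append("no printer")
    if not p.usb_history:
        found.append("no USB history")
    if not p.mouse_moved:
        found.append("no mouse movement")
    return found


def decide(p, whitelist=(), threshold=3):
    """'run' or 'quit'. A whitelisted hostname runs regardless; otherwise quit at threshold."""
    if p.hostname.upper() in {h.upper() for h in whitelist}:
        return "run"
    return "quit" if len(sandbox_indicators(p)) >= threshold else "run"


def local_partial_profile():
    """The few fields this script can read portably about its own host."""
    return {"hostname": platform.node(), "cores": os.cpu_count() or 1,
            "cpu": platform.processor()}


# Constructed profiles
SANDBOX = HostProfile("Intel Pentium II processor", 1, 133_730_304, (800, 600),
                      "SANDBOX", 60, 0, False, False)
CEO_LAPTOP = HostProfile("Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz", 4, 16 * 1024 ** 3,
                         (1920, 1080), "ACME-CEO-LT", 3 * 86400, 2, True, True)
ODD_BUT_REAL = HostProfile("Intel(R) Xeon(R) CPU E5-1620 v2 @ 3.70GHz", 8, 32 * 1024 ** 3,
                           (2560, 1440), "ACME-CAD-07", 5 * 86400, 0, True, True)

if __name__ == "__main__":
    for name, prof in (("sandbox", SANDBOX), ("ceo", CEO_LAPTOP), ("cad", ODD_BUT_REAL)):
        print(name, decide(prof), sandbox_indicators(prof))
    print(local_partial_profile())
```

For a blue team this doubles as a checklist: every indicator the function reports against your own sandbox image is a value the "customize your sandbox to match your desktops" advice says to change.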
![Page 51: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/51.jpg)
The hard problems – Part 1
Is the sleep function simulated?
• No (89%)
  • Sleep for a certain amount of time
  • Reach the timeout limit (5 minutes)
  • PROFIT
• Yes (11%)
  • Easy to detect
  • Detect it and quit
  • PROFIT
Solution (for the sandbox side):
• Continuous sandboxing
![Page 52: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/52.jpg)
The hard problems – Part 2
Network connection: is there an HTTP connection to the Internet (directly or via proxy)?
• Yes
  • Leak some data – e.g. multiple screenshots
  • Decide on the server side
  • PROFIT
• No
  • If you don’t target air-gapped machines, it’s safe to quit
  • PROFIT
• There is one, but it is emulated
  • Detect it by downloading a known object
  • Calculate its hash
  • Compare
  • PROFIT
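Both hard problems (Part 1 and Part 2) as one decision routine, added here as an example and not taken from the talk. Sleep check: a sandbox that patches the sleep call returns at once; one that also advances the wall clock to hide that still cannot shorten the monotonic counter, so both clocks are compared with the requested delay (this is a heuristic about which clocks a given sandbox fakes, not a guarantee). Network check: fetch an object whose hash the operator already knows; a sandbox that fakes the Internet answers every URL with a canned page, which hashes differently, and no answer at all means no connectivity. The URL, the known object and the three fake fetchers are constructed placeholders.

```python
"""Is Sleep() simulated, and is the network real? Added example.

The URL/object are placeholders; the fake_* fetchers stand in for the three
environments so the decision logic can be exercised offline.
"""
import hashlib
import time
import urllib.request

KNOWN_OBJECT_URL = "https://updates.example.com/static/logo.png"   # placeholder
KNOWN_OBJECT = b"\x89PNG\r\n\x1a\n constructed stand-in for the real file"
EXPECTED_SHA256 = hashlib.sha256(KNOWN_OBJECT).hexdigest()        # operator knows this up front


def sleep_is_faked(seconds=2.0, tolerance=0.8):
    """True if the sleep returned in under tolerance * seconds on either clock."""
    wall0, mono0 = time.time(), time.perf_counter()
    time.sleep(seconds)
    wall = time.time() - wall0
    mono = time.perf_counter() - mono0
    return min(wall, mono) < seconds * tolerance


def http_fetch(url, timeout=10):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def network_state(fetch=http_fetch, url=KNOWN_OBJECT_URL, expected=EXPECTED_SHA256):
    """'none' (no connectivity), 'emulated' (wrong content) or 'real'."""
    try:
        body = fetch(url)
    except OSError:          # URLError is an OSError subclass: DNS, timeout, refused
        return "none"
    return "real" if hashlib.sha256(body).hexdigest() == expected else "emulated"


def next_step(sleep_faked, net_state, target_airgapped=False):
    """Slide logic: quit on any detection; with no network, quit unless air-gapped hosts are targets."""
    if sleep_faked or net_state == "emulated":
        return "quit"
    if net_state == "none" and not target_airgapped:
        return "quit"
    return "continue"


# Constructed fetchers standing in for the three environments
def fake_real(url):
    return KNOWN_OBJECT


def fake_emulated(url):
    return b"<html><body>canned sandbox response</body></html>"


def fake_offline(url):
    raise OSError("network unreachable")


if __name__ == "__main__":
    faked = sleep_is_faked(1.0)
    state = network_state()          # real fetch; fails closed to "none" offline
    print("sleep faked:", faked, "network:", state, "->", next_step(faked, state))
```

The 89% case on the slide (sleep not simulated) is not detected by this routine at all; it is defeated by simply sleeping past the analysis timeout, which is why the sandbox-side answer is continuous sandboxing rather than a smarter sleep hook.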
![Page 53: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/53.jpg)
My lessons learned
Creating an executable which runs on every malware analysis sandbox is a lot harder than expected
• Even when the sample runs on everything from WinXP SP2 to Win8.1 x64
Size limitations
• Free sandboxes: 5 MByte
Sandbox does not follow the child process
• Sometimes
Only one thread executed
• Was this a manual analysis?
Unknown crash
• For unknown reasons
![Page 54: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/54.jpg)
Lessons learned
Malware writers (penetration testers)
• It is incredibly easy to evade static and dynamic analysis
• Manual analysis is hard (or impossible) to defeat
  • But possible with a lot of samples and new tricks in the long run!
Sandbox developers
• If you are selling your sandbox for $$$, try harder
• Dump a real user workstation and keep it updated with user behavior
• It is hard to do it right, but easy to do it wrong
Blue team/defensive side
• Test your sandbox before buying
• Customize your sandbox to match your desktops
• Don’t trust the marketing/sales department
• There are some good sandboxes out there!
![Page 55: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/55.jpg)
After a good test, Trevor can choose wisely
![Page 56: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/56.jpg)
Code release now?
![Page 57: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/57.jpg)
The basics
• https://github.com/hfiref0x/VMDE
• https://github.com/hfiref0x/VBoxHardenedLoader
• http://www.kernelmode.info/forum/viewtopic.php?f=11&t=1911
• http://blog.michaelboman.org/2014/01/making-virtualbox-nearly-undetectable.html
• https://github.com/wmetcalf/buildcuckoo-trusty
• http://avtracker.info/
• http://jbremer.org/vmcloak2/
• https://www.youtube.com/watch?v=Ez_Gl5D_BV0
• https://github.com/Yara-Rules/rules/blob/master/antidebug.yar
![Page 58: Sandbox detection: leak, abuse, test - Hacktivity 2015](https://reader034.vdocuments.net/reader034/viewer/2022052606/58abf0bf1a28ab504e8b655d/html5/thumbnails/58.jpg)
Hack the planet! One computer at a time …
https://github.com/MRGEffitas/Sandbox_tester
https://hu.linkedin.com/in/zbalazs
Twitter – @zh4ck
www.slideshare.net/bz98
Greetz to @CrySySLab, @SpamAndHex
JumpESPJump.blogspot.com