Download - Sandbox kiev
Malware Analysis with Sandbox
email: [email protected]
LinkedIn: https://ua.linkedin.com/in/alexanderadamov
About Author
Alexander Adamov is a malware researcher and a security trainer with over nine years’ experience in the antivirus industry working for Kaspersky Lab and Lavasoft.
Alexander is a university lecturer who develops new courses for EU universities and also gives lectures and trainings in network security, reverse engineering, and malware analysis.
At present he is running a Cloud Sandbox startup.
Outline
1) Use Cases
2) Sandbox Intro
3) Sandbox Report
4) Features
5) Web Interface
6) Incident Response and Data Flow
7) Technical Requirements
8) Demo
9) Conclusions
USE CASES
Case 1: APT “CosmicDuke” Analysis
APT* “CosmicDuke/MiniDuke” – July 2014
The malware can steal a variety of information, including files based on extensions and file name keywords:
*.exe;*.ndb;*.mp3;*.avi;*.rar;*.docx;*.url;*.xlsx;*.pptx;*.ppsx;*.pst;*.ost;*psw*;*pass*;*login*;*admin*;*sifr*;*sifer*;*vpn;*.jpg;*.txt;*.lnk; *.dll;*.tmp;*.obj;*.ocx;*.js
Also, the backdoor has many other capabilities including:
– Keylogger
– Skype password stealer
– General network information harvester
– Screen grabber (grabs images every 5 minutes)
– Clipboard grabber (grabs clipboard contents every 30 seconds)
– Microsoft Outlook, Windows Address Book stealer
– Google Chrome password stealer
– Google Talk password stealer
– Opera password stealer
– TheBat! password stealer
– Firefox, Thunderbird password stealer
– Drives/location/locale/installed software harvester
– WiFi network/adapter information harvester
– LSA secrets harvester
– Protected Storage secrets harvester
– Certificate/private keys exporter
– URL History harvester
– InteliForms secrets harvester
– IE Autocomplete, Outlook Express secrets harvester
– and more...
Example: “CosmicDuke” Builds
• 7 builds per day on average
• Spoofs legitimate Apps
• Uses polymorphic encryption by UPolyXv05_v6 to hamper AV detection.
Example: “CosmicDuke” Victims
The victims of “CosmicDuke” fall into these categories:
• government
• diplomatic
• energy
• telecom operators
• military, including military contractors
• individuals involved in the trafficking and selling of illegal and controlled substances
Analysis in Sandbox
Old CosmicDuke 2013 Report: https://www.dropbox.com/s/avxyrtcdkqtaqfq/report_edf7a81dab0bf0520bfb8204a010b730.htm?dl=0
New CosmicDuke 2014:
• NVIDIA WLMerger App Report: https://www.dropbox.com/s/41t111saz3jy5yl/report_1276d0aa5ad16fb57426be3050a9bb0b.htm?dl=0
• Adobe Acrobat Updater Report: https://www.dropbox.com/s/kvmp6rrc8f43s5t/report_d92faef56fa25120cb092f1b69838731.htm?dl=0
12 minutes
Case 2: APT “Epic Turla” Attack
The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including:
• government institutions,
• embassies,
• military,
• education,
• research and pharmaceutical companies.
“Epic Turla” is a massive cyber-espionage operation.
Type of “Epic Turla” Attacks
• Spearphishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)
• Social engineering to trick the user into running malware installers with ".SCR" extension, sometimes packed with RAR
• Watering hole attacks using Java exploits (CVE-2012-1723), Flash exploits (unknown) or Internet Explorer 6,7,8 exploits (unknown)
• Watering hole attacks that rely on social engineering to trick the user into running fake "Flash Player" malware installers.
Watering Hole example: infected Palestinian Authority Ministry of Foreign Affairs
The attacks in this campaign fall into several different categories depending on the vector used in the initial compromise:
Analysis in Sandbox
• Adobe PDF Exploits (Note_№107-41D.pdf, CVE-2013-5065)
Report: https://www.dropbox.com/s/6l25orn9nlgl6ea/report_6776bda19a3a8ed4c2870c34279dbaa9.htm
– Dropped file (Epic/Tavdig/Wipbot backdoor):
Report: https://www.dropbox.com/s/lqw3vvzeudyt4kq/report_111ed2f02d8af54d0b982d8c9dd4932e.htm
• Spearphishing files:
– NATO position on Syria.scr
https://www.dropbox.com/s/6powxf2vo4y3fjp/4d667af648047f2bd24511ef8f36c9cc_report.htm
• Dropped Epic/Tavdig/Wipbot backdoor: https://www.dropbox.com/s/citfclr08eul04x/report_ab686acde338c67bec8ab42519714273.htm
• Turla Carbon package
Report: https://www.dropbox.com/s/rivavmk8w2d56io/report_cb1b68d9971c2353c2d6a8119c49b51f.htm
20 minutes
Similar Solutions on the Market
• Norman G2 Analyzer
• ThreatAnalyzer (former GFI Sandbox, CWSandbox)
• Cuckoo Sandbox
• VirusTotal online service
• FireEye MAS
• AlienVault Reputation Monitor
• Kaspersky Application Advisor (Beta)
SANDBOX REPORT
A Comparison of Sandbox Reports - 1

Data Type            | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC
---------------------|----------------|---------------------------|-------------------------|------------|-----
Summary/File Details | YES            | YES                       | YES                     | YES        | YES
Static Analysis      |                |                           |                         |            |
Dropped from         | no             | no                        | no                      | no         | YES
Downloaded by        | no             | no                        | no                      | no         | YES
Polymorphic          | no             | no                        | no                      | no         | YES
PE Sections          | no             | no                        | no                      | YES        | YES
VersionInfo          | no             | no                        | no                      | YES        | YES
A Comparison of Sandbox Reports - 2

Dynamic Analysis                | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC
--------------------------------|----------------|---------------------------|-------------------------|------------|-----
Payload=Behavior class          | no             | no                        | no                      | no         | YES
Process activities              | YES            | YES                       | YES                     | YES        | YES
File Activities                 | YES            | YES                       | YES                     | no         | YES
Registry activity               | YES            | YES                       | YES                     | no         | YES
Rootkit activity                | no             | no                        | no                      | no         | YES
Dropped PE Files                | YES            | no                        | no                      | no         | YES
HOSTS file anomalies            | no             | no                        | no                      | no         | YES
Propagation                     | no             | no                        | no                      | no         | YES
Named Objects (Mutexes, Events) | YES            | YES                       | YES                     | YES        | YES
A Comparison of Sandbox Reports - 3

Network Activities | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC
-------------------|----------------|---------------------------|-------------------------|------------|-----
URLs/DNS           | YES            | YES                       | YES                     | YES        | YES
IDS Verdicts       | no             | no                        | no                      | YES        | YES
Traffic            | no             | YES                       | YES                     | YES        | YES
Detections         |                |                           |                         |            |
Virus Total        | no             | YES                       | YES                     | YES        | YES
Internal Verdicts  | -              | YES                       | YES                     | YES        | YES
Yara               | YES            | no                        | no                      | YES        | YES
Threat Type        | no             | no                        | YES                     | no         | YES
Behavior class     | no             | no                        | YES                     | no         | YES
Danger level       | no             | YES                       | YES                     | no         | no
A Comparison of Sandbox Reports - 4

Others                   | Cuckoo Sandbox     | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC
-------------------------|--------------------|---------------------------|-------------------------|------------|--------------------------
Screenshot               | YES                | YES                       | YES                     | no         | YES
Map                      | no                 | no                        | no                      | no         | YES
Strings from dumps       | no                 | no                        | no                      | no         | YES
Removal Instructions     | no                 | no                        | no                      | no         | YES
Architecture             |                    |                           |                         |            |
Sandbox Hypervisor Type  | Ubuntu/VirtualBox  | IntelliVM                 | -                       | -          | VMWare ESX/Workstation
Scalability              | no                 | YES                       | YES                     | YES        | YES
Custom sandbox instances | YES                | YES                       | YES                     | -          | YES
A Comparison of Sandbox Reports - 5

User Interface         | Cuckoo Sandbox           | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC
-----------------------|--------------------------|---------------------------|-------------------------|------------|--------------
UI Type                | Console (Python scripts) | Web                       | Web                     | Web        | Web
Dashboard              | No                       | YES                       | YES                     | No         | No
Queue Manager          | No                       | YES                       | YES                     | No         | YES
Report Type            | HTML                     | PDF                       | PDF                     | Web report | HTML/PDF/Blog
Sales                  | Freeware                 | Direct                    | Direct                  | Direct     | -
Total number of “YES”  | 10                       | 15                        | 17                      | 12         | 30
More Report Examples
https://www.dropbox.com/s/kh7dm8rngokd2f6/7a500c46d62f6f39e4bb2716a323bc34_report.htm
https://www.dropbox.com/s/rz7vzueqyxy53hy/e046da1b39202825155947371254a4e6_report.htm
https://www.dropbox.com/s/cl5h1fi91dkbt0d/e76d42578057862b5823ac926304cc22_report.htm
VMRay Analyzer
Source: http://www.vmray.com/vmray-analyzer-features/
Covers all kinds of behavior
• All kinds of low-level control flow (API function calls, system calls, interrupts, APCs, DPCs, ...)
• All kinds of high-level semantics (filesystem, registry, network, user/group administration, ...)
• Monitors user- and kernel-mode code
• All process creation, code injection, and driver installation methods are tracked and detected
• Layer 7 protocols (HTTP, FTP, IRC, SMTP, DNS, ...) are identified and parsed
Comprehensive Data Collection
• Enriched output with function prototype information, GeoIP lookup information, and process dependency graphs
• Takes screenshots during execution
• Monitors network traffic and stores PCAP files
• Detects and stores all files that are generated or modified by the malware
VMRay Analyzer
Process dependency graphs
LastLine
Source: http://advancedmalware.lastline.com/discovery-report-for-2/21/2015-to-2/27/2015
Lastline Malware Risk Assessment
Sandbox Intro
• Sandbox in-the-cloud (SitC) is a new cloud-based malware analysis system for IS professionals and advanced users.
• It allows you to get a comprehensive analysis report in 4-5 minutes.
Integration to ISP Infrastructure
SANDBOX FEATURES
Sandbox Features
• Get analysis report/verdict by hash/file.
• Searching and tracking of analyzed malware samples.
• Custom Yara rules are supported.
• Analysis time ~4 min.
• Scalable architecture (no limit on the number of samples processed) under VMWare ESX.
• Web interface.
• >5000 analyzed samples daily on 8 CPU cores (iCore7).
Yara Rules are Supported
• Add your own signature to detect files/memory dumps/traffic.
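The slide itself shows a screenshot of a rule; the rule set below is an added example and is not taken from the deck or from the SitC product. It shows the one property the slide relies on: a single Yara rule can be applied unchanged to a PE file, a memory dump or a traffic capture, because Yara only scans bytes. The strings are the file-name keywords the CosmicDuke slide lists as the malware's harvesting targets (*psw*, *pass*, *login*, *admin*, *sifr*, *sifer*); using that list as a detection pattern is an assumption made for illustration, not a published signature, and the rule names are made up.

```yara
// Added example (not part of the original deck).
// Rule 1 matches the keyword list in any scanned artifact: a file on disk,
// a process memory dump, or a reassembled traffic stream.
rule Harvester_Keyword_List_Any_Artifact
{
    meta:
        description = "Keyword list quoted on the CosmicDuke slide, matched in any artifact"
        author      = "added example, assumed pattern"
    strings:
        // "ascii wide" covers both plain and UTF-16LE encodings of the list,
        // so a dump of a Unicode-aware process is matched as well as a file.
        $kw_psw   = "*psw*"   ascii wide
        $kw_pass  = "*pass*"  ascii wide
        $kw_login = "*login*" ascii wide
        $kw_admin = "*admin*" ascii wide
        $kw_sifr  = "*sifr*"  ascii wide
        $kw_sifer = "*sifer*" ascii wide
    condition:
        // Require most of the list: a lone generic token such as "*pass*"
        // appears in plenty of benign software and would produce noise.
        4 of ($kw_*)
}

// Rule 2 narrows the same match to PE files on disk (MZ header at offset 0).
// It references rule 1 instead of repeating the strings; Yara allows a rule
// to use an earlier rule's name as a boolean in its condition.
rule Harvester_Keyword_List_PE_File
{
    meta:
        description = "Same keyword list, but only when the scanned object is a PE file"
        author      = "added example, assumed pattern"
    condition:
        uint16(0) == 0x5A4D and Harvester_Keyword_List_Any_Artifact
}
```

When both rules are loaded, a memory dump or a PCAP stream carrying the keyword list fires only the first rule, while a dropped PE file fires both; in a report that lets the analyst tell at a glance whether the hit came from a file or from runtime data. Yara must be run with the whole file (not a single string) in scope for `uint16(0)` to see the header.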
SANDBOX INTERFACE
Web Interface
• Search by MD5
• Manual sample upload via the web form (high priority)
• Stream analysis (low priority)
• Advanced search in Sandbox database by timeframe, verdicts, Yara rule, etc.
• Report (HTML, PDF) can be sent by email.
INCIDENT RESPONSE AND DATA FLOW
Incident Response with SitC
Detection → Investigation → Analysis → Remediation → Prevention
Unknown threats can be sent to SitC for analysis as files or metadata when they enter a trust perimeter.
SitC can assign a severity level to a submitted threat, so the most critical ones go to the IRT immediately.
Malware analysis takes ~4 mins.
All malicious activities are presented in the SitC report, together with removal recommendations. The removal script or tool can be generated in advance.
The SitC report contains information about propagation, which helps in understanding the attack vector.
Operational Modes
1. On-Demand Analysis (High Priority)
– The user submits an object (file/traffic) via the Web page; it is analyzed and kept on the storage.
– The report is generated and sent to the user's email.
– When submitting an object, the user can choose the (pre-defined) type of virtual machine to be used for the analysis.
2. Stream Analysis (Low Priority)
– The input object (file/traffic) can also be copied to the sandbox incoming folder, where it is processed automatically with low priority.
– The user can access the analysis data saved on the storage to do extra analysis.
– The user can search for an already analyzed object by MD5 hash via the Web page to get the HTML report.
3. Sandbox Configuration
– The user can insert new Yara rules via the Web page to detect files/dumps/traffic.
Technical Requirements for SitC Deployment
• VMWare ESXi Server 5.1 (free use up to 32 GB RAM):
• 8 CPU cores
• 16 GB RAM
• 4 TB low-speed HDD and 2 x 120 GB SSD
• Internet access (so malware can connect to remote servers and download updates)
• Incoming traffic (PE files, PCAP dumps) to the Sandbox
• Remote access via vSphere to set up and control the Sandbox
• Sandbox server should be well isolated inside the local network to prevent unsolicited malware spreading.
DEMO
• Cloud Sandbox Video – 2:38
Conclusions
1) SitC can potentially be used for:
• Analysis and detection of malicious or suspicious files.
• Analysis and detection of network traffic (PCAP).
• Triggering on custom Indicators of Compromise (IoCs) using Yara.
• Finding 0-day cyber attacks and APTs (via traffic analysis).
• Discovering infected hosts by malicious traffic (connections to C&C servers).
2) The SitC prototype has the most comprehensive malware analysis report in the industry, and we want to test it in a real-life environment.