vmray malware analysis sandbox efficacy assessment · there are three main type of attacks where...
TRANSCRIPT
0
VMRAYMALWAREANALYSISSANDBOXEFFICACY
ASSESSMENT
1
ContentsAboutVMRay...........................................................................................................................................2AboutMRGEffitas....................................................................................................................................2AboutUkatemi.........................................................................................................................................2Introduction.............................................................................................................................................3Testdetails...............................................................................................................................................4
High-levelresults..........................................................................................................................................8Detailedresults............................................................................................................................................9
In-thewildtests........................................................................................................................................9Custommalwaretests............................................................................................................................10Anti-antiVM...........................................................................................................................................11Supportedfiletypesandanalysisenvironments...................................................................................14Usefulreports.........................................................................................................................................16Easyinteractionwiththesandboxduringtheanalysis..........................................................................18YARArulesimplemented........................................................................................................................18Strongresistanceagainstpackers..........................................................................................................18Hashbasedreputation,MetadefenderandVirusTotalintegration.......................................................19Maliciousscriptsaredetected...............................................................................................................19SolidbrowserexploitdetectionviaURLanalysis...................................................................................21
Conclusion..................................................................................................................................................22
2
AboutVMRayVMRayisaCyberSecuritycompanythatprovidesbothacloud-basedandon-premisesproduct,VMRayAnalyzer,fordetectingmalware-relatedthreatsusingdynamicprogramanalysis.
VMRayuseshypervisor-basedmonitoringbuiltontheacademicworkofthetwoco-founders.VMRayAnalyzerisprimarilyusedbyCERTsandSOCsinlargeenterprises,telecomsandtechnologyvendorsforanalyzingandidentifyingmalware,inparticulartargetedattacksrelatedtoAPTs.
AboutMRGEffitasMRGEffitasisaUKbased,independentITsecurityresearchorganisationthatfocusesonprovidingcutting-edgeefficacyassessmentandassuranceservices,thesupplyofmalwaresamplestovendorsandthelatestnewsconcerningnewthreatsandotherinformationinthefieldofITsecurity.
MRGEffitas’origindatesbackto2009whenSvetaMiladinov,anindependentsecurityresearcherandconsultant,formedtheMalwareResearchGroup.ChrisPickardjoinedinJune2009,bringingexpertiseinprocessandmethodologydesign,gainedinthebusinessprocessoutsourcingmarket.
TheMalwareResearchGrouprapidlygainedareputationastheleadingefficacyassessorinthebrowserandonlinebankingspaceand,duetoincreasingdemandforitsservices,wasrestructuredin2011whenitbecameMRGEffitas,withtheparentcompanyEffitas.
Today,MRGEffitashasateamofanalysts,researchersandassociatesacrossEMEA,UATPandChina,ensuringatrulyglobalpresence.
Sinceitsinception,MRGEffitashasfocusedonprovidingground-breakingtestingprocessesandrealisticallymodelingreal-worldenvironmentsinordertogeneratethemostaccurateefficacyassessmentspossible.
MRGEffitasisrecognizedbyseveralleadingsecurityvendorsastheleadingtestingandassessmentorganizationintheonlinebanking,browsersecurityandcloudsecurityspacesandhasbecometheirpartnerofchoice.
Ouranalystshavethefollowingtechnicalcertificates:
OffensiveSecurityCertifiedExpert(OSCE),OffensiveSecurityCertifiedProfessional(OSCP),MalwareAnalysis(DeloitteNL),CertifiedInformationSystemsSecurityProfessional(CISSP),SecurityTubeLinuxAssemblyExpert,SecurityTubePythonScriptingExpert,CertifiedPenetrationTestingSpecialist(CPTS),ComputerHackingForensicsInvestigator(CHFI),andMicrosoftCertifiedProfessional(MCP).
AboutUkatemiUkatemiTechnologiesisaspin-offfromtheCrySySLab,Budapest.ItwasfoundedinDecember2012bymembersofCrySySLabwiththemissiontoaddressproblemsoftargetedattacksincyberspace.Targetedattacksoftenuseadvancedmethods,aimtocompromisehighprofiletargets,arestealthyandpersistent,and,therefore,difficulttodetectandmitigate.Ukatemifocusesonprovidingtoitsclientscustomizedthreatintelligencereportsandincidenthandlingservices,includingmalwareanalysis.Ukatemiprovidespersonalizedservicesthatmaynotbeprocuredelsewhere.
3
IntroductionVMRaycommissionedMRGEffitastoconductanefficacyanalysisofitsVMRaymalwareanalysissandboxproduct.Thissandboxiscapableofdetectingtraditionalmalware,malwaresimulatingAPTattackers,documentscontainingexploits,exploitsonURLs,andothermaliciousactivities.
ThetermAdvancedPersistentThreat(APT)referstoapotentialattackerthathasthecapabilityandtheintenttocarryoutadvancedattacksagainstspecifichigh-profiletargetsinordertocompromisetheirsystemsandmaintainpermanentcontrolovertheminastealthymanner.APTattacksoftenrelyonnewmalware,whichisnotyetknowntoandrecognizedbytraditionalanti-virusproducts.APTattackerstypicallyusespearphishingorwateringholetechniquestodeliverthemalwaretovictimcomputerswhereitisinstalledbyenticingtheusertoopenthefilecontainingthemalwareorthelinkpointingtoit.Installationofthemalwaremayalsoinvolveexploitingsomeknownorpubliclyunknownvulnerabilityinthevictimsystem,orsocialengineering.Oncethemalwareisinstalled,itmayconnecttoaremoteCommand&Controlserver,fromwhichitcandownloadupdatesandadditionalmodulestoextenditsfunctionality.Inaddition,themalwaremayuserootkittechniquesinordertoremainhiddenandtoprovidepermanentremoteaccesstothevictimsystemfortheattackers.
Astraditionalanti-virusproductsseemtoberatherineffectiveindetectingnewmalware,andhence,mitigatingAPTattacks,arangeofnewsolutions,specificallydesignedtodetectAPTattacks,haveappearedonthemarketintherecentpast.Theseanti-APTtoolsopenthosefilesinasandboxenvironmentonvirtualmachinesundervariousconfigurationsettings,analyzethebehaviourproducedbythevirtualmachines,andtrytoidentifyanomaliesthatmayindicatethepresenceofamalwareoranexploitationattempt.
Thereisnodoubtthatthesenewtoolsareuseful.However,determiningtherealeffectivenessofthesetoolsischallenging,becausemeasuringtheirdetectionratewouldrequiretestingthemwithnew,previouslyunseenmalwaresampleswithcharacteristicssimilartothoseofadvancedmalwareusedbyAPTattackers.Developingsuchtestsamplesrequiresspecialexpertiseandexperienceobtainedeitherthroughthedevelopmentofadvancedtargetedmalwareoratleastthroughextensiveanalysisofknownsamples.
WeatMRGEffitasandUkatemidecidedtojoinforcesandperformatestofleadingAPTattackdetectiontoolsusingcustomdevelopedsamples.MRGEffitashasextensiveexperienceintestinganti-virusproducts,whileUkatemihasaverygoodunderstandingofAPTattacksgainedthroughtheanalysisofmanytargetedmalwarecampaigns(includingDuqu,Flame,MiniDukeandTeamSpy).Therefore,collaboratingandbringingtogetherourcomplementarysetsofexpertiselookedlikeapromisingidea.
4
TestdetailsThefollowingcomponentsandtestcaseswereusedduringthetest:
• Numberofin-the-wildexploits:10• Numberofin-the-wildmalware:60• Numberoffullcustommalware:2• Numberofdifferentcustomexploitobfuscation(Java,Flash):1• Numberofdifferentsandboxevasiontechniques:10• Publiclyknown,butcustomizablemalwaresamples:15• Numberofstandardoff-the-shelveexploitkit(e.g.Metasploit)testcases:10• Sampleswithcustomcrypters:1• Sampleswithknowncrypters:2• Numberofdifferentdeliverymethods(exploit,macro,javaself-signed,ActiveX,HTML5,etc):4• Totalnumberoftestcases:~95
ThetargetplatformwasWindows764-bit,withInternetExplorer11andrecentversionsofFirefox,Chrome,AdobeFlashPlayer,AdobeAcrobat,MicrosoftOffice,SilverlightandJavaRuntimeEnvironment.
WetestedbrowserexploitsthattargetInternetExplorerandFlashasthesearethemostprevalentattacksatpresent.BesidestheseexploitsweusedPDF,RTF,andDOCXtypeexploits.Non-prevalentfile-typeslikeAVIandCHMwereoutofscope.
AfterafirstroundoftestssomeissueswereidentifiedintheVMRayanalysisenvironment.MRGEffitasprovidedfeedbacktotheVMRayteamonsuggestedadjustmentstoaddresstheseissues.Thisreportcontainstheresultoftheretestaftersomeoftheseissueswereaddressed.
Ourtestsincludedthefollowingparametersandcustomdevelopedtools:
• Weusedencodedshellcodestoavoiddetection• WeusedPowerShell,VisualBasicScriptandBatch-basedattackstosimulateAPT
attackers• WedevelopedMicrosoftOfficefileswithdirectshellcodeexecution(noPEisdroppedto
thehard-disk)
5
• WeusedknownpackerslikeThemidaandVMProtectandalsodevelopedtwonewcustompackers(XOR,Compress+XOR)
• WeusedknownRATslikePoisonIvyandNJRat
6
• WetestedshellcodeexecutionembeddedintoPython,RubyscriptsorGobinaries• WedevelopedsampleswithMD5-basedhashcollisions• WeusedexploitstargetingFlash,Java,AdobeReader,MicrosoftOfficeandSilverlight• Weusedencodedpayloaddeliveryduringexploits• Weusedlateralmovementinatest,andasafirststep,weextractedhashesfromthe
machinewhichcanbeusedinpass-the-hashattacks• Wedevelopedcustomexploitencryptionmethodswhereapassivenetworklistener
devicecannotreplaytheexploit,becauseitlackstheencryptionkeys• Wedeveloped10newmalwareanalysissandboxdetectiontechniques
7
• WesignedsomemalwaresampleswithbothvalidandinvalidcertificatestosimulateAPTattackers
• Themajorityofthein-the-wildmalwareandexploitkittestsweredonelive• Weusedthefollowingexploit-kitsinourexploitkittests:Rig,Sundown,Metasploit
8
High-levelresultsAfterperformingthetests,weidentifiedthefollowingstrengthsoftheVMRaymalwareanalysissandbox:
• Thesandboxisverystrongathidingboththevirtualizationlevelfrommalwarerunninginthesandbox(anti-anti-vm)andanyspecificartefactsofthesandboxitself.
• Thenumberofsupportedanalysisenvironmentsandfiletypesareaboveindustryaverage.• Thereportsareusefulforbothbeginnersandadvancedusers.• Itiseasytointeractwiththeanalysisenvironmentduringanalysisincasemanualactionsare
neededtotriggerthemaliciousactivity.• Theanalysisenvironmentisconfigurablewithprescripts,whichprovidesoptionsforadvanced
userstofine-tunetheanalysisenvironment.• TheYARArulesareeffectivetodetectknownbutpackedmalwarebyinspectingthememory
whenthecodeisunpacked.• TheYARArulesareeffectivetodetectknownexploitslikeOfficefiles,PDF• Thesandboxwillanalyzemalwarethatispacked–packersarethebiggestenemiesoftraditional
antivirusengines.• Thesandboxhashash-basedreputationcheckingandMetadefenderintegration• Besidesexecutables,maliciousscriptswritteninPowerShellarealsodetected• ThesandboxhassolidexploitdetectionviaURLanalysis• TheRESTAPIinterfaceiswelldocumented
9
DetailedresultsIn-thewildtestsFollowingarethemalwareanalysissandboxresultsofthein-the-wildmalwaresamples.VTIscoresaretheresultsofthedynamicexecutionofthemalwareinsidethesandbox.
In-the-wild-malware TestResults
%ofsamplesdetectedasMalicious* 88%%ofsamplesdetectedasBlacklisted* 12%
TotalDetectionEfficacy 100%
*VMRaySeverityScoreChart
Blacklisted VMRay’sreputationenginerecognizesthesampleasaknownmaliciousfile
Malicious VMRay’sdynamicanalysisenginedeterminesthatthefileismaliciousbasedonspecificbehaviorpatterns
Suspicious VMRay’sdynamicanalysisenginedeterminesthatthefileissuspiciousbasedonspecificbehaviorpatterns
NotSuspicious VMRay’sdynamicanalysisenginedeterminesthatthefileisnotsuspiciousbasedonbehaviorpatterns
Whitelisted VMRay’sreputationenginerecognizesthesampleasaknownbenignfile
Figure1-FinaldetectionviaVTIandreputationforin-the-wildmalware
12%
88%
Finalin-the-wildsampledetection
blacklisted
malicious
10
CustommalwaretestsVMRayAnalyzerdetectedthemajorityofcustommalwaresamplesasmalicious,therebyhighlightingitsabilitytodetecthighlyevasiveandadvancedmalware.Insomecustommalwaretestscenarios,VMRay’sdynamicanalysisenginedeterminedthatthefilewassuspicious(butnotmalicious)basedonspecificbehaviorpatterns.ThereareseveralreasonswhyVMRay’sdynamicanalysisenginemayonlyclassifyafileassuspiciousandnotmalicious.Forexample,ifthecommandandcontrolserverisinactiveatthetimeoftheanalysis,thesamplemaybedeemedtobelessmaliciousthanitactuallyis.Similarly,iftheC&Cisavailable,butnomaliciousactionsarereceivedfromthecommandandcontrolserverduringtheanalysis,thesamplemayonlybeclassifiedassuspicious.PleasenotethatthisisageneralshortcomingofdynamicmalwareanalysisandisnotspecifictoVMRayAnalyzer.
11
Anti-antiVMFinding
Therearethreemaintypeofattackswhereattackerscandetectthemalwareanalysissandbox,andchangethemalwarebehaviourifananalysisenvironmentisdetected:
1.Detectionofvirtualizationsoftware(Virtualbox,VMWare,QEMU,KVM…)
2.Identifyadifferencebetweenthetargetcomputer(e.g.desktopcomputerwithuseractivity)andaplainanalysisenvironments.
3.Context–awareorenvironment-awaremalware,wherethemalwaresampleonlytriggersifspecificfactorsaremet,e.g.itstartsonagivendateonly,oritchecksthepresenceofaspecificenvironmentvariable,registrykey,etc.Itisevenpossibletoencryptthemalwarepayloadbasedonthevalueofthisvariable,sowithoutknowing(orguessing)thecorrectvalue,thepayloadcannotbedecrypted.
VMRayhasaseriesofblogpostsonsandboxevasiontechniqueshere:https://www.vmray.com/blog/sandbox-evasion-techniques-part-1/
Whenitcomestodetectionofvirtualizationsoftware,thede-factostandardisthePafishtool:https://github.com/a0rtega/pafish
VMRayisimplementedasamodifiedKVM/QEMU,sowecanonlyexpectVMdetectionsontheKVM/QEMUpart.ByrunningthePafishtool,wecanseethatthereisnotasingledetectionofthevirtualizationenvironment.Note:sometimes,PafishdetectsthatVMRaydoesnotsimulatemousemovement,butthisisabuginPafish(thewindowtocheckistooshort),andnotinVMRay.
12
13
Whenitcomestodetectingthedifferencebetweenthetargetcomputerandtheanalysisenvironment,thefollowingresearchisuseful:
https://github.com/MRGEffitas/Sandbox_tester
https://www.youtube.com/watch?v=-wN5XvrfuxY
Byrunningthetool,wecanbesurethattheVMRayenvironmentfakesthefollowinginordertobeundetectableformalwarewhichtargetsthedesktopenvironment:
• Thereareiconsandfilesonthedesktop• Therearestandardapplicationsinstalled• ThereareapplicationswithGUIrunninginthebackground• Therearenon-defaultbookmarksinInternetExplorer• Thereisaprinterattachedtothesystem• Allthehardwaredescriptorsmatchadesktopsystem• Thegettickcountandlastbootuptimeshowsthatthesystemisalreadyupandrunningfora
while• Thescreenresolutionmatchesadesktopresolution• Thesysteminteractswithmessageboxes(atrickcommonlyusedinRATsamples)• Thesleepdetectionofthescriptcan’tdetectthepresenceofsleephooking,butinreality,
sleepsarefast-forwarded.
14
• Non-defaultdesktopbackgroundisused
Todefeatcontext-awaremalware(almostexclusivelyusedinAPTattacks),onehastoknowwhatconfiguration/environmentisexpectedbythemalware.Whenthisisknown,eithertheprescriptsortheinteractionwiththeVMduringtheanalysiscanbeusedtotriggerthemaliciouspayloadbythemalware.Alternatively,whenrunon-prematacustomersite,VMRaycanusethecustomer’sowngoldimagesastargetmachinesforanalysis.
SupportedfiletypesandanalysisenvironmentsFinding
Thesupportedfiletypesandanalysisenvironments(withOS,programversionsandpatchlevels)makeitusefultoanalyseanyin-the-wildthreat.
15
16
UsefulreportsFinding
Thereportsgeneratedbythesystemareusefulforbothbeginnersandadvancedusers.
17
18
EasyinteractionwiththesandboxduringtheanalysisFinding
Itisnotuncommonthatthesamplewon’tstartwithoutanyspecificuseractivity.E.g.somesamplesuse
aninstaller,whereauserhastoclickthroughaseriesofwindowsbeforethemaliciouspayloadis
delivered.TheVMRaymalwareanalysissandboxenvironmenthasautomatedusersimulation,providing
themouseandkeyboardinputthemalwarewouldtypicallyexpect.Italsomakesiteasytomanually
interactwiththeenvironmentduringanalysis,byonlyusingthewebbrowserandHTML5technology.
Fortaskswhichcanbeautomated,prescriptscanbewrittenanduploadedtotheanalysisenvironment.
Thesescriptscanchangetheanalysisenvironmentforthespecifiedmalware.EXE,BatchFile,Windows
scriptinghostfileetc.canbeusedforaprescript.
YARArulesimplementedFinding
YARA“providesarule-basedapproachtocreatedescriptionsofmalwarefamiliesbasedontextualor
binarypatterns.”Itisagreattooltoclassifyknownmalware,andalsotoidentifynewsamplesfor
knownmalwarefamilies.YARAisespeciallyeffectivewhenthesampleispacked,buttheruleisusedon
theunpacked,in-memoryprocess.YARAcanalsobeusedtodetectdocumentfiles(Word,Excel,PDF)
containingexploits.
VMRayincorporatesYARArulestodetectthevariantsfromknownfamilies,andtodetectnewsamples
ofknownexploits.Theyareappliedtovariousanalysisartifacts(extractedfiles,processdumps,network
dumps,etc.).
StrongresistanceagainstpackersFinding
Traditionalendpointprotectioncanbebypassedbypackerswithrelativeease.Bypackingafile,the
behaviourofthemalwareiskept,butthestructureoftheoriginalmalwareislost,thusblacklistslike
signaturebaseddetectionscanbebypassedeasily.Malwareanalysissandboxesweredevelopedto
19
inspectthebehaviourofthesamples.Soanymalwareanalysissandboxshouldhavegoodresistance
againstpackers–andsodoesVMRay.Alotofpackersintegratedanti-sandboxsolutions,whichmakes
theanalysisinasandboxhard.Thisiswhyanti-anti-sandboxsolutionsimplementedintoVMRayare
important.
Hashbasedreputation,MetadefenderandVirusTotalintegrationFinding
Samplehashescanbesenttoexternalreputationengines,andifthesampleisalreadyknown,theresult
ofthereputationcheckcanbeincludedinthereport.
Incasethesampleisnotknowntothereputationenginebythehash,butisknowntooneormoreAV
engines,MetadefendercanbeintegratedintoVMRay,andthedetectioncanbeimprovedwiththe
knowledge-baseofthemultipleAVscannersrunninginMetadefender.Iftheconfidentialityofthefiles
arenotimportant,thefilescanbedirectlyuploadedtoVirusTotal.
MaliciousscriptsaredetectedFinding
SomemalwareanalysissandboxesfocusmostlyonEXEfiles.Butattackersuseavarietyoffilesand
techniques.OneofthemostrecenttargetedattacksemployedPowerShell.VMRaycandetect
obfuscatedormaliciousPowerShellattacks–andnotjustbycheckingthebehaviourofthemalware
processes,butbycheckingforknowntechniquesusedinPowerShellattacks–e.g.useofencoded
PowerShellattacks.
20
21
SolidbrowserexploitdetectionviaURLanalysisFinding
TheURLanalysismodulewasabletodetectin-the-wildexploitkitslikeRIGorSundownonliveURLs.
TheexploitkitstargetedvulnerabilitiesinInternetExplorerandinFlash.
22
ConclusionWefoundtheVMRaymalwareanalysissandboxtobeanexcellenttooltodetectmalicioussoftware,
documentscontainingexploitsormaliciousURLs.Thedevelopersofthesystemclearlyunderstandthe
threatlandscape,anddevelopedthesystemaccordingly.Itishighlyrecommendedfordigitalforensics
andincidentresponse(DFIR)professionalsandaspartofasuiteoftoolsforCERTs.