Downloaded 21 times
![Contact
Jason Trost
• @jason_trost
• jason [dot] trost [AT] threatstream [dot] com
• https://github.com/jt6211
Aaron Shelmire
•@Ashelmire
•aaron[dot] shelmire [AT] threatstream [dot] com](https://image.slidesharecdn.com/bsidesnyc-anadversarialviewofmalwaresandboxes-v5-160117094851/75/BSidesNYC-2016-An-Adversarial-View-of-SaaS-Malware-Sandboxes-34-2048.jpg)
Uploaded byJason Trost
BSidesNYC 2016 - An Adversarial View of SaaS Malware Sandboxes
The document details an experiment conducted by Jason Trost and Aaron Shelmire that explores the vulnerabilities of Software as a Service (SaaS) sandboxes in detecting malware. It discusses the methods used to test various sandboxes and domain reputation engines, revealing that many sandboxes have easily identifiable characteristics, which can tip off malware. Ultimately, the findings raise concerns about the reliability of current anti-virus systems and the sharing of threat intelligence.
More Related Content
Similar to BSidesNYC 2016 - An Adversarial View of SaaS Malware Sandboxes
BSidesNYC 2016 - An Adversarial View of SaaS Malware Sandboxes
- 1. An Adversarial Viewof SaaS Sandboxes Jason Trost Aaron Shelmire Jan 16th 2016
- 2. Whois Jason Jason Trost •VPof Threat Research @ ThreatStream •Previously at Sandia, DoD, Booz Allen, Endgame Inc. •Background in Big Data Analytics, Security Research, Honeypots, and Machine Learning
- 3. Whois Aaron Aaron Shelmire •SeniorThreat Researcher @ ThreatStream •Previously at CERT, Secure Works CTU-SO, CMU •Background in Incident Response, Forensics, Security Research
- 4. • Advanced MalwareDetects Sandboxes! • Does it? • Threat Intelligence Feeds • AV is Dead! • You’re going to tip off the adversary!!! • Everyone’s going to know I’m compromised Motivation
- 5. Experiment • Created Sensorswith unique CampaignIDs • Encoded execution time and CampaignIDs in domain names • Tornado HTTP app and Bind DNS servers • Submitted unique samples to 29 free online Sandboxes • Submitted unique domains to ~50 domain/URL Reputation engines • Watched traffic roll in
- 6. Sandboxes Tested Avira ComodoInstant Malware Analysis Comodo Valkyrie F-Secure Online Analysis Joe Sandbox – Private File-analyzer.net Malwr.com NSI Payload Security ThreatExpert TotalHash ViCheck Cloud.vmray.com Ether.gtisc.gatech.edu Threat track Anubic.iseclab.com Metascan-online Eureka-cyber-ta.org Microsoft portal Online.drweb.com uploadMalware VirusTotal Virusscan.jotti.org wepawet Virscan ViCheck ThreatStream’s internal sandbox
- 7. Domain/URL Reputation EnginesTested app.webinspector.com malwaredomainlist.com senderscore.org trustedsource.org avgthreatlabs.com mxtoolbox.com/blacklists.aspx siteadvisor.com/sites unmaskparasites.com Bluecoat Web Pulse Passive Total sitecheck.sucuri.net URLVoid brightcloud.com Phishtank.com spam404.com urlblacklist.com Domain tools query Quttera spamhaus URLQuery dshield.org quttera.com Sucuri Sitecheck Virus Total URL query Fortiguard iprep reclassify.wrs.trendmicro.com SURBL VirusTotal URL domain/IP search Google Safe Browsing reputationauthority.org Threat Log vurl.mysteryfcm.co.uk Hosts-file.net safeweb.norton.com ThreatStream Web of Trust isithacked.com Scumware.org TotalHash wepawet.iseclab.org isitphishing.org senderbase.org trafficlight.bitdefender.com zulu.zscaler.com
- 8. Our Sensor –v1 Enumerate Host Sockets Based Comms Create Run Key Delete Run Key Exit Process NO REMOTE ACCESS CAPABILITY
- 9.
- 10. Sensor C2 –HTTP POST Exfil HTTP POST zlib compression base64 encoded Worked pretty well, but…
- 11. Sensor – v2DNS Covert Channel C2 Some Sandboxes block TCP conns Most allow DNS unmodified zlib compression hex encode split data into chunks multiple DNS A requests
- 12.
- 13. Sandbox detection featuresver. 1 • System Services Lists • Processes – VBoxService(1), vmtools (8) • MAC address • VMware, Inc. (55), Cadmus Computer Systems (40), ASUSTek COMPUTER INC. (23) • Bios • VMware (50), Bochs(34), ASUS(23), Google(8), Qemu(8) • Disk Size • 19.99GB (52), 25GB (37), 120GB (28), 50GB (20), 39GB (20) • RAM • 1GB (92), 1.5GB (18), 512MB (10) • Was the EXE renamed? • sample.exe, malware.exe, ${md5}.exe
- 14. Really Detecting VirtualMachines • System Services Lists • Processes – VBoxService(1), vmtools (8) • MAC address • VMware, Inc. (55), Cadmus Computer Systems (40), ASUSTek COMPUTER INC. (23) • Bios • VMware (50), Bochs(34), ASUS(23), Google(8), Qemu(8) • Disk Size • 19.99GB (52), 25GB (37), 120GB (28), 50GB (20), 39GB (20) • RAM • 1GB (92), 1.5GB (18), 512MB (10) • Was the EXE renamed? • sample.exe, malware.exe, ${md5}.exe
- 15. Sandbox Detection Techniques– Not Implemented • User Engagement • Dialog box, Double Click. Doc Scroll • Slow Mouse, Fast Sandbox • Execution after reboot • Pretty sure these would work • Require User engagement / Suspicion
- 16. Sandbox detection featuresver. 3 • Wanted to try some new checks… • Uptime – Malware checks for over 12 minutes? • Is Sleep patched? • Is the Security Information Descriptor valid ? • Really checking if AV is emulating the process • What Group is the user in?
- 17. Sandbox detection featuresver. 3 Uptime Is Sleep Patched? ValidSid Group ~60 minutes No Yes Administrators ~5 minutes No Yes Administrators ~2 minutes No Yes Administrators ~20 minutes No Yes Administrators 38 hosts w/ HTTP check in, only 4 valid check ins
- 18. Sandbox Detection Techniques-- Way too Advanced!!!! • Many companies, but only a few virtual machines used! • Same usernames • Same hostnames • Same disk size • Same CPU count •And then…
- 19. …just check theprocess name • artifact.exe • wbOxyeRLl6z7Jiq.exe • sampel.exe • 905DFEBA7A75DE9C6BF261CD5A076A5C5CB5FC1F.exe • samp1e_9ac36e185072270b0745ea0d68085dd9.exe GetModuleFileNameEx(hProcess, 0, lpBuff, MAX_PATH); if (lpBuff != lpszMyName) ExitProcess();
- 20. So we hadsome other questions… • AV? • Tipping off the adversary? • Threat Intel Feeds?
- 21. AV is Dead! •Is it?
- 22. What did AVthink of our sensor? • At first…
- 23. Eventually… • VirusTotal: 6Samples • Detection ranges from 8/57 to 30/57 • A lot of Trojan Zusy and Trojan Graftor • More malicious as time went on
- 24. 3rd gen sensor… •Removed Sandbox accuracy checks • Run key that was added, then removed • Touch and Delete a file • Large amount of host profiling • Much more reasonable scoring • Accuracy is worse than before!
- 25. Sharing? • Yup, Lots •Samples shared • Evidence of new executions seen from different origins • Domain names shared (or scraped) • Previous execution’s domains resolved later by other orgs, different nameservers • Some domains appear on threat intel lists • Many orgs are trivially identified as security companies • Every major AV company is represented in our DNS logs • Several Security Product Companies
- 26. 2nd Submission DNS Sensor 1stSubmission Monday Morning 3rd Submission Sleep Check Tipping off the Adversary
- 27. Check In Activity 27 TrendMicro + Home Hosts Monday Morning – Everyone checks in Amazon + Google DNS Sensor
- 28.
- 29. Sharing? – thensomething happened • Sharing based upon VT detections + new_file? • Takes ~4 days for files to reach VT from most sandbox sources. 1st Gen 3rd Gen HTTP unique IPs ~400 38 HTTP unique IP for source ~130 38 Valid HTTP Post 4 4 VT detections ~8/57 + 1/57
- 30. Sharing: Threat IntelligenceFeeds? Campaign First DNS First HTTP Threatfeed UM 2015-08-29 22:47 2015-08-29 23:41 2015-08-30 06:33 AV 2015-08-30 17:08 2015-08-30 19:45 2015-08-30 18:43 A9 2015-09-03 20:33 2015-09-03 20:33 2015-10-24 08:55 A12 2015-09-03 20:45 2015-09-03 20:46 2015-10-27 18:47 AN 2015-09-08 07:10 2015-09-08 10:23 2015-09-08 17:55 C21 2015-10-22 00:28 - 2015-10-22 00:29 PS-Y 2016-01-11 23:21 2016-01-11 23:15 2016-01-13 04:14
- 31. Sharing: URL ReputationServices • Crafted unique campaign IDs and timestamp domains • Made queries for unique domains to ~50 reputation engines • Three sites resulted in daily DNS lookups spanning > 5 days • Two resulted in daily DNS lookups spanning nearly 2 months • Most major AV/security companies networks represented • YOUR QUERIES ARE SHARED (implicitly?/explicitly?) • When you query these sites, you lose control of the domain/URL
- 32. Threat Intel vsthe Sandbox IPs? • Of all the Sandbox IPs that made valid POST requests to our server 15 were also identified in some threat intelligence feeds as malicious • 6 were TOR IPs • 1 was an Anonymous proxy • All others were characterized: • Bot IPs • Spammer IPs • Brute Force IPs • Scanning IPs • Compromised IPs (Hawkeye Keylogger, Dyre) • Interesting, but not surprising
- 33. Lessons • Most peopleuse the same Sandbox Images • Most sandboxes don’t change the environment settings across executions • AV thinks your file is malicious • You will tip off the adversary • Everyone will hit their network touch points … forever … • Reputation services can result in noisy traffic to the NS • Malware sandboxes can be fingerprinted with very simple techniques • You get what you pay for
- 34. Contact Jason Trost • @jason_trost •jason [dot] trost [AT] threatstream [dot] com • https://github.com/jt6211 Aaron Shelmire •@Ashelmire •aaron[dot] shelmire [AT] threatstream [dot] com
Editor's Notes
- #26 select timestamp::DATE, campaign_id, org, COUNT(1) from network_activity where host ILIKE '%.x.vpnlogin-it-helpdesk.com' group by 1,2,3 order by 3,1, 2;
- #30 select timestamp::DATE, campaign_id, org, COUNT(1) from network_activity where host ILIKE '%.x.vpnlogin-it-helpdesk.com' group by 1,2,3 order by 3,1, 2;
- #31 Several binaries that were initially sandboxed later resulted in more sandbox executions and those resulted in the domains making their way onto a commercial threat feed NOTE: this sensor has 0 to 1 AV detections and still made its way onto these feeds.