VMRAY MALWARE ANALYSIS SANDBOX EFFICACY ASSESSMENT · There are three main type of attacks where attackers can detect the malware analysis sandbox, and change the malware behaviour

0

VMRAYMALWAREANALYSISSANDBOXEFFICACY

ASSESSMENT

1

ContentsAboutVMRay...........................................................................................................................................2AboutMRGEffitas....................................................................................................................................2AboutUkatemi.........................................................................................................................................2Introduction.............................................................................................................................................3Testdetails...............................................................................................................................................4

High-levelresults..........................................................................................................................................8Detailedresults............................................................................................................................................9

In-thewildtests........................................................................................................................................9Custommalwaretests............................................................................................................................10Anti-antiVM...........................................................................................................................................11Supportedfiletypesandanalysisenvironments...................................................................................14Usefulreports.........................................................................................................................................16Easyinteractionwiththesandboxduringtheanalysis..........................................................................18YARArulesimplemented........................................................................................................................18Strongresistanceagainstpackers..........................................................................................................18Hashbasedreputation,MetadefenderandVirusTotalintegration.......................................................19Maliciousscriptsaredetected...............................................................................................................19SolidbrowserexploitdetectionviaURLanalysis...................................................................................21

Conclusion..................................................................................................................................................22

2

AboutVMRayVMRayisaCyberSecuritycompanythatprovidesbothacloud-basedandon-premisesproduct,VMRayAnalyzer,fordetectingmalware-relatedthreatsusingdynamicprogramanalysis.

VMRayuseshypervisor-basedmonitoringbuiltontheacademicworkofthetwoco-founders.VMRayAnalyzerisprimarilyusedbyCERTsandSOCsinlargeenterprises,telecomsandtechnologyvendorsforanalyzingandidentifyingmalware,inparticulartargetedattacksrelatedtoAPTs.

AboutMRGEffitasMRGEffitasisaUKbased,independentITsecurityresearchorganisationthatfocusesonprovidingcutting-edgeefficacyassessmentandassuranceservices,thesupplyofmalwaresamplestovendorsandthelatestnewsconcerningnewthreatsandotherinformationinthefieldofITsecurity.

MRGEffitas’origindatesbackto2009whenSvetaMiladinov,anindependentsecurityresearcherandconsultant,formedtheMalwareResearchGroup.ChrisPickardjoinedinJune2009,bringingexpertiseinprocessandmethodologydesign,gainedinthebusinessprocessoutsourcingmarket.

TheMalwareResearchGrouprapidlygainedareputationastheleadingefficacyassessorinthebrowserandonlinebankingspaceand,duetoincreasingdemandforitsservices,wasrestructuredin2011whenitbecameMRGEffitas,withtheparentcompanyEffitas.

Today,MRGEffitashasateamofanalysts,researchersandassociatesacrossEMEA,UATPandChina,ensuringatrulyglobalpresence.

Sinceitsinception,MRGEffitashasfocusedonprovidingground-breakingtestingprocessesandrealisticallymodelingreal-worldenvironmentsinordertogeneratethemostaccurateefficacyassessmentspossible.

MRGEffitasisrecognizedbyseveralleadingsecurityvendorsastheleadingtestingandassessmentorganizationintheonlinebanking,browsersecurityandcloudsecurityspacesandhasbecometheirpartnerofchoice.

Ouranalystshavethefollowingtechnicalcertificates:

OffensiveSecurityCertifiedExpert(OSCE),OffensiveSecurityCertifiedProfessional(OSCP),MalwareAnalysis(DeloitteNL),CertifiedInformationSystemsSecurityProfessional(CISSP),SecurityTubeLinuxAssemblyExpert,SecurityTubePythonScriptingExpert,CertifiedPenetrationTestingSpecialist(CPTS),ComputerHackingForensicsInvestigator(CHFI),andMicrosoftCertifiedProfessional(MCP).

AboutUkatemiUkatemiTechnologiesisaspin-offfromtheCrySySLab,Budapest.ItwasfoundedinDecember2012bymembersofCrySySLabwiththemissiontoaddressproblemsoftargetedattacksincyberspace.Targetedattacksoftenuseadvancedmethods,aimtocompromisehighprofiletargets,arestealthyandpersistent,and,therefore,difficulttodetectandmitigate.Ukatemifocusesonprovidingtoitsclientscustomizedthreatintelligencereportsandincidenthandlingservices,includingmalwareanalysis.Ukatemiprovidespersonalizedservicesthatmaynotbeprocuredelsewhere.

3

IntroductionVMRaycommissionedMRGEffitastoconductanefficacyanalysisofitsVMRaymalwareanalysissandboxproduct.Thissandboxiscapableofdetectingtraditionalmalware,malwaresimulatingAPTattackers,documentscontainingexploits,exploitsonURLs,andothermaliciousactivities.

ThetermAdvancedPersistentThreat(APT)referstoapotentialattackerthathasthecapabilityandtheintenttocarryoutadvancedattacksagainstspecifichigh-profiletargetsinordertocompromisetheirsystemsandmaintainpermanentcontrolovertheminastealthymanner.APTattacksoftenrelyonnewmalware,whichisnotyetknowntoandrecognizedbytraditionalanti-virusproducts.APTattackerstypicallyusespearphishingorwateringholetechniquestodeliverthemalwaretovictimcomputerswhereitisinstalledbyenticingtheusertoopenthefilecontainingthemalwareorthelinkpointingtoit.Installationofthemalwaremayalsoinvolveexploitingsomeknownorpubliclyunknownvulnerabilityinthevictimsystem,orsocialengineering.Oncethemalwareisinstalled,itmayconnecttoaremoteCommand&Controlserver,fromwhichitcandownloadupdatesandadditionalmodulestoextenditsfunctionality.Inaddition,themalwaremayuserootkittechniquesinordertoremainhiddenandtoprovidepermanentremoteaccesstothevictimsystemfortheattackers.

Astraditionalanti-virusproductsseemtoberatherineffectiveindetectingnewmalware,andhence,mitigatingAPTattacks,arangeofnewsolutions,specificallydesignedtodetectAPTattacks,haveappearedonthemarketintherecentpast.Theseanti-APTtoolsopenthosefilesinasandboxenvironmentonvirtualmachinesundervariousconfigurationsettings,analyzethebehaviourproducedbythevirtualmachines,andtrytoidentifyanomaliesthatmayindicatethepresenceofamalwareoranexploitationattempt.

Thereisnodoubtthatthesenewtoolsareuseful.However,determiningtherealeffectivenessofthesetoolsischallenging,becausemeasuringtheirdetectionratewouldrequiretestingthemwithnew,previouslyunseenmalwaresampleswithcharacteristicssimilartothoseofadvancedmalwareusedbyAPTattackers.Developingsuchtestsamplesrequiresspecialexpertiseandexperienceobtainedeitherthroughthedevelopmentofadvancedtargetedmalwareoratleastthroughextensiveanalysisofknownsamples.

WeatMRGEffitasandUkatemidecidedtojoinforcesandperformatestofleadingAPTattackdetectiontoolsusingcustomdevelopedsamples.MRGEffitashasextensiveexperienceintestinganti-virusproducts,whileUkatemihasaverygoodunderstandingofAPTattacksgainedthroughtheanalysisofmanytargetedmalwarecampaigns(includingDuqu,Flame,MiniDukeandTeamSpy).Therefore,collaboratingandbringingtogetherourcomplementarysetsofexpertiselookedlikeapromisingidea.

4

TestdetailsThefollowingcomponentsandtestcaseswereusedduringthetest:

• Numberofin-the-wildexploits:10• Numberofin-the-wildmalware:60• Numberoffullcustommalware:2• Numberofdifferentcustomexploitobfuscation(Java,Flash):1• Numberofdifferentsandboxevasiontechniques:10• Publiclyknown,butcustomizablemalwaresamples:15• Numberofstandardoff-the-shelveexploitkit(e.g.Metasploit)testcases:10• Sampleswithcustomcrypters:1• Sampleswithknowncrypters:2• Numberofdifferentdeliverymethods(exploit,macro,javaself-signed,ActiveX,HTML5,etc):4• Totalnumberoftestcases:~95

ThetargetplatformwasWindows764-bit,withInternetExplorer11andrecentversionsofFirefox,Chrome,AdobeFlashPlayer,AdobeAcrobat,MicrosoftOffice,SilverlightandJavaRuntimeEnvironment.

WetestedbrowserexploitsthattargetInternetExplorerandFlashasthesearethemostprevalentattacksatpresent.BesidestheseexploitsweusedPDF,RTF,andDOCXtypeexploits.Non-prevalentfile-typeslikeAVIandCHMwereoutofscope.

AfterafirstroundoftestssomeissueswereidentifiedintheVMRayanalysisenvironment.MRGEffitasprovidedfeedbacktotheVMRayteamonsuggestedadjustmentstoaddresstheseissues.Thisreportcontainstheresultoftheretestaftersomeoftheseissueswereaddressed.

Ourtestsincludedthefollowingparametersandcustomdevelopedtools:

• Weusedencodedshellcodestoavoiddetection• WeusedPowerShell,VisualBasicScriptandBatch-basedattackstosimulateAPT

attackers• WedevelopedMicrosoftOfficefileswithdirectshellcodeexecution(noPEisdroppedto

thehard-disk)

5

• WeusedknownpackerslikeThemidaandVMProtectandalsodevelopedtwonewcustompackers(XOR,Compress+XOR)

• WeusedknownRATslikePoisonIvyandNJRat

6

• WetestedshellcodeexecutionembeddedintoPython,RubyscriptsorGobinaries• WedevelopedsampleswithMD5-basedhashcollisions• WeusedexploitstargetingFlash,Java,AdobeReader,MicrosoftOfficeandSilverlight• Weusedencodedpayloaddeliveryduringexploits• Weusedlateralmovementinatest,andasafirststep,weextractedhashesfromthe

machinewhichcanbeusedinpass-the-hashattacks• Wedevelopedcustomexploitencryptionmethodswhereapassivenetworklistener

devicecannotreplaytheexploit,becauseitlackstheencryptionkeys• Wedeveloped10newmalwareanalysissandboxdetectiontechniques

7

• WesignedsomemalwaresampleswithbothvalidandinvalidcertificatestosimulateAPTattackers

• Themajorityofthein-the-wildmalwareandexploitkittestsweredonelive• Weusedthefollowingexploit-kitsinourexploitkittests:Rig,Sundown,Metasploit

8

High-levelresultsAfterperformingthetests,weidentifiedthefollowingstrengthsoftheVMRaymalwareanalysissandbox:

• Thesandboxisverystrongathidingboththevirtualizationlevelfrommalwarerunninginthesandbox(anti-anti-vm)andanyspecificartefactsofthesandboxitself.

• Thenumberofsupportedanalysisenvironmentsandfiletypesareaboveindustryaverage.• Thereportsareusefulforbothbeginnersandadvancedusers.• Itiseasytointeractwiththeanalysisenvironmentduringanalysisincasemanualactionsare

neededtotriggerthemaliciousactivity.• Theanalysisenvironmentisconfigurablewithprescripts,whichprovidesoptionsforadvanced

userstofine-tunetheanalysisenvironment.• TheYARArulesareeffectivetodetectknownbutpackedmalwarebyinspectingthememory

whenthecodeisunpacked.• TheYARArulesareeffectivetodetectknownexploitslikeOfficefiles,PDF• Thesandboxwillanalyzemalwarethatispacked–packersarethebiggestenemiesoftraditional

antivirusengines.• Thesandboxhashash-basedreputationcheckingandMetadefenderintegration• Besidesexecutables,maliciousscriptswritteninPowerShellarealsodetected• ThesandboxhassolidexploitdetectionviaURLanalysis• TheRESTAPIinterfaceiswelldocumented

9

DetailedresultsIn-thewildtestsFollowingarethemalwareanalysissandboxresultsofthein-the-wildmalwaresamples.VTIscoresaretheresultsofthedynamicexecutionofthemalwareinsidethesandbox.

In-the-wild-malware TestResults

%ofsamplesdetectedasMalicious* 88%%ofsamplesdetectedasBlacklisted* 12%

TotalDetectionEfficacy 100%

*VMRaySeverityScoreChart

Blacklisted VMRay’sreputationenginerecognizesthesampleasaknownmaliciousfile

Malicious VMRay’sdynamicanalysisenginedeterminesthatthefileismaliciousbasedonspecificbehaviorpatterns

Suspicious VMRay’sdynamicanalysisenginedeterminesthatthefileissuspiciousbasedonspecificbehaviorpatterns

NotSuspicious VMRay’sdynamicanalysisenginedeterminesthatthefileisnotsuspiciousbasedonbehaviorpatterns

Whitelisted VMRay’sreputationenginerecognizesthesampleasaknownbenignfile

Figure1-FinaldetectionviaVTIandreputationforin-the-wildmalware

12%

88%

Finalin-the-wildsampledetection

blacklisted

malicious

10

CustommalwaretestsVMRayAnalyzerdetectedthemajorityofcustommalwaresamplesasmalicious,therebyhighlightingitsabilitytodetecthighlyevasiveandadvancedmalware.Insomecustommalwaretestscenarios,VMRay’sdynamicanalysisenginedeterminedthatthefilewassuspicious(butnotmalicious)basedonspecificbehaviorpatterns.ThereareseveralreasonswhyVMRay’sdynamicanalysisenginemayonlyclassifyafileassuspiciousandnotmalicious.Forexample,ifthecommandandcontrolserverisinactiveatthetimeoftheanalysis,thesamplemaybedeemedtobelessmaliciousthanitactuallyis.Similarly,iftheC&Cisavailable,butnomaliciousactionsarereceivedfromthecommandandcontrolserverduringtheanalysis,thesamplemayonlybeclassifiedassuspicious.PleasenotethatthisisageneralshortcomingofdynamicmalwareanalysisandisnotspecifictoVMRayAnalyzer.

11

Anti-antiVMFinding

Therearethreemaintypeofattackswhereattackerscandetectthemalwareanalysissandbox,andchangethemalwarebehaviourifananalysisenvironmentisdetected:

1.Detectionofvirtualizationsoftware(Virtualbox,VMWare,QEMU,KVM…)

2.Identifyadifferencebetweenthetargetcomputer(e.g.desktopcomputerwithuseractivity)andaplainanalysisenvironments.

3.Context–awareorenvironment-awaremalware,wherethemalwaresampleonlytriggersifspecificfactorsaremet,e.g.itstartsonagivendateonly,oritchecksthepresenceofaspecificenvironmentvariable,registrykey,etc.Itisevenpossibletoencryptthemalwarepayloadbasedonthevalueofthisvariable,sowithoutknowing(orguessing)thecorrectvalue,thepayloadcannotbedecrypted.

VMRayhasaseriesofblogpostsonsandboxevasiontechniqueshere:https://www.vmray.com/blog/sandbox-evasion-techniques-part-1/

Whenitcomestodetectionofvirtualizationsoftware,thede-factostandardisthePafishtool:https://github.com/a0rtega/pafish

VMRayisimplementedasamodifiedKVM/QEMU,sowecanonlyexpectVMdetectionsontheKVM/QEMUpart.ByrunningthePafishtool,wecanseethatthereisnotasingledetectionofthevirtualizationenvironment.Note:sometimes,PafishdetectsthatVMRaydoesnotsimulatemousemovement,butthisisabuginPafish(thewindowtocheckistooshort),andnotinVMRay.

12

13

Whenitcomestodetectingthedifferencebetweenthetargetcomputerandtheanalysisenvironment,thefollowingresearchisuseful:

https://github.com/MRGEffitas/Sandbox_tester

https://www.youtube.com/watch?v=-wN5XvrfuxY

Byrunningthetool,wecanbesurethattheVMRayenvironmentfakesthefollowinginordertobeundetectableformalwarewhichtargetsthedesktopenvironment:

• Thereareiconsandfilesonthedesktop• Therearestandardapplicationsinstalled• ThereareapplicationswithGUIrunninginthebackground• Therearenon-defaultbookmarksinInternetExplorer• Thereisaprinterattachedtothesystem• Allthehardwaredescriptorsmatchadesktopsystem• Thegettickcountandlastbootuptimeshowsthatthesystemisalreadyupandrunningfora

while• Thescreenresolutionmatchesadesktopresolution• Thesysteminteractswithmessageboxes(atrickcommonlyusedinRATsamples)• Thesleepdetectionofthescriptcan’tdetectthepresenceofsleephooking,butinreality,

sleepsarefast-forwarded.

14

• Non-defaultdesktopbackgroundisused

Todefeatcontext-awaremalware(almostexclusivelyusedinAPTattacks),onehastoknowwhatconfiguration/environmentisexpectedbythemalware.Whenthisisknown,eithertheprescriptsortheinteractionwiththeVMduringtheanalysiscanbeusedtotriggerthemaliciouspayloadbythemalware.Alternatively,whenrunon-prematacustomersite,VMRaycanusethecustomer’sowngoldimagesastargetmachinesforanalysis.

SupportedfiletypesandanalysisenvironmentsFinding

Thesupportedfiletypesandanalysisenvironments(withOS,programversionsandpatchlevels)makeitusefultoanalyseanyin-the-wildthreat.

15

16

UsefulreportsFinding

Thereportsgeneratedbythesystemareusefulforbothbeginnersandadvancedusers.

17

18

EasyinteractionwiththesandboxduringtheanalysisFinding

Itisnotuncommonthatthesamplewon’tstartwithoutanyspecificuseractivity.E.g.somesamplesuse

aninstaller,whereauserhastoclickthroughaseriesofwindowsbeforethemaliciouspayloadis

delivered.TheVMRaymalwareanalysissandboxenvironmenthasautomatedusersimulation,providing

themouseandkeyboardinputthemalwarewouldtypicallyexpect.Italsomakesiteasytomanually

interactwiththeenvironmentduringanalysis,byonlyusingthewebbrowserandHTML5technology.

Fortaskswhichcanbeautomated,prescriptscanbewrittenanduploadedtotheanalysisenvironment.

Thesescriptscanchangetheanalysisenvironmentforthespecifiedmalware.EXE,BatchFile,Windows

scriptinghostfileetc.canbeusedforaprescript.

YARArulesimplementedFinding

YARA“providesarule-basedapproachtocreatedescriptionsofmalwarefamiliesbasedontextualor

binarypatterns.”Itisagreattooltoclassifyknownmalware,andalsotoidentifynewsamplesfor

knownmalwarefamilies.YARAisespeciallyeffectivewhenthesampleispacked,buttheruleisusedon

theunpacked,in-memoryprocess.YARAcanalsobeusedtodetectdocumentfiles(Word,Excel,PDF)

containingexploits.

VMRayincorporatesYARArulestodetectthevariantsfromknownfamilies,andtodetectnewsamples

ofknownexploits.Theyareappliedtovariousanalysisartifacts(extractedfiles,processdumps,network

dumps,etc.).

StrongresistanceagainstpackersFinding

Traditionalendpointprotectioncanbebypassedbypackerswithrelativeease.Bypackingafile,the

behaviourofthemalwareiskept,butthestructureoftheoriginalmalwareislost,thusblacklistslike

signaturebaseddetectionscanbebypassedeasily.Malwareanalysissandboxesweredevelopedto

19

inspectthebehaviourofthesamples.Soanymalwareanalysissandboxshouldhavegoodresistance

againstpackers–andsodoesVMRay.Alotofpackersintegratedanti-sandboxsolutions,whichmakes

theanalysisinasandboxhard.Thisiswhyanti-anti-sandboxsolutionsimplementedintoVMRayare

important.

Hashbasedreputation,MetadefenderandVirusTotalintegrationFinding

Samplehashescanbesenttoexternalreputationengines,andifthesampleisalreadyknown,theresult

ofthereputationcheckcanbeincludedinthereport.

Incasethesampleisnotknowntothereputationenginebythehash,butisknowntooneormoreAV

engines,MetadefendercanbeintegratedintoVMRay,andthedetectioncanbeimprovedwiththe

knowledge-baseofthemultipleAVscannersrunninginMetadefender.Iftheconfidentialityofthefiles

arenotimportant,thefilescanbedirectlyuploadedtoVirusTotal.

MaliciousscriptsaredetectedFinding

SomemalwareanalysissandboxesfocusmostlyonEXEfiles.Butattackersuseavarietyoffilesand

techniques.OneofthemostrecenttargetedattacksemployedPowerShell.VMRaycandetect

obfuscatedormaliciousPowerShellattacks–andnotjustbycheckingthebehaviourofthemalware

processes,butbycheckingforknowntechniquesusedinPowerShellattacks–e.g.useofencoded

PowerShellattacks.

20

21

SolidbrowserexploitdetectionviaURLanalysisFinding

TheURLanalysismodulewasabletodetectin-the-wildexploitkitslikeRIGorSundownonliveURLs.

TheexploitkitstargetedvulnerabilitiesinInternetExplorerandinFlash.

22

ConclusionWefoundtheVMRaymalwareanalysissandboxtobeanexcellenttooltodetectmalicioussoftware,

documentscontainingexploitsormaliciousURLs.Thedevelopersofthesystemclearlyunderstandthe

threatlandscape,anddevelopedthesystemaccordingly.Itishighlyrecommendedfordigitalforensics

andincidentresponse(DFIR)professionalsandaspartofasuiteoftoolsforCERTs.

VMRAY MALWARE ANALYSIS SANDBOX EFFICACY ASSESSMENT · There are three main type of attacks where attackers can detect the malware analysis sandbox, and change the malware behaviour

Documents