Over recent years, we have seen a rapid evolution of security products. Whenever a new technology is introduced, it tackles shortcomings of its predecessor, but also faces new challenges as attackers adapt to the changing security landscape.
Recent media coverage drew a lot of attention to a new variant of the Dyre/Dyreza malware family that is evading traditional sandbox-based analysis systems. At the same time, F-Secure highlighted similar tricks found in Tinba malware. Not only are individual families starting to detect and evade traditional sandboxes - it’s becoming a much more global and mainstream trend, as we covered recently at RSA.
A recent post in our series The Hammer Strikes describes how we let any security solution play in our sandbox, so that the Lastline platform can be integrated with technologies already present in a customer environment.
But what if malware doesn’t want to play in your sandbox?
In this post, we highlight how malware behaves in a FUSE (full-system emulation) analysis environment, how even evasive samples can still be detected, and that it’s time to let go of traditional sandboxing approaches, as they are falling further and further behind.
Many recently discovered sophisticated attacks against Windows users have been found to use at least one component executing in the kernel of the operating system. Examples of such APT attacks are Equation, Regin, Dark Hotel, and Turla/Uroburos, all of which have received a lot of scrutiny from the security and research community.
These threats are particularly pernicious because their kernel components run with the highest level of privilege available on the system. As a result, it is very difficult for traditional antivirus products to detect these attacks or to protect the system against them, because the attacker is running with the same (or higher!) privileges as the AV solution itself.
At the same time, it is far from trivial to analyze such kernel-based APTs inside a traditional sandboxing system, as kernel behavior often lies outside the scope of what can be monitored using traditional hooking mechanisms.
In this post, we will show how the latest release of the Lastline Breach Detection Platform, using a full-system emulation approach, defeats even the latest kernel-based attacks. In a series of follow-up posts, we will focus on individual APT families and techniques, and detail how our sandbox can be used to analyze and detect these threats.
Every AV I've tested is helpless against Violent Python attacks; the only good defense I've found is @LastlineLabs — Sam Bowne (@sambowne), May 27, 2014
Earlier this week, Sam Bowne (@sambowne) posted a nice example of how to write a simple keylogger in a few lines of Python. He used this code to evaluate a few sandboxes, including Lastline. The full code can be found on Sam’s blog, but the essential lines can be seen in the following snippet of code:
One notorious capability present in many variants of today's advanced malware is the theft of sensitive user information. Having taken control of a targeted machine, an adversary has essentially unlimited ability to secretly monitor the actions of the unsuspecting victim using it. The data stored on a typical machine, and to which the attacker now has access, ranges from account credentials (usernames and passwords) to financial data (credit card numbers or transaction secrets) and personal data (such as social security numbers).
Very often, malware specializes in capturing and identifying particular types of information typed by the victim, so that only the data the attacker is interested in is collected. Typical examples are values entered into the login form of a specific URL, or typed values that resemble social security numbers (SSNs) or credit card numbers.
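To make the filtering described above concrete, here is an added example (not code from the original post or from any malware family) of the classification logic such a stealer, or equally a DLP or forensic triage tool, applies to a captured keystroke buffer: a format filter for SSNs and a candidate-digit-string filter for card numbers that is confirmed with the Luhn checksum so that phone numbers and order IDs are discarded. The buffer `CAPTURED` is constructed sample input, and the regular expressions are this example's own assumptions about what "resembles" an SSN or card number.

```python
import re

# Constructed keystroke buffer standing in for what a keylogger or form grabber
# captures. Sample input made up for this example, not data from the original post.
CAPTURED = (
    "user: alice\n"
    "pass: hunter2\n"
    "ssn 123-45-6789\n"
    "card 4111 1111 1111 1111 exp 12/26\n"
    "phone 555-123-4567 order 4111111111111112\n"
)

# SSN: hyphenated 3-2-4, area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidates: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> list[str]:
    """Return every hyphenated SSN-looking value in the buffer."""
    return SSN_RE.findall(text)


def find_cards(text: str) -> list[str]:
    """Return card-like digit strings that also pass the Luhn check.

    The checksum is what separates a real PAN from a phone number, an order
    id or a typo: a stealer that skips it fills its drop with junk.
    """
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> dict[str, list[str]]:
    """Bucket the interesting values found in a captured buffer by type."""
    return {"ssn": find_ssns(text), "card": find_cards(text)}


if __name__ == "__main__":
    print(classify(CAPTURED))
```

Run on the constructed buffer, the SSN filter picks up `123-45-6789` but not the phone number (wrong digit grouping), and the card filter keeps `4111 1111 1111 1111` while dropping `4111111111111112`, which has the right shape but fails the Luhn check.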
Fighting traditional sandboxes (or dynamic analysis systems in general) typically takes the form of detecting the analysis environment, or of evading analysis by means of behavior triggers, as described in a previous blog post: Using High-Resolution Dynamic Analysis for BHO Trigger Detection. Some variants of the notorious Zeus trojan family use a different approach to hinder analysis: host fingerprinting.
In this evasion technique, the malware sample computes a unique fingerprint of the host when it infects the system and embeds this fingerprint inside its own binary. Whenever the malware starts executing, it computes a fresh fingerprint of the host it is running on and compares it to the embedded one. This lets the sample detect that it is running in an unexpected environment, such as an analysis sandbox, and take a different set of actions in that case.
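The following is an added example of the host-fingerprinting check, written for this post rather than taken from it or from any Zeus sample: the attribute set, the use of SHA-256 and the marker-based embedding are all assumptions standing in for details the post does not give. The "binary" is simulated as a byte string so the infection step (fingerprint written into the image) and the startup step (recompute and compare) can both be run offline against constructed host attributes.

```python
import hashlib

# Constructed host attribute sets. The field list is a hypothetical stand-in;
# the post does not say which host properties the Zeus variants actually hash.
INFECTED_HOST = {
    "computer_name": "WS-ACCT-07",
    "volume_serial": "A1B2-C3D4",
    "install_date": "2014-03-12",
    "os_build": "7601",
}
SANDBOX_HOST = {
    "computer_name": "SANDBOX-01",
    "volume_serial": "DEAD-BEEF",
    "install_date": "2013-01-01",
    "os_build": "7601",
}

FP_MARKER = b"|FP="   # separator between payload stub and embedded fingerprint (assumption)


def host_fingerprint(attrs: dict[str, str]) -> str:
    """Hash a canonical serialisation of the host attributes.

    Sorting the keys makes the fingerprint independent of attribute order, so
    the infection-time and run-time computations agree on the same host.
    """
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def infect(attrs: dict[str, str]) -> bytes:
    """Simulate the infection step: the sample writes the current host's
    fingerprint into its own image. Here the image is a byte string."""
    return b"PAYLOAD_STUB" + FP_MARKER + host_fingerprint(attrs).encode("ascii")


def embedded_fingerprint(binary: bytes) -> str:
    """Read the fingerprint back out of the (simulated) binary."""
    return binary.split(FP_MARKER, 1)[1].decode("ascii")


def startup_check(binary: bytes, current_attrs: dict[str, str]) -> str:
    """What the sample does on every run: recompute and compare.

    Returns the branch taken so the caller can see which path a given
    environment hits. A real sample would exit quietly or run decoy
    behaviour on the 'evade' branch.
    """
    if embedded_fingerprint(binary) == host_fingerprint(current_attrs):
        return "run_payload"
    return "evade"


if __name__ == "__main__":
    sample = infect(INFECTED_HOST)
    print("on victim:            ", startup_check(sample, INFECTED_HOST))
    print("in sandbox:           ", startup_check(sample, SANDBOX_HOST))
    # A single differing attribute is enough to trip the check.
    almost = dict(INFECTED_HOST, volume_serial="0000-0001")
    print("same name, other disk:", startup_check(sample, almost))
```

The point a sandbox operator should take from this is that the copy submitted for analysis already carries the victim's fingerprint, and the hash cannot be inverted to recover the attributes that produced it. A partial match (same computer name, different volume serial) still lands on the evasive branch, so simply naming the analysis VM like the victim does not help; the analysis system has to either observe the comparison itself or obtain the sample before it has been bound to a host.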
Looking at how malware analysis engines have evolved over the last decade, the trend is obvious: dynamic analysis systems are replacing purely static ones, or at least combining elements of both approaches. While the advantages of dynamic analysis are convincing (resilience against code obfuscation and encryption), attackers have various techniques at hand to complicate dynamic analysis and possibly evade these systems.