Malware ingenuity isn’t limited to its functionality or its ability to propagate. Sometimes malicious code has to have guile to survive.
That means, for the most part, having an innate understanding of when it’s being analyzed by a security expert. Numerous samples from different malware families have demonstrated cunning ways to evade detection, for example, refusing to execute if they detect that they’re being opened inside a virtual machine, or that a remote desktop protocol connection is being used to look at the code. Others will sleep for a defined period of time before executing, perhaps waiting to detect mouse movements to ensure that a human is at the wheel and not some automated code scanner.
Survival is paramount, in particular for targeted attacks where any combination of old or new malware is in play. For the researcher, staying ahead of the game means constant enhancements to analysis gear such as sandboxes. At Black Hat next week, researchers Claudio Guarnieri, Mark Schloesser and Jurriaan Bremer will conduct a session on malware evasion techniques and give demonstrations using their open source project, Cuckoo Sandbox, a 2½-year-old technology that is a staple with many researchers, as well as enterprises and government agencies. The sandbox can be customized to extract configurations for malware ranging from banking Trojans to botnets or malware used in targeted attacks.
Sandboxes are the equivalent of a clean room where malware can be executed without harming production environments and behaviors can be analyzed. Malware, in turn, wants to go anywhere but a sterile area.
“Consequently, what malware tries to achieve is detection of the sandbox environment,” Guarnieri said. “From there, it attempts to interrupt the execution so as not to reveal its nature; for example, not show which domains they would contact or which files they would create.”
One development that’s helping researchers in their fight against sandbox-detecting malware is the availability of the Citadel source code. The notorious banking Trojan emerged after the source code for the Zeus Trojan was leaked in 2011, and it employs a number of evasion tactics, including the ability to detect files and processes used by virtualization software, to compare its environment against known profiles of online sandboxes such as Anubis, or to sleep until it recognizes what it interprets as human movements. Again, in classic cat-and-mouse style, both sides of the aisle are learning; Cuckoo Sandbox, for example, can be configured against the third capability above.
“Specifically we are able to bypass sleep bombs by intelligently skipping sleeps and Cuckoo Sandbox is also able to emulate user interaction by moving the cursor and clicking the mouse buttons,” Guarnieri said. “Cuckoo Sandbox is nowhere near perfect, but with a proper configuration, it can get to a very high success ratio. Therefore, we are not prioritizing this cat-and-mouse game against malware writers, but rather focusing on extending features and improving overall stability.”
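The sleep-skipping Guarnieri describes is easiest to see with a virtual clock. The following is an added illustration, not Cuckoo’s own code: a hooked sleep() never blocks the analysis machine, but the sample must still observe the delay it asked for, otherwise a sample that compares timestamps around its sleep bomb notices the shortcut and stays quiet. The sample, the indicator string and the threshold are constructed placeholders.

```python
import time
from dataclasses import dataclass, field


@dataclass
class VirtualClock:
    """Time source handed to the analysed sample (constructed, not Cuckoo's).

    sleep() never blocks for long delays; it records them and, when
    advance_clock is set, moves the virtual clock forward so the sample still
    sees the delay it requested when it reads the time afterwards.
    """
    now: float = 0.0
    skip_threshold: float = 2.0          # delays above this are skipped, not slept
    advance_clock: bool = True           # False models a naive hook that forgets the clock
    skipped: list = field(default_factory=list)

    def sleep(self, seconds: float) -> None:
        if seconds > self.skip_threshold:
            self.skipped.append(seconds)  # long sleep: log it for the behaviour report
        else:
            time.sleep(seconds)           # short waits are kept to preserve timing
        if self.advance_clock:
            self.now += seconds           # the sample observes the full delay

    def time(self) -> float:
        return self.now


def constructed_sample(clock: VirtualClock, report: list) -> None:
    """Constructed stand-in for a sleep-bomb sample: it only reveals its
    behaviour if the requested ten-minute delay really appears to have elapsed."""
    t0 = clock.time()
    clock.sleep(600)
    if clock.time() - t0 < 600:           # delay was cut short: assume a sandbox
        return
    report.append("dns:placeholder-c2.invalid")  # placeholder indicator, not real


def analyse(sample, advance_clock: bool = True) -> dict:
    """Run one sample against the hooked clock and return what was observed."""
    clock = VirtualClock(advance_clock=advance_clock)
    report: list = []
    wall_start = time.monotonic()
    sample(clock, report)
    return {
        "indicators": report,
        "sleeps_skipped": clock.skipped,
        "virtual_seconds": clock.now,
        "wall_seconds": time.monotonic() - wall_start,
    }


if __name__ == "__main__":
    print(analyse(constructed_sample))                      # indicators recorded
    print(analyse(constructed_sample, advance_clock=False)) # sample stays quiet
```

Running both variants shows the caveat: skipping the sleep alone is not enough; the clock the sample reads has to move with it.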
The availability of Zeus and Citadel code, however, lowers the cost for attackers to employ some anti-sandboxing techniques.
“A lot of the sandboxing tactics can be easily bypassed,” Guarnieri said. “However, users have to understand that a sandbox is a support tool for quickly processing large amounts of malware: you’ll never reach 100 percent accuracy as there will always be ways to detect or profile it. The goal of a sandbox is to have a good success ratio and to shoot for quantity, rather than accuracy on single samples, in which case you’ll always be better off by doing manual analysis.”
File-level sandboxes such as Cuckoo can also be configured to spare incident response teams some reverse engineering of malware samples; the technology’s ability to identify the nature and family of the malware in question, as well as command and control domains and IP addresses related to a particular attack, often suffices.
“These tools can process a large amount of malware samples automatically, collect and digest the results,” Guarnieri said. “This is a great resource for incident response teams who want to collect threat indicators or identify specific attacks among a large repository or feed.”