
Okay, hello, good morning. Thanks for having me, thanks for coming. My name is Brandon Mesquita. We'll go through some evasive malware techniques today and a few thoughts on what we can do about them. I'm with Cisco; I work with AMP Threat Grid on the research team. This is my first conference talk, so nice setup, hopefully it goes well. I don't think I can sweat 40 pounds of bullets at the moment, but we'll see. I've spent a little over 10 years in the industry as a reverse engineer. Throughout the course of that I've mostly spent my time hacking on VMs somehow, either virtualizing something strange or implementing some new piece of hardware. For the past six years, though, I've been with Threat Grid, which is a malware analysis sandbox, and there I've mostly been trying to get all those nasty samples to actually execute in our sandbox. It's been a pretty exciting journey going through all the different things; I'll show some of them today. In addition to that, I'm also working on indicator creation, so getting some information out of the artifacts that are generated in the sandbox, and also expanding some of the features that we present.

So, evasive malware. It's kind of a nebulous term. I've slotted these into three general places here. One would be the anti-analyst slot, dealing with code obfuscation, dead code, things that are trying to mess with you as the analyst, wasting your time, wasting energy, things of that nature. The other slot would be anti-tool: kind of malformed files, so your program can't really parse the thing you're trying to analyze, but usually the program that runs it does just fine. This can also include some adversarial things, some bad ways to corrupt your tools. There aren't really too many of those these days, at least I haven't followed any recently, but back in the day there were vulnerabilities in Wireshark and other tools that specially crafted files could take advantage of. Finally there's anti-environment, which is what we're going to focus on. This includes malware detecting itself inside of a sandbox, or targeting or avoiding certain machines, based on whatever purpose they might have.

So, sandboxes first. Sandboxes are based on virtual machines. We have quite a few ways to run virtual machines these days, but the top ones on the list, or at least the most common: VMware of course, KVM and QEMU, VirtualBox, Hyper-V. There are quite a few sandboxes that leverage these virtual machines along with some extra components for instrumentation, to be able to see what's happening inside of those VMs and get some information out. For our purposes, malware sandboxes are trying to figure out what the file is doing, whether it's malicious or not in some cases, and maybe generating some intelligence. There are quite a few sandboxes available today: Threat Grid of course, Cuckoo Sandbox, Hybrid Analysis, Any.Run, but there are many, many more, and each has its own specialties, its own quirks, and performs differently in different situations.

All right, so for sandbox evasion techniques I've categorized them into these five groups: network information, time, hardware, software, behavior. Just different ways to try and put these things in a box so we can see how we can attack them and analyze them.

So first off, with network information, we can generate some location information. There are plenty of GeoIP services out there; MaxMind is pretty popular from what I've seen. These will give back information on the possible country you're coming from, longitude and latitude guesses, just varying levels of specificity about where you're coming from. Malware can treat this information in different ways. It can have whitelists for allowing only certain countries through, or it could be implemented as blacklists, where if they're detecting that you're coming from a certain place, like North America in the slide here, things will not work. This can be to eliminate places that commonly house security professionals, or it could be targeting specific regions, just depending on whatever the malware authors have in mind at the time. In addition to the location information, a lot of these GeoIP services will include extra information about the IP, whatever they might have in the database. This can include industry information, ISP names, some description about who owns the IP address that is detected. I highlighted a couple of things here: there are some vendors, Cisco Systems of course, Rackspace, things coming from a data center or associated with security. There are many different ways the malware authors have implemented checks to prevent or to target different systems, just based on doing a quick query to a web service, and from there the malware can either stop its execution or execute differently. It's really hard to tell sometimes.

Okay, so to overcome this, it's a little difficult to put in a proxy that catches all the cases. You kind of have to know a priori how to handle or how to spoof a response from MaxMind in this example, or from whichever GeoIP vendor the malware is looking at. So really the best response to this, I think, would be to come out using an exit node somewhere that is appropriate for your malware. Depending on the sandbox platform you're using, if it's a paid vendor you might have a better chance of that; if it's a self-hosted thing then that could be a little prohibitive, just depending on how your system is set up. But that does allow a native and real response from whichever service they might be using, and could allow for their execution, or for you to get the special payload.

Okay, so time is another big category. Of course sleeping is highlighted here. With sandboxes, usually you're running in a limited time slice; for Threat Grid we default to five minutes, other sandboxes have various runtimes associated with them, and there's also some flexibility depending on who you choose. So as a counter-step for that, authors have placed in sleeps. This is kind of an easy example from a VBScript, or macro rather, and it's sleeping for about two hours in total here. This is usually going to reach outside the bounds of a normal runtime inside of a sandbox, though with a normal user they might leave their computer on all day, especially in the business scenario when they're not following those process guidelines of shutting off their servers when they don't need them. So we have a higher chance of weeding out further execution from within a sandbox and only targeting real users. For getting around this, depending on how the authors have implemented their sleep, if they're using something on the system level, hopefully your sandbox instrumentation is not just limited to reading something but might be able to detect that there is a large sleep value and tweak it. There could be fun games you could play with how the virtual machine runs its clock, so two hours in VM time might actually be twenty seconds in reality. It really comes down to what the software you're using supports.

Similar to sleeps there are busy waits. These are a little more insidious. Here we have a large number for the bound inside of this tight loop. With busy waits you're getting an effective sleep by wasting time doing some steps and instructions that don't affect the larger program as a whole, or it might leave some other traces, but the point is to just spend a lot of time doing something to not obviously be sleeping. Again, the same with the instrumentation: if you're watching for the calls, if there are in fact API calls inside the loop, as in this example, then there are some ways you can get a count, maybe have a limit on how many times something is being called within a short amount of time, and trigger some sort of warning that way. But even then, some of these busy waits can be a very tight, non-API-driven loop, like just a counter that's going up, nested maybe four or five times deep, so it's really hard to detect these things depending on how they're implemented.

Oh, another mention with time: there are also some evasions that are specific to dates. We've come across a couple of samples that only work on Wednesday, for example, or they might only function up until maybe January 2017, and after that everything shuts down. Not just on the command and control side, but the actual malware that's running will detect the date and then change its behavior. Typically we've seen the behavior terminate, but it's just as easily implemented to do something different. This could be anything from getting a red herring downloaded, maybe misattributing some threat intelligence that's being generated through the sandbox, or just trying some old attack that the malware authors know wasn't going to work anymore.

Okay, so we can also do checks for different software. This example is from a .NET application that pulls down a list of processes and checks the queried list against a known blacklist, essentially, that's stored within it. These checks for antivirus software can cause the malware again to either stop its functionality or change to a different tactic, and these checks aren't just limited to looking for active processes. We've seen checks against the file system where you're looking for trace files, maybe a DLL associated with a particular AV vendor, or some other files such as, for example, ClamAV signatures that are downloaded. The same is true for debuggers. Here it's the same program, but it's checking for an actively running OllyDbg process, and this of course can be any of a range of other debuggers. But other software still gets checked in much the same way: you can go through and verify running processes and also look for artifacts on disk. Typically, though, with the debuggers, from what I've seen, they're looking for active processes, not so much the trace disk components, and it's usually to combat the malware being actively debugged. This is in addition to any IsDebuggerPresent checks that might be at the beginning of the program. And this extends to analysis tools as well. So, slightly different program here: we're calling WMI to get a list of applications and checking that list against a blacklist, Process Explorer, Wireshark and a few others. One interesting thing with this is, as a defender, if you're not trying to get malware to run in the sandbox but you want to have malware not run on your machine, you can possibly make dummy programs that have these names that trigger these detections and discourage the malware from actually running. I never really looked into the efficacy of that precisely, but it's one way you can turn the sandbox detection around.

All right, so moving on to hardware. This group I kind of called the minimum requirements list, where you must have, in this example, at least a dual-core processor. So again we're looking at WMI, which is a very easy way to query for the CPU count, but there are many, many other ways, all the way down to doing some tricks with the PEB, process execution block, just to get different ways to get the same type of information. We see a lot of WMI since it's very easy, it's very accessible, you can use it from a variety of different implementations, and in this case this is coming from another Word macro. Disk space is also another minimum requirement we see sometimes. This is a little more complex but still straightforward: it's calling DeviceIoControl on PhysicalDrive0 and then checking the disk geometry from there. So you can do this to check to make sure the disk size, either the physical disk, such as in this case, or the C drive, the partition, is of sufficient size. With sandboxes, typically vendors are trying to run as many of them on one machine as possible, so you try to limit the footprint of each VM on the disk, so typically the disks are a little small. There are of course, depending on the software, different tricks to make the disks seem larger than they actually are on the server, but in lieu of that the disk will typically be much, much thinner than we would see in reality. So having a sandbox present a one-terabyte hard drive is less likely than something that's maybe 10 gigs or 15 gigs, whatever minimum there might be for the particular operating system and the set of tools that it requires.

Okay, so "real" devices, "real" in quotes of course because we're in a virtual machine. This is checking for strings that are coming from the BIOS. Different vendors, such as the ones we have listed here, VirtualBox, VMware, and with KVM, QEMU, will leave some identifying strings in various places throughout the hardware that they're emulating. This check here, very simply, queries WMI again to get access to these strings and then checks them. Depending on the software, again, you're able to possibly tweak the source, or maybe there's a command line parameter, some way to twiddle the knobs a bit to not make them present what they might present by default in this piece of data. Conversely, as somebody who wants to prevent malware from running on their system: this BIOS call, and the next one I'll get to, are both actually stored in the registry. They're not written to the registry file on disk, but it's populated on boot. These are things that you can change while the machine is running but not necessarily get committed back to disk, so it has to be done each time. You can make your machine look like it might be VirtualBox or VMware or something else by tweaking these registry keys, so that could also discourage some malware from running on your machine. Though the trick with that is that some installers, depending on which company they come from, are very adamant about not being run on virtual machines, so some third-party software can get upset about not being on a real machine if they are using the same sort of detection.

Okay, so here, similarly, this is another document macro, nicely obfuscated now, but this is reading some SMBIOS information. This is more traces of a virtual machine that a virtual machine might put into some of the hardware it's simulating. Here we see that the WMI query for Win32_ComputerSystem brings down some information like the serial number that's stored in there, manufacturer, model of the processor, motherboard information, depending on the flavor of the computer system query. The WMI query at the bottom is checking again for those damning strings: QEMU, Red Hat, Virtual, VMware, and Xen. Same story here as with the BIOS: these are populated typically in the registry at boot and can be manipulated for that boot time.

The next real device would be printers. There are of course some default fake printers that Windows typically has. People who run sandboxes normally don't add extra hardware that's not necessary; things may be tweaked a little bit, but for the most part left at the default, and that's the assumption that these authors are going for here. So they have a list of typical software printers that might be available on most machines after installing an office suite or some other third-party utilities, and also ones that come with Windows by default. The Application.ActivePrinter call here looks for the default printer, essentially, and compares that against that list. So if you don't have another printer installed or set as a default, then you can trip the sandbox detection, or in the case of a real machine, if you're trying to not be susceptible to this type of attack, you can set one of these software printers as your default and get by, at least with this malware. You still have a printer attached to your machine, but they think you're a sandbox because one of the software printers is the default one.

All right, so this is more the behavior side now, active behavior. Input detection is very, very common, and I finally found a good gif to help liven things up; I'm not really good at finding funny gifs apparently. So in this code snippet it's grabbing a timer value, GetTickCount, and it's getting the tick count from the last time input was recorded, which could be keyboard or mouse, and then comparing them. If the difference is small enough, I think it comes down to like 0.1 second, then that malware thinks that there's no activity, there's no input detected, so it quits out early. The various ways to get around this: depending on your vendor you might have some capability of getting into and manipulating the sandbox directly, something like a VNC session, getting in there and moving things yourself, but that doesn't really scale too well. Other options can be having some automated process to emulate inputs, like the sippy bird is doing here, just don't blow up the nuclear power plant. But this unfortunately doesn't really have a way for us to use it as a way to keep malware off of our personal systems; basically you just don't touch the computer, which means you're not using your computer.

Okay, so other active behaviors are AutoClose macros, and this is both for Office documents, PDFs and a variety of other things. The AutoClose call here triggers, if it's inside of a Word document, when you close that document. So it's a function that gets automatically called upon closing, and things get executed. Sandboxes are typically good at launching things, and then what happens is it sits and waits for its runtime and then everything gets unplugged, but the processes that are running don't actually get individually turned off. So this evasion mechanism is trying to leverage that by assuming that somebody who's running this in a sandbox won't ever close the thing and the macro will never run, however a real user would eventually close a document, or at least we'd hope so. I've seen tabs in my browser I don't close ever, but for Word you definitely want to get off of Word, get out of the work mode, and that would in fact trigger this effect. For getting around this, having some way to automatically close programs before shutting down our runtime could be possible with certain vendors or not. This is also very closely linked to having automated input, as seen in the input detection previously.

Okay, so this is more of a behavior trace that might be on a system. This one's highlighting a check of the count of recent files one might have in their Word history or Excel history or something like that. The assumption here is of course that with sandboxes you're in a pristine state, you're not used, so there wouldn't be any recent files open, whereas a normal user would have tons and tons of documents open, they're always using their machine, so we're going to have traces of some activity. In this case the code's looking for at least three entries inside the recent file list. Typically with Word, once you open a document it's automatically added to the recent files, so if they were at three before, with this document open it would hit four and things would execute. This one is something we can use for our personal machines: if you're constantly clearing out your recent file list you can get around things like this. Of course that's adding a lot of extra steps to your day, trying to eliminate traces of your activity on your system, and it's definitely going to impact convenience, but fortunately there are AutoClose macros, so you can possibly implement a recent-file-clearing thing in the AutoClose macro.

Another thing you can do from a Word macro, for some reason, is see the active tasks that Windows is running. In this case it's looking for quite a large number of active tasks. These tasks can add up very quickly with different instances of svchost and a lot of other things that Windows is typically doing, but it's banking on the idea that a normal user would have multiple programs active at the same time. So these authors kind of gauged their guess at 50 results from pulling the task count down, and assumed that anything less than that would be a sandbox. So again, with sandboxes their assumption is we're going to launch the thing that you give us but not necessarily have all these extra things running. One way to get around this, again for your own machine, would be to only do one thing at a time, which isn't very practical either, but at least you get focused.

All right, so the list of techniques that I've gone over today is definitely not comprehensive. There are lots of other different ways of doing things, some more subtle than others, and there are a couple of great projects out there that try and sum things up to help us check our machines. One of them is pafish; I've got the link up there, and it's readily findable on Google. I guess the slides will be available at some point as well. pafish started out just as a C program, but other companies have taken the idea and implemented their own versions; one was implemented in a Word macro. There were a couple of slides that had some of those screenshots in them. It's a very easy yes/no, pass/fail sort of way to check things, and it goes through a wide variety of checks and tests, so you have a really good idea of how susceptible your machine is, or how much your real machine might look like a VM to some places. Depending on the age of your machine and the components that are attached to it, some real machines can look very much like a virtual machine. An alternative is Al-Khaser. It's basically the same idea as pafish, just a different developer, and they often have a different set of VM checks as well. There's quite a lot of crossover, but they're still good to have on either side.

All right, so thanks. In summation, I hope this has been a pretty good introduction to some evasive malware techniques; hopefully it got some juices flowing. If you have ideas about different ways we can check for VMs, please check Al-Khaser and pafish to see if the technique is known. If it's not, then definitely add it; it's an open source project, it benefits the community. And any other ideas for evading the evasions are always really fun to think of. So thanks. Any questions?

Q: Hey, thanks a lot for the talk, it was actually very informative. In the samples that you've analyzed historically, have you noticed a lot more of these evasion techniques being effective in samples created by nation states versus organized crime or just, you know, some script kiddie? Can you talk a little bit about that?

A: Oh, so attribution is really, really difficult, and I don't always have the information about where these samples are coming from. With Threat Grid we have our customers from all over sourcing their samples and sending them to us; we basically just catch what falls out. So I really don't know where exactly they're coming from. But just based on some of the types of implementations we've seen, there are some really easy, unobfuscated Word macros that are doing some type of VM detection that were likely some sort of script kiddie thing, and they go up to very easily identifiable pattern-type obfuscation, especially in the document macros, so those might be more commodity, linked with organized crime. And I've personally come across a couple of really, really good and thorough PE files that are doing all sorts of different detection tactics, so you can maybe guess that might be nation-state level. But I really don't know; just gauging based on how difficult it is to figure out what they're looking for, and the number of things that they're looking for, could be indicators for which bucket those might fall into.

Q: So my question is, I know a lot of security vendors out there are selling solutions that include a sandboxing component. I'm wondering if you're aware if they're incorporating this type of evasive technique into those products to ensure that, you know, they're not getting fooled by that, or if you're aware of anything like that.

A: I definitely know my product, and we do, but for other products I would assume so. It's almost necessary these days; some of these techniques are very, very simple to implement, and they're going to be part of any A/B testing a prospective customer might do. So it's really necessary, I think, but the level to which each vendor goes is really hard to say.

Q: One question is, in your experience, what percentage, or how many of the malware that you've seen, actually implement either basic or really advanced evasion techniques?

A: That I've seen personally, that's a high percentage, but from what Threat Grid processes it's probably a lower percentage, just based on the sheer number of samples that we process, and the ones that fall to me or my team are going to be those special cases that need an extra

Q: How effective is it to make your own machine look like a sandbox? Do you think that's a legitimate way to hide from malware?

A: I don't know. It seems like it should work, right? If you're coming across these things on your machine, then that's definitely one way to stop them. How much that impacts day-to-day functionality, it's probably going to impair things a bit, but I really don't know that. Somebody else can turn that into a product if they wish; it's a crazy enough idea, it just might work.

Q: How effective is it to look for some of these tests in a static detection environment? You know, in dynamic, for those who don't know, you're actually running the software and seeing its behavior; in static detection, which can be faster, you're looking for, you know, loops and things like that that might be obfuscation techniques. How many of these can be easily tested in a static environment?

A: Quite a few of the examples I showed can be, actually. For some of the harder loops that you mentioned at the end, some sort of symbolic analysis might be effective; we haven't quite gone into that level for them. But depending on how good your static analysis is, if you're able to de-obfuscate macros slightly, or know what they're actually trying to call, or if you can see the imports for a particular PE and make some assumptions based on those things, then you can have some pretty decent, maybe not a 100%, indication that this is doing some sort of VM evasion, but at least something to know that you should look at this. And that's of course aside from just straight-up detecting those sensitive strings like, you know, VMware, KVM, those sorts of things.

Moderator: And we have one last question over on this side.

Q: So I haven't looked at this stuff in a while, but back in the day we had seen evidence of samples that would look for things like, to obfuscate or to check the time, they would actually look to see what time it was out on Google and Apple to see if they were in a sandbox or being time-pushed. And the other thing was we'd seen some samples that would actually look to see what their gateway was so that they knew that they were in the target corporation; I guess they'd mapped all the proxy IPs. Do you still see those kinds of samples today, or is that something that they've moved away from?

A: I personally haven't come across the latter part you've described. You'd probably find some if, you know, we've got quite a big database to go through. But the former, yes, having checks outside of just the regular system clock, we've definitely seen those, and it's really annoying when they check Microsoft's time because then we just chalk that up to Windows doing its thing. Yeah, thanks everybody.

[Applause]
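As an added example, not code from the talk, from Threat Grid, or from pafish or Al-Khaser: a small Python scorer that runs over a constructed sandbox API-call trace and flags, from the instrumentation side, the indicators the talk describes: a total requested sleep that exceeds the run slice, busy-wait loops seen as many calls to one API inside a short window, WMI hardware-fingerprint queries, string compares against VM vendor names, analysis-tool names looked up while walking the process list, and GetLastInputInfo polling. The trace format (timestamp in milliseconds, API name, argument dictionary), the thresholds, the name lists and both sample traces are assumptions constructed for the example; real sandbox output would need its own adapter, and, as the talk notes, a busy wait that never calls an API leaves nothing here to count.

```python
"""Score a sandbox API trace for the evasion indicators discussed in the talk.

Added example, not code from the talk or from Threat Grid. The trace format,
the thresholds and the name lists below are assumptions chosen for illustration.
"""
from collections import defaultdict

# APIs whose argument carries a sleep duration ("delay_ms" is an assumed key).
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
# String-compare APIs whose operands are inspected for VM vendor names.
STRING_COMPARE_APIS = {"StrStrIA", "StrStrIW", "lstrcmpiA", "lstrcmpiW", "_stricmp", "_wcsicmp"}
# WMI classes the talk shows being queried for CPU count, BIOS and system strings.
FINGERPRINT_CLASSES = ("Win32_Processor", "Win32_ComputerSystem", "Win32_BIOS", "Win32_BaseBoard")
# Substrings the talk lists as "damning" in BIOS/system strings.
VM_STRINGS = ("vmware", "virtualbox", "vbox", "qemu", "xen", "kvm", "red hat", "virtual")
# Analysis-tool process names (constructed list; the talk names Process Explorer,
# Wireshark and OllyDbg).
TOOL_PROCESSES = {"procexp.exe", "wireshark.exe", "ollydbg.exe", "x64dbg.exe", "procmon.exe"}

# Constructed trace: a loader that sleeps two hours, fingerprints the hardware,
# walks the process list, checks for user input and then spins on GetTickCount.
SAMPLE_TRACE = [
    (0, "GetLastInputInfo", {}),
    (1, "GetTickCount", {}),
    (2, "NtDelayExecution", {"delay_ms": 3_600_000}),
    (3, "NtDelayExecution", {"delay_ms": 3_600_000}),
    (4, "IWbemServices::ExecQuery", {"query": "SELECT * FROM Win32_ComputerSystem"}),
    (5, "IWbemServices::ExecQuery", {"query": "SELECT * FROM Win32_BIOS"}),
    (6, "StrStrIW", {"haystack": "innotek GmbH", "needle": "VirtualBox"}),
    (7, "CreateToolhelp32Snapshot", {}),
    (8, "Process32NextW", {"exe": "explorer.exe"}),
    (9, "Process32NextW", {"exe": "wireshark.exe"}),
] + [(10 + i, "GetTickCount", {}) for i in range(500)]

# Constructed benign trace for comparison: one short sleep and a file write.
BENIGN_TRACE = [
    (0, "Sleep", {"delay_ms": 500}),
    (1, "CreateFileW", {"path": "C:\\Users\\user\\report.docx"}),
    (2, "WriteFile", {}),
]

def total_sleep_ms(trace):
    """Sum every requested sleep so a two-hour total stands out against the run slice."""
    return sum(args.get("delay_ms", 0) for _, api, args in trace if api in SLEEP_APIS)

def busy_wait_apis(trace, window_ms=1000, min_calls=100):
    """APIs called at least min_calls times inside some window_ms span (a busy-wait loop).
    Only loops that call into an API are visible; a bare register counter is not."""
    stamps = defaultdict(list)
    for ts, api, _ in trace:
        stamps[api].append(ts)
    hits = []
    for api, times in stamps.items():
        times.sort()
        lo = 0
        for hi, ts in enumerate(times):  # sliding window over sorted timestamps
            while ts - times[lo] > window_ms:
                lo += 1
            if hi - lo + 1 >= min_calls:
                hits.append(api)
                break
    return sorted(hits)

def fingerprint_queries(trace):
    """WMI classes queried that expose BIOS, system or CPU strings, in trace order."""
    hits = []
    for _, api, args in trace:
        query = args.get("query", "").lower()
        hits.extend(cls for cls in FINGERPRINT_CLASSES if cls.lower() in query)
    return hits

def vm_string_compares(trace):
    """Operands of string-compare calls that mention a VM vendor."""
    hits = []
    for _, api, args in trace:
        if api not in STRING_COMPARE_APIS:
            continue
        for value in args.values():
            if isinstance(value, str) and any(s in value.lower() for s in VM_STRINGS):
                hits.append(value)
    return hits

def tool_process_lookups(trace):
    """Analysis-tool process names seen while the sample walks the process list."""
    seen = {args.get("exe", "").lower() for _, api, args in trace if api.startswith("Process32")}
    return sorted(seen & TOOL_PROCESSES)

def score(trace, run_slice_ms=300_000):
    """Collect indicators; run_slice_ms defaults to the five-minute slice the talk mentions."""
    indicators = {}
    sleep = total_sleep_ms(trace)
    if sleep > run_slice_ms:
        indicators["long_sleep_ms"] = sleep
    for key, value in (("busy_wait_apis", busy_wait_apis(trace)),
                       ("fingerprint_queries", fingerprint_queries(trace)),
                       ("vm_string_compares", vm_string_compares(trace)),
                       ("tool_process_lookups", tool_process_lookups(trace))):
        if value:
            indicators[key] = value
    input_checks = sum(1 for _, api, _ in trace if api == "GetLastInputInfo")
    if input_checks:
        indicators["user_input_checks"] = input_checks
    if len(indicators) >= 2:
        verdict = "likely evasive"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "no evasion indicators"
    return {"verdict": verdict, "indicators": indicators}

if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        print(name, score(trace))
```

Run it directly to print both verdicts. The thresholds (a one-second window, 100 calls, a five-minute run slice) are starting points to tune against a benign baseline from your own sandbox, since legitimate installers also sleep and query WMI; requiring two independent indicators before calling a sample evasive is what keeps a single long sleep from tripping it.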