About the speaker
French security consultant and researcher working at McAfee Foundstone.
Areas of work: malware fighting, incident response, threat intelligence, red team assessment, education.
Overview
- What is the goal of this presentation?
- The increasing malware threat
- History of malware protection
- Why does malware use self-defense techniques?
- How does malware succeed in infecting me?
- Overview of malware protection
- Unprotect Project
- Conclusion
What is the goal of this presentation?
Introduction
- Understand why antivirus engines do not detect the new generation of malware.
- Understand why sandbox tools are not sufficient against this threat.
- Understand why a malware analyst can fall for a malware's tricks.
- Introduce malware protection techniques and how to defeat them.
- Introduce the Unprotect Project.
The increasing malware threat
Today the malware threat is increasing and a lot of stolen data is sold on underground markets.
Malware is a new weapon used by many actors:
- Governments
- Spies
- Hacktivists
- Mafia
- Even kids
Remaining undetected is vital for malware. The challenge is huge for attackers and defenders alike.
History of malware protection
The history of malware began in the 1970s, but the history of malware self-defense did not start before the late 1980s. The first virus that attempted to defend itself from the antivirus utilities available at the time was the DOS virus Cascade: it defended itself by partially encrypting its own code. Two years later the first polymorphic virus, Chameleon, appeared; it used more complex encryption and obfuscation methods to protect its code.
Until recently, antivirus programs worked exclusively by analyzing file code. Detection is now becoming more complex, with heuristic approaches and threat intelligence.
https://securelist.com/analysis/publications/36156/the-evolution-of-self-defense-technologies-in-malware/
Why does malware use self-defense techniques?
Introduction
Cyber-criminals invest time to create hardened programs. Some samples are really advanced and contain a lot of functionality. Protection and self-defense are vital for attackers, so that several months of work are not wasted after the first detection.
Many techniques can be implemented; they fall into 3 categories:
- Anti-SecTools (AV, firewall, ...): evasion of security products
- Anti-Sandbox: detection of automated analysis
- Anti-Analyst: detection of manual analysis
Some techniques are common to all 3 categories.
How does malware succeed in infecting me?
"I have the latest AV update but I still got infected"
- Most of the time the AV engine detects the malicious payload but not the wrapper around it.
- Many techniques can evade the AV.
- Best practices are not always followed.
"I bought a really expensive sandbox, but when I run a malicious payload it is not detected"
- Sandboxes are often misconfigured, which lets malware detect them and stay dormant.
- A lot of information about the environment can be retrieved by malware.
"I spent a lot of time analyzing this sample but I am still confused and do not understand it"
- Obfuscation, packers and anti-analysis tricks give analysts a hard time.
How does malware succeed in infecting me? (Antivirus)
Most of the time an antivirus engine is based on:
- Signature detection
- Scanning functionality
- A heuristic engine
Malware can escape these functions by different techniques:
- Adding antivirus exceptions
- Disabling the antivirus
- Using the sleep method (delaying execution beyond the time budget of the emulator or scanner)
- Using code injection
- Etc.
How does malware succeed in infecting me? (Sandbox)
Sandboxing is the current fashion in security tools, and also the easiest way to quickly understand a malware sample. However, many misconfigurations allow malware to detect the analysis environment. The way to avoid this detection is to make the sandbox look like a real user machine, but that is difficult to maintain. Some security tools can help you harden your sandbox.
How does malware succeed in infecting me? (Analyst)
Many tricks can be used by malware to defeat the analyst. Bypassing the protection is sometimes hard and very time consuming. Some malware is prepared to face analysis tools and keeps improving its self-defending techniques to remain undetected and incomprehensible. Packers, anti-disassembly, anti-honeypot, obfuscation and more are part of the attackers' arsenal. The goal for the analyst is to remove these protections to better understand the behavior of the sample.
Overview of malware protection
Malicious software in the Windows environment is typically armored, packed, encrypted or obfuscated to protect itself from classic review. There are several ways to avoid detection and analysis:
- Packers
- VM/sandbox detection
- AV evasion
- Anti-disassembly
- Anti-debugging
- Obfuscation
- ...
Obfuscation
Malware often uses obfuscation techniques to avoid detection and analysis. Obfuscation is the act of obscuring the intended meaning of a communication by making the message confusing, willfully ambiguous, or harder to understand. Malware obfuscation serves one ultimate purpose: survival.
XOR
The XOR operation is the one most commonly used by malware, because it is really easy to use to hide data. A key is XORed with the plaintext to produce the ciphertext. XOR is its own inverse: the same operation with the same key encodes and decodes. Because a single-byte key has only 256 possible values, it can be brute forced: decode with every key and look for a known plaintext (a URL, "This program cannot be run in DOS mode", a registry path). XORSearch or XORStrings can be used for this.
https://blog.didierstevens.com/programs/xorsearch/
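The brute force described above, as an added example (this is not code from the deck, nor from XORSearch/XORStrings): every single-byte key is tried and the decode is searched for a known plaintext, the printable strings for one key are listed, and, going one step beyond the slide, a short repeating key is recovered from a known plaintext. The beacon text, the keys and the crib are constructed for the example.

```python
"""Brute-forcing XOR-obfuscated data, in the spirit of XORSearch / XORStrings.

Added example: not code from the deck nor from Didier Stevens' tools.
The "beacon" below, the keys and the crib are constructed for the example.
"""
from __future__ import annotations

import re
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so one call encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_search(data: bytes, needle: bytes) -> list[tuple[int, int]]:
    """Try all 256 single-byte keys and report (key, offset) wherever `needle` shows up.
    Key 0x00 is included, so unobfuscated hits are reported too, as XORSearch does."""
    hits: list[tuple[int, int]] = []
    for key in range(256):
        plain = xor_bytes(data, bytes([key]))
        off = plain.find(needle)
        while off != -1:
            hits.append((key, off))
            off = plain.find(needle, off + 1)
    return hits


def xor_strings(data: bytes, key: int, min_len: int = 6) -> list[bytes]:
    """Decode with one single-byte key and return the printable runs (what XORStrings lists per key)."""
    plain = xor_bytes(data, bytes([key]))
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, plain)


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def recover_key_from_crib(data: bytes, crib: bytes, max_key_len: int = 8) -> bytes | None:
    """Known-plaintext attack on a short repeating key of unknown length.

    For every key length and offset, XOR the crib against the data to get a slice of the
    key stream; if that slice repeats with the candidate period, assemble the key in its
    canonical phase (key index 0 = data offset 0) and score the full decode by how
    printable it is. The best-scoring candidate wins.
    """
    best: tuple[float, bytes] | None = None
    for klen in range(1, max_key_len + 1):
        if len(crib) < klen:
            break  # a crib shorter than the key cannot pin down every key byte
        for off in range(len(data) - len(crib) + 1):
            stream = xor_bytes(data[off:off + len(crib)], crib)
            if any(stream[j] != stream[j - klen] for j in range(klen, len(stream))):
                continue
            key = bytearray(klen)
            for j in range(klen):
                key[(off + j) % klen] = stream[j]
            score = printable_ratio(xor_bytes(data, bytes(key)))
            if best is None or score > best[0]:
                best = (score, bytes(key))
    return best[1] if best else None


# Constructed sample: an HTTP beacon template hidden with a one-byte key and with a four-byte key.
BEACON = b"GET /gate.php HTTP/1.1\r\nHost: c2.example\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
SAMPLE_1BYTE = xor_bytes(BEACON, b"\x5a")
SAMPLE_4BYTE = xor_bytes(BEACON, b"K3y!")

if __name__ == "__main__":
    print("single-byte hits:", [(hex(k), o) for k, o in xor_search(SAMPLE_1BYTE, b"HTTP/1.1")])
    print("strings for key 0x5a:", xor_strings(SAMPLE_1BYTE, 0x5A))
    print("recovered 4-byte key:", recover_key_from_crib(SAMPLE_4BYTE, b"HTTP/1.1"))
```

The crib-based recovery is what makes multi-byte keys tractable: 256^n blind guesses are hopeless for n above 3, but eight bytes of expected plaintext fix eight key-stream bytes at once. XORSearch itself additionally tries ROL, ROT and SHIFT encodings with the same known-plaintext idea.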
Other obfuscation methods
Malware also uses many other methods to obfuscate its content:
- ROT13 (Caesar cipher)
- Base64
- Common cryptographic algorithms
- Custom encoding
- Visual Basic encoding
- Commercial obfuscators
- Hash algorithms (e.g. to hide the names of the APIs a sample resolves)
- Packers
Packers
Malware coders often use packing to make analysis more difficult. Samples sometimes contain multiple layers of armoring/packing. Many coders use packers, some of which are also used by commercial products. When the packer's stub runs, the original executable is unpacked in memory.
Figure: wrapper program -> packed executable (not visible in static analysis) -> original executable
Process hollowing
Process hollowing is a technique used by malware to inject malicious code into another process. For example, a sample can create a notepad.exe process and inject its payload into it. To perform process hollowing, a sample uses the following functions:
- CreateProcess: creates the target process in suspended mode, with the creation flag CREATE_SUSPENDED (0x00000004).
- GetThreadContext: retrieves the context of the suspended main thread.
- ZwUnmapViewOfSection: unmaps the original image from the virtual address space of the target process.
- VirtualAllocEx: allocates memory within the suspended process's address space.
- WriteProcessMemory: writes the headers and sections of the PE file into the memory just allocated in the suspended process.
- SetThreadContext: sets EAX (RCX on x64) in the saved context to the entry point of the executable that was written, so the thread starts there.
- ResumeThread: resumes the thread of the suspended process.
http://www.autosectools.com/process-hollowing.pdf
Process hollowing (detection)
Process hollowing is mostly used to avoid detection: the malicious code runs under the name of a legitimate binary. Usually the sample creates another process, which can be observed with a tool that monitors the activities of the sample; the suspended CreateProcess followed by WriteProcessMemory and SetThreadContext on the child is the telltale sequence.
http://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/
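The monitoring view of the API sequence from the two slides above, as an added example (not code from the deck, the Unprotect Project or any monitoring tool): the detector walks an API-call trace and only raises a finding when the stages occur in hollowing order on the same child process. The one-call-per-line trace format, both sample traces and the convention that the monitor resolves process and thread handles to the owning process as "pid:N" are constructed assumptions for this example; a real monitor needs its own parser in place of parse_call().

```python
"""Spotting the process-hollowing API sequence in an API-monitor trace.

Added example, not code from the deck or the Unprotect Project. The trace format
"Api(arg=value, ...) = result", the sample traces and the "pid:N" handle resolution
are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004
CALL_RE = re.compile(r"^(\w+)\((.*)\)\s*=\s*(\S+)$")

# Hollowing stages in the order a sample performs them on the child. Unmapping the
# original image is optional: some variants allocate at a new base and skip it.
STAGES = ("suspend", "unmap", "alloc", "write", "context", "resume")
REQUIRED = ("suspend", "alloc", "write", "context", "resume")
STAGE_OF_API = {
    "NtUnmapViewOfSection": "unmap", "ZwUnmapViewOfSection": "unmap",
    "VirtualAllocEx": "alloc", "WriteProcessMemory": "write",
    "SetThreadContext": "context", "ResumeThread": "resume",
}


@dataclass
class Child:
    pid: str
    seen: dict[str, int] = field(default_factory=dict)  # stage -> trace line of first observation
    writes: int = 0


def parse_call(line: str) -> tuple[str, dict[str, str], str] | None:
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    api, raw_args, result = m.groups()
    args = dict(kv.strip().split("=", 1) for kv in raw_args.split(",") if "=" in kv)
    return api, args, result


def target_of(args: dict[str, str]) -> str | None:
    """Child the call acts on (assumption: the monitor resolved the handle to 'pid:N')."""
    for name in ("hProcess", "ProcessHandle", "hThread"):
        if args.get(name, "").startswith("pid:"):
            return args[name]
    return None


def analyze(trace: str) -> list[dict]:
    children: dict[str, Child] = {}
    for lineno, line in enumerate(trace.splitlines(), 1):
        parsed = parse_call(line)
        if parsed is None:
            continue
        api, args, result = parsed
        if api.startswith("CreateProcess"):
            flags = int(args.get("dwCreationFlags", "0"), 16)
            if flags & CREATE_SUSPENDED and result.startswith("pid:"):
                children[result] = Child(result, {"suspend": lineno})
            continue
        stage = STAGE_OF_API.get(api)
        child = children.get(target_of(args) or "")
        if stage is None or child is None:
            continue
        # A stage only counts once every earlier required stage was seen on the same child:
        # Get/SetThreadContext and ResumeThread on a suspended child with no WriteProcessMemory
        # in between is just a normal suspended start (debuggers and installers do it).
        if stage in REQUIRED and not all(s in child.seen for s in REQUIRED[:REQUIRED.index(stage)]):
            continue
        child.seen.setdefault(stage, lineno)
        if stage == "write":
            child.writes += 1
    return [
        {
            "pid": c.pid,
            "unmapped_original_image": "unmap" in c.seen,
            "write_calls": c.writes,
            "evidence_lines": [c.seen[s] for s in STAGES if s in c.seen],
        }
        for c in children.values()
        if all(s in c.seen for s in REQUIRED)
    ]


# Constructed trace: a sample hollowing notepad.exe (headers, then two sections, then resume).
HOLLOWING_TRACE = "\n".join([
    'CreateProcessA(lpCommandLine="C:\\Windows\\System32\\notepad.exe", dwCreationFlags=0x4) = pid:4120',
    'GetThreadContext(hThread=pid:4120, lpContext=0x19f8c0) = 1',
    'ZwUnmapViewOfSection(ProcessHandle=pid:4120, BaseAddress=0x400000) = 0x0',
    'VirtualAllocEx(hProcess=pid:4120, lpAddress=0x400000, dwSize=0x2a000, flProtect=0x40) = 0x400000',
    'WriteProcessMemory(hProcess=pid:4120, lpBaseAddress=0x400000, nSize=0x400) = 1',
    'WriteProcessMemory(hProcess=pid:4120, lpBaseAddress=0x401000, nSize=0x1f000) = 1',
    'WriteProcessMemory(hProcess=pid:4120, lpBaseAddress=0x421000, nSize=0x8000) = 1',
    'SetThreadContext(hThread=pid:4120, lpContext=0x19f8c0) = 1',
    'ResumeThread(hThread=pid:4120) = 1',
])
# Constructed trace: a debugger-style launch, suspended start and context edits but nothing written.
BENIGN_TRACE = "\n".join([
    'CreateProcessW(lpCommandLine="C:\\tools\\target.exe", dwCreationFlags=0x4) = pid:2288',
    'GetThreadContext(hThread=pid:2288, lpContext=0x20f6a0) = 1',
    'SetThreadContext(hThread=pid:2288, lpContext=0x20f6a0) = 1',
    'ResumeThread(hThread=pid:2288) = 1',
])

if __name__ == "__main__":
    print("hollowing trace:", analyze(HOLLOWING_TRACE))
    print("benign trace:   ", analyze(BENIGN_TRACE))
```

The ordering requirement is what keeps the false-positive rate down: CreateProcess with CREATE_SUSPENDED followed by ResumeThread is routine, and WriteProcessMemory alone is routine; it is the full chain on one child, with SetThreadContext after the writes, that has no benign explanation.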
Anti-debugging
The Windows API provides functions that allow malware to detect whether it is currently being debugged. If a debugger is detected, the malware terminates or changes its behavior to fool the analyst. Several anti-debug functions used by malware:
- IsDebuggerPresent: reads the BeingDebugged field of the PEB (Process Environment Block); a non-zero value means a debugger is attached.
- CheckRemoteDebuggerPresent: similar to the above but takes a process handle, so it can check the current process or any other process.
- FindWindow: WinAPI call that checks whether a window with a given class or title is present (e.g. "OLLYDBG").
- NtQueryInformationProcess: retrieves information about a process from its handle; queried with the ProcessDebugPort class, a non-zero result (the value is -1 when a debugger is attached) tells the malware it is being debugged.
http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet/
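The four checks above done from Python with ctypes, plus the classic "unprotect" move for the PEB-based one, as an added example (not code from the deck or the Unprotect Project). It assumes a Windows host for the live checks and the documented layouts of PROCESS_BASIC_INFORMATION and the first PEB bytes; the Windows-only parts are guarded so the module imports anywhere, and the small pure helper at the end mirrors what IsDebuggerPresent reads.

```python
"""Anti-debug checks from the slide, and clearing PEB.BeingDebugged in our own process.

Added example, not code from the deck or the Unprotect Project. Live checks need Windows;
the PEB layout helper at the bottom is pure Python.
"""
from __future__ import annotations

import ctypes
import sys

PROCESS_BASIC_INFORMATION_CLASS = 0   # ProcessBasicInformation
PROCESS_DEBUG_PORT_CLASS = 7          # ProcessDebugPort
PEB_BEING_DEBUGGED_OFFSET = 2         # PEB.BeingDebugged, same offset on x86 and x64

ON_WINDOWS = sys.platform == "win32"

if ON_WINDOWS:
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    kernel32.IsDebuggerPresent.restype = ctypes.c_int
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    kernel32.CheckRemoteDebuggerPresent.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_int)]
    user32.FindWindowA.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    user32.FindWindowA.restype = ctypes.c_void_p
    ntdll.NtQueryInformationProcess.argtypes = [
        ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    ntdll.NtQueryInformationProcess.restype = ctypes.c_long


class PROCESS_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [
        ("ExitStatus", ctypes.c_long),
        ("PebBaseAddress", ctypes.c_void_p),
        ("AffinityMask", ctypes.c_size_t),
        ("BasePriority", ctypes.c_long),
        ("UniqueProcessId", ctypes.c_size_t),
        ("InheritedFromUniqueProcessId", ctypes.c_size_t),
    ]


def peb_address() -> int:
    """PEB base of the current process via NtQueryInformationProcess(ProcessBasicInformation)."""
    pbi = PROCESS_BASIC_INFORMATION()
    returned = ctypes.c_ulong(0)
    status = ntdll.NtQueryInformationProcess(kernel32.GetCurrentProcess(), PROCESS_BASIC_INFORMATION_CLASS,
                                             ctypes.byref(pbi), ctypes.sizeof(pbi), ctypes.byref(returned))
    if status != 0:
        raise OSError(f"NtQueryInformationProcess failed: NTSTATUS 0x{status & 0xFFFFFFFF:08x}")
    return pbi.PebBaseAddress


def run_checks() -> dict[str, bool]:
    """Each check as the malware performs it; True means 'debugger detected'."""
    if not ON_WINDOWS:
        raise RuntimeError("these checks only make sense on Windows")
    remote = ctypes.c_int(0)
    kernel32.CheckRemoteDebuggerPresent(kernel32.GetCurrentProcess(), ctypes.byref(remote))
    port = ctypes.c_void_p(0)   # DWORD_PTR: -1 when a debugger is attached, 0 otherwise
    ntdll.NtQueryInformationProcess(kernel32.GetCurrentProcess(), PROCESS_DEBUG_PORT_CLASS,
                                    ctypes.byref(port), ctypes.sizeof(port), None)
    return {
        "IsDebuggerPresent": bool(kernel32.IsDebuggerPresent()),
        "CheckRemoteDebuggerPresent": bool(remote.value),
        "FindWindow(OLLYDBG)": user32.FindWindowA(b"OLLYDBG", None) is not None,
        "NtQueryInformationProcess(ProcessDebugPort)": bool(port.value),
    }


def clear_being_debugged() -> int:
    """The unprotect side: zero PEB.BeingDebugged so IsDebuggerPresent returns FALSE.
    Returns the previous value. The other three checks are answered by the kernel or by
    the window manager, not by the PEB, so this patch does not fool them."""
    flag = ctypes.c_ubyte.from_address(peb_address() + PEB_BEING_DEBUGGED_OFFSET)
    old, flag.value = flag.value, 0
    return old


def being_debugged_from_peb(peb_prefix: bytes) -> bool:
    """Pure helper: what IsDebuggerPresent reads, given the first bytes of a PEB
    (InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, ...)."""
    if len(peb_prefix) <= PEB_BEING_DEBUGGED_OFFSET:
        raise ValueError("need at least 3 bytes of PEB")
    return peb_prefix[PEB_BEING_DEBUGGED_OFFSET] != 0


if __name__ == "__main__" and ON_WINDOWS:
    print("before:", run_checks())
    print("old BeingDebugged:", clear_being_debugged())
    print("after: ", run_checks())
```

Run it under a debugger on Windows and the first line shows IsDebuggerPresent and the ProcessDebugPort query both firing; after clear_being_debugged() only the PEB-based check flips, which is exactly why analysts patch the flag with the debugger and hook NtQueryInformationProcess for the rest.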
VM detection
Unfortunately malware writers are aware that many analysts use virtualization to perform their analysis. It is trivial to build virtualization detection into malware, which can cause a number of interesting effects:
- The malware may simply refuse to execute.
- It may act as a totally innocent utility / clean file.
- It may attempt to crash the virtual machine.
- It may attempt to exploit a vulnerability to escape and infect the physical machine.
Red Pill technique
The Red Pill is an anti-VM technique that executes the SIDT instruction to read the IDTR register. There is only one IDTR per processor and only one OS can own it, so the hypervisor must relocate the guest's IDT; VMware placed it at an address of the form 0xFFXXXXXX, which differs from the address seen on bare metal. Caveat: on multi-core systems each core has its own IDT, and with hardware-assisted virtualization SIDT returns the guest's own IDT, so the check is no longer reliable.
http://www.simonganiere.ch/2012/11/20/malware-anti-vm-technics/
Other anti-VM techniques
- No Pill: use of the SGDT and SLDT instructions for VMware detection (same idea as Red Pill, with the GDTR and LDTR registers).
- Detection of VM processes (VmwareService.exe, VmwareTray.exe, ...).
- Detection of VM registry keys.
- Detection of hooked functions (DeleteFileA, CreateFile, ...): a sandbox that hooks these APIs leaves a jump at the function prologue that the malware can spot.
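The artifact checks from the list above (processes, registry keys, guest-tools files, plus the NIC MAC prefix that RocProtect later in the deck also spoofs), as an added example that is not code from the deck, the Unprotect Project or RocProtect. The indicator lists are the commonly known ones and are not exhaustive; the two inventories at the end are constructed, and collect_windows() gathers real ones on a Windows host with the standard library only.

```python
"""Artifact-based VM detection: VM processes, registry keys, guest-tools files, MAC OUIs.

Added example, not code from the deck, the Unprotect Project or RocProtect. Indicator
lists are the well-known ones, not exhaustive; the sample inventories are constructed.
"""
from __future__ import annotations

import os
import subprocess
import sys
import uuid

VM_PROCESSES = {
    "vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe", "vmwareservice.exe",
    "vboxservice.exe", "vboxtray.exe", "qemu-ga.exe",
}
VM_REGISTRY_KEYS = [  # all relative to HKEY_LOCAL_MACHINE
    r"SOFTWARE\VMware, Inc.\VMware Tools",
    r"SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HARDWARE\ACPI\DSDT\VBOX__",
    r"SYSTEM\CurrentControlSet\Services\VBoxGuest",
    r"SYSTEM\CurrentControlSet\Services\vmmouse",
]
VM_FILES = [
    r"C:\Windows\System32\drivers\vmmouse.sys",
    r"C:\Windows\System32\drivers\vmhgfs.sys",
    r"C:\Windows\System32\drivers\VBoxMouse.sys",
    r"C:\Windows\System32\drivers\VBoxGuest.sys",
    r"C:\Windows\System32\vboxhook.dll",
    r"C:\Program Files\VMware\VMware Tools",
    r"C:\Program Files\Oracle\VirtualBox Guest Additions",
]
# IEEE OUI prefixes (first three octets of the MAC) assigned to the hypervisor vendors.
VM_MAC_PREFIXES = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
}


def classify_mac(mac: str) -> str | None:
    """Vendor name if the MAC's OUI belongs to a hypervisor vendor, else None."""
    norm = mac.lower().replace("-", ":")
    return VM_MAC_PREFIXES.get(norm[:8])


def score_artifacts(processes, registry_keys_present, files_present, macs) -> dict[str, list[str]]:
    """Every matching indicator grouped by category; an empty dict means 'looks physical'."""
    hits = {
        "process": sorted({p.lower() for p in processes} & VM_PROCESSES),
        "registry": [k for k in VM_REGISTRY_KEYS if k in registry_keys_present],
        "file": [f for f in VM_FILES if f in files_present],
        "mac": [f"{m} ({classify_mac(m)})" for m in macs if classify_mac(m)],
    }
    return {k: v for k, v in hits.items() if v}


def collect_windows() -> dict[str, list[str]]:
    """Gather the real inventories with the standard library only (Windows host)."""
    if sys.platform != "win32":
        raise RuntimeError("collect_windows() needs a Windows host")
    import winreg

    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True, check=True)
    procs = [line.split('","')[0].strip('"') for line in out.stdout.splitlines() if line.startswith('"')]
    present_keys = []
    for key in VM_REGISTRY_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            present_keys.append(key)
        except OSError:
            pass
    present_files = [p for p in VM_FILES if os.path.exists(p)]
    node = uuid.getnode()  # 48-bit MAC of one interface (random if none could be read)
    mac = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    return {"processes": procs, "registry": present_keys, "files": present_files, "macs": [mac]}


# Constructed inventories: a VMware guest and a bare-metal workstation.
VMWARE_GUEST = {
    "processes": ["explorer.exe", "vmtoolsd.exe", "VMwareTray.exe", "svchost.exe"],
    "registry": [r"SOFTWARE\VMware, Inc.\VMware Tools"],
    "files": [r"C:\Windows\System32\drivers\vmmouse.sys"],
    "macs": ["00:0C:29:3A:B1:7C"],
}
PHYSICAL_HOST = {
    "processes": ["explorer.exe", "svchost.exe", "outlook.exe"],
    "registry": [],
    "files": [],
    "macs": ["3C:7C:3F:12:34:56"],
}


def verdict(inventory: dict) -> dict[str, list[str]]:
    return score_artifacts(inventory["processes"], set(inventory["registry"]),
                           set(inventory["files"]), inventory["macs"])


if __name__ == "__main__":
    inventory = collect_windows() if sys.platform == "win32" else VMWARE_GUEST
    print(verdict(inventory) or "no VM artifacts found")
```

Sandbox hardening is the mirror image of this code: rename the guest-tools processes, remove or rename the registry keys and driver files, and give the NIC a non-vendor MAC. RocProtect, described later in the deck, runs the trick the other way round and plants these same artifacts on a physical machine so that malware carrying such checks refuses to run.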
Unprotect Project
... be hard to remove. The main goal is to provide the first database about binary protection. The database is a wiki with:
- An explanation of the protection technique
- How to defeat this protection
Unprotect Project
The Unprotect Project is a database that aims to gather all the protection and self-defending techniques used by malware and binaries. Unprotect is a community project based on contributors and on a wiki. The goal is to provide the security community and IT people with a knowledge base to detect new generations of malware.
Multiple goals:
- Provide knowledge about malware protection capabilities
- Provide information to defeat these protections in sandboxes and security tools
- Provide the way to manually unprotect a sample, for malware analysts
The wiki can be reached at unprotect.tdgt.org
It groups malware self-defense techniques by classification. Anyone who wants to add content can request an account. Content can be:
- New or unknown malware protection techniques
- Theoretical malware protection techniques
- A full entry (definition, code, how to unprotect, ...)
- An entry with just the definition field
I got an idea: why not emulate a virtual/sandbox environment on my physical machine to stay protected against malware? If a malware detects my fake environment, it will not run and I will not get infected :)
RocProtect: a fake malware analysis machine
I coded a quick and dirty POC that creates VM artifacts on a machine. RocProtect is an open-source POC written in C++. The tool creates on your system:
- Fake registry keys of VMware/VirtualBox/QEMU
- Fake processes (VmwareTray.exe, VboxService.exe, wireshark.exe, ...)
- Fake directories (Wine, VMware Tools, VirtualBox Tools, ...)
- Fake files (vmouse.sys, vboxhook.dll, VboxGuest.sys, ...)
- A fake MAC address related to VMware or VirtualBox
Conclusion
Malware protection techniques are the techniques that allow attackers to remain undetected. Many techniques can be used to evade antivirus, security tools and analysts. Knowing these techniques helps the IT security industry to be more powerful against malware threats.