
11/15/2017

Page 1

Lenny Zeltser

VP of Product, Minerva
Author & Instructor, SANS Institute

How to Beat Evasive Malware at Its Own Game

Copyright © 2017 Minerva Labs www.minerva-labs.com

Creators of malware have incentives to evade anti-malware products.

• Attackers often tweak and test malware until it’s no longer recognized by the relevant anti-malware tools.

• The longer the specimen remains undetected, the greater its commercial and operational value.

• Staying under the radar of security products and vendors extends the specimen’s half-life.

Page 2

Malware can employ numerous techniques to evade detection.

• Avoid infecting a malware analysis sandbox.

• Stop running if the specimen is being debugged.

• Inject malicious code into legitimate applications.

• Instead of executables, use Java, scripts, macros.

• Don’t cause operational issues, so as not to attract attention.

How to Escape the Malware Chase?

Page 3

Anti-malware tools generally aim to recognize malware to block or disable it.

• This involves defining “patterns” for how malware looks or behaves, so its files or processes can be identified.

• Security vendors often strive to extrapolate from past malware samples ways of spotting future malware.

• Evasive malware varies from the expected static or behavioral patterns to avoid getting detected.


How might we avoid the cat-and-mouse dynamics of the malware chase?

• Instead of looking for malware, create an environment where malware self-convicts and disarms itself.

• Determine what malicious programs fear, and mimic the presence of those artifacts to deceive malware.

• Draw inspiration from applied security research and from defenses used in nature, such as mimicry…

Page 4

Some harmless species have evolved to imitate the signals of a harmful species.

A Few Examples of Evasive Malware

Page 5

Adwind is a powerful remote access trojan (RAT) with low detection rates.

• Implemented in Java

• Often distributed as email attachment files

• Provides full remote control and spying capabilities

• Compatible with Windows, Linux and Mac OS

To evade security vendors, Adwind doesn’t infect virtual machines.

Check for VMware and VirtualBox artifacts.

Page 6

UIWIX ransomware utilizes NSA’s EternalBlue exploit for propagation.

• Targets a Windows vulnerability to execute arbitrary code on the affected system

• Exhibits file-less characteristics by not saving malicious components to the file system

• In addition to encrypting files, also steals credentials

UIWIX’s stealth methods include refusing to execute if it detects that it is being analyzed.

Check for numerous malware forensics tools.

Page 7

Neutrino is a multi-purpose bot with powerful capabilities.

• Includes a keylogger and other data-stealing features.

• Can participate in DDoS attacks.

• Allows the attacker to supply additional malware.

• Implements several evasive anti-analysis techniques.


Neutrino’s evasive approaches include checking whether it’s being debugged.

Malware checks for the presence of a debugger in an attempt to avoid being examined and fingerprinted.

Page 8

Malicious programs can employ many other techniques to detect debuggers.

In this example, FileCryptor malware avoids the obvious IsDebuggerPresent API call.


Other evasion methods include injecting malicious code into legitimate processes.

• Baseline anti-malware tools are unlikely to flag the compromised legitimate application as malicious.

• Code injection can take many forms.

• These tactics misuse features of Microsoft Windows without requiring vulnerabilities or exploits.

Page 9

Reflective DLL injection is one way to place code into another process.

Windows APIs allow the malicious process to write into the memory space of another process.


Executing malicious code as macros is another example of evading detection.

• Baseline anti-malware tools tend to have a harder time recognizing malware that’s not an executable file.

• Microsoft Office macros provide full capabilities to malware if the victim activates the document’s macros.

• Modern malicious macros tend to invoke other tools, such as PowerShell, when infecting the system.

Page 10

The program that a macro wishes to invoke is executed by Microsoft Office.

Security tools might allow this to happen, since the action is taken by a trusted program.
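The usual counter to the trust problem just described is to judge the child by its parent: the question is not whether powershell.exe is a trusted program, but who launched it. The function below is an added example, not code from the talk; it runs over constructed records that use Sysmon process-creation field names (ParentImage, Image, CommandLine), and the parent and script-host lists are assumptions to tune for your own environment.

```powershell
# Added example (not from the talk): flag script hosts whose parent is an Office application.
# Field names follow Sysmon Event ID 1; the records themselves are constructed samples.
$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')          # assumption
$ScriptHosts   = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
                   'cscript.exe', 'mshta.exe', 'rundll32.exe')                         # assumption

$Events = @(   # constructed sample records; the command lines are placeholders
    @{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe -w hidden -c <PLACEHOLDER_COMMAND>' }
    @{ ParentImage = 'C:\Windows\explorer.exe'
       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe -File C:\Scripts\backup.ps1' }
    @{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
       Image       = 'C:\Windows\System32\notepad.exe'
       CommandLine = 'notepad.exe' }
)

function Find-OfficeSpawnedScriptHost {
    param([Parameter(Mandatory)][hashtable[]]$Records)
    foreach ($r in $Records) {
        # Compare on the executable name only, case-insensitively, so install paths do not matter
        $parent = (Split-Path -Leaf $r.ParentImage).ToLowerInvariant()
        $child  = (Split-Path -Leaf $r.Image).ToLowerInvariant()
        if (($OfficeParents -contains $parent) -and ($ScriptHosts -contains $child)) {
            [pscustomobject]@{ Parent = $parent; Child = $child; CommandLine = $r.CommandLine }
        }
    }
}

# Only the WINWORD.EXE -> powershell.exe record is reported; the other two are benign lineage
Find-OfficeSpawnedScriptHost -Records $Events
```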

Perception Deception

Page 11

How might we defend against threats without trying to identify malware?

• Create an environment that causes malware to self-convict, so the specimens disarm themselves.

• Make it look like the malicious program is running in an environment it considers hostile.

• Lie to malware when it invokes API calls that are often used for evasion.

• Control the perception of malware to render it ineffective.


RocProtect by Thomas Roccia generates fake processes, registry keys, files, etc.

• The artifacts make the system look like an analysis environment based on a VM with some security tools.

• It’s highly unlikely that a non-malicious program will refuse to run just because it believes it’s in a VM.

• In contrast, VM-aware malware will terminate itself before infecting the system to remain unidentified.

• This is a proof-of-concept tool.

Page 12

You can see the effects of RocProtect by running the Pafish demo tool.


Another proof-of-concept tool is rapid_env by Adam Kramer.

• Allows users to specify a configuration file for creating specific artifacts on the system.

• It can generate designated files, registry keys, processes and mutex objects.

Page 13

For additional experimentation, look at Gal Bitensky’s “anti-honeypot” scripts.


Manipulating the perception of malware can also be used to vaccinate endpoints.

• Malicious programs often create an infection marker to avoid infecting the system more than once.

• This avoids operational and stability problems.

• Such malware will not infect the endpoint if it locates its infection marker.

• In other words, we can use an infection marker to scare malware away.

Page 14

For example, the WannaCry worm used a mutex object as an infection marker.

Minerva’s free Vaccinator tool generates this artifact to inoculate systems against this malware.


Some infection markers are not static, and have to be generated on the fly.

For instance, Spora ransomware generated its mutex name based on the disk volume serial number.
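The following PowerShell is an added example that is not code from the talk, RocProtect, rapid_env or Minerva’s Vaccinator. In the spirit of rapid_env’s configuration-driven approach it creates decoy artifacts from a declarative list: a file and a registry key that suggest an analysis VM, plus named mutexes that act as infection markers, one fixed (as WannaCry’s was) and one derived per host from the volume serial number (as Spora’s was). Every path, key and mutex name is a placeholder, the Spora-style derivation is an assumption rather than the real algorithm, and HKLM: writes and the Global\ mutex namespace require an elevated session on a test host.

```powershell
$script:HeldMutexes = @()   # handles must stay open: closing the last one destroys the mutex
# Spora-style dynamic marker: assumed derivation; a real family needs its reverse-engineered logic
$serial = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'").VolumeSerialNumber

# Constructed artifact list; every name here is a placeholder, not a real indicator
$Artifacts = @(
    @{ Type = 'File';     Path = 'C:\PLACEHOLDER_ANALYSIS_TOOL\monitor.exe' }
    @{ Type = 'Registry'; Path = 'HKLM:\SOFTWARE\PLACEHOLDER_VM_VENDOR\GuestTools'; Name = 'Version'; Value = '1.0' }
    @{ Type = 'Mutex';    Name = 'PLACEHOLDER_STATIC_MARKER' }             # fixed name, as WannaCry used
    @{ Type = 'Mutex';    Name = "PLACEHOLDER_DYNAMIC_MARKER_$serial" }   # per-host name, as Spora used
)

function New-DeceptionArtifact {
    param([Parameter(Mandatory)][hashtable]$A)
    switch ($A.Type) {
        'File' {
            New-Item -ItemType Directory -Force -Path (Split-Path $A.Path) | Out-Null
            if (-not (Test-Path $A.Path)) { New-Item -ItemType File -Path $A.Path | Out-Null }  # zero-byte decoy
            return (Test-Path $A.Path)
        }
        'Registry' {
            if (-not (Test-Path $A.Path)) { New-Item -Path $A.Path -Force | Out-Null }
            New-ItemProperty -Path $A.Path -Name $A.Name -Value $A.Value -PropertyType String -Force | Out-Null
            return ($null -ne (Get-ItemProperty -Path $A.Path -Name $A.Name -ErrorAction SilentlyContinue))
        }
        'Mutex' {
            # Global\ is visible to every session; match the namespace the family actually uses
            $created = $false
            $m = New-Object System.Threading.Mutex($false, "Global\$($A.Name)", [ref]$created)
            if (-not $created) {
                # Name already taken: an earlier run of this script, or a real infection. Investigate.
                Write-Warning "Mutex '$($A.Name)' already existed on this host"
            }
            $script:HeldMutexes += $m
            return $true
        }
    }
}

function Test-InfectionMarker {
    # Sees the marker the way malware would: by trying to open the named mutex
    param([Parameter(Mandatory)][string]$Name)
    try { [System.Threading.Mutex]::OpenExisting("Global\$Name").Close(); return $true }
    catch [System.Threading.WaitHandleCannotBeOpenedException] { return $false }
}

foreach ($a in $Artifacts) {
    "$($a.Type): created = $(New-DeceptionArtifact $a)"
}
Test-InfectionMarker -Name 'PLACEHOLDER_STATIC_MARKER'   # $true while this session holds the handle
```

The mutex markers exist only as long as this session keeps the handles, which is why a production vaccinator must hold them from a persistent process; the slide that follows lists the other constraints (clutter, performance, anti-malware reactions) that the decoy file and registry key run into.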

Page 15

Beyond proof-of-concept tools, deceiving malware in the real world is challenging.

• Actually generating artifacts leads to cluttering endpoints with files, processes, registry keys, etc.

• Resource utilization and performance are critical.

• Anti-malware tools might react to infection markers.

• You need to avoid breaking production applications.

• Enterprises require centralized management.

Thinking Beyond Detection-Based Approaches

Page 16

There is a way to use evasive capabilities of malware against attackers.

• Cause malware to disarm itself by deceiving it about the results of its queries and actions.

• Create an environment that represents the greatest fears of malicious programs.

• Persuade malware that the system is already infected.

• Look for other ways to control malware without attempting to identify and disable it.


“Hacking” malware like this blocks threats designed to bypass existing defenses.

• This approach creates a strong complement to existing anti-malware solutions.

• Force malware authors to pick their poison when designing malicious software.

• Proof-of-concept tools help with experimentation.

• Production deployment requires enterprise products.

Page 17

Keep learning about fighting malware.

• Follow-Up: [email protected]

• Research: minerva-labs.com/blog

• Twitter: @MinervaLabs