11/15/2017
1
Lenny Zeltser
VP of Product, Minerva; Author & Instructor, SANS Institute
How to Beat Evasive Malware at Its Own Game
Copyright © 2017 Minerva Labs www.minerva-labs.com
Creators of malware have incentives to evade anti-malware products.
• Attackers often tweak and test malware until it’s no longer recognized by the relevant anti-malware tools.
• The longer the specimen remains undetected, the greater its commercial and operational value.
• Staying under the radar of security products and vendors extends the specimen’s half-life.
Malware can employ numerous techniques to evade detection.
• Avoid infecting a malware analysis sandbox.
• Stop running if the specimen is being debugged.
• Inject malicious code into legitimate applications.
• Instead of executables, use Java, scripts, macros.
• Don’t create operational issues to eschew attention.
How to Escape the Malware Chase?
Anti-malware tools generally aim to recognize malware to block or disable it.
• This involves defining “patterns” for how malware looks or behaves, so its files or processes can be identified.
• Security vendors often strive to extrapolate from past malware samples ways of spotting future malware.
• Evasive malware varies from the expected static or behavioral patterns to avoid getting detected.
How might we avoid cat-and-mouse dynamics of the malware chase?
• Instead of looking for malware, create an environment where malware self-convicts and disarms itself.
• Determine what malicious programs fear, and mimic the presence of those artifacts to deceive malware.
• Draw inspiration from applied security research and from defenses used in nature, such as mimicry…
Some harmless species have evolved to imitate the signals of a harmful species.
A Few Examples of Evasive Malware
Adwind is a powerful remote access trojan (RAT) with low detection rates.
• Implemented in Java
• Often distributed as email attachment files
• Provides full remote control and spying capabilities
• Compatible with Windows, Linux and Mac OS
To evade security vendors, Adwind doesn’t infect virtual machines.
Check for VMware and VirtualBox artifacts.
UIWIX ransomware utilizes NSA’s EternalBlue exploit for propagation.
• Targets a Windows vulnerability to execute arbitrary code on the affected system
• Exhibits file-less characteristics by not saving malicious components to the file system
• In addition to encrypting files, also steals credentials
UIWIX’s stealth methods involve avoiding execution if it detects that it is being analyzed.
Check for numerous malware forensics tools.
Neutrino is a multi-purpose bot with powerful capabilities.
• Includes a keylogger and other data-stealing features.
• Can participate in DDoS attacks.
• Allows the attacker to supply additional malware.
• Implements several evasive anti-analysis techniques.
Neutrino’s evasive approaches include checking whether it’s being debugged.
Malware checks for the presence of a debugger in an attempt to avoid being examined and fingerprinted.
Malicious programs can employ many other techniques to detect debuggers.
In this example, FileCryptor malware avoids the obvious IsDebuggerPresent API call.
Other evasion methods include injecting malicious code into legitimate processes.
• Baseline anti-malware tools are unlikely to flag the compromised legitimate application as malicious.
• Code injection can take many forms.
• These tactics misuse features of Microsoft Windows without requiring vulnerabilities or exploits.
Reflective DLL injection is one way to place code into another process.
Windows APIs allow the malicious process to write into the memory space of another process.
Executing malicious code as macros is another example of evading detection.
• Baseline anti-malware tools tend to have a harder time recognizing malware that’s not an executable file.
• Microsoft Office macros provide full capabilities to malware if the victim activates the document’s macros.
• Modern malicious macros tend to invoke other tools, such as PowerShell, when infecting the system.
The program that a macro wishes to invoke is executed by Microsoft Office.
Security tools might allow this to happen, since the action is taken by a trusted program.
Perception Deception
How might we defend against threats without trying to identify malware?
• Create an environment that causes malware to self-convict, so the specimens disarm themselves.
• Make it look like the malicious program is running in an environment it considers hostile.
• Lie to malware when it invokes API calls that are often used for evasion.
• Control the perception of malware to render it ineffective.
RocProtect by Thomas Roccia generates fake processes, registry keys, files, etc.
• The artifacts make the system look like an analysis environment based on a VM with some security tools.
• It’s highly unlikely that a non-malicious program will refuse to run just because it believes it’s in a VM.
• In contrast, VM-aware malware will terminate itself before infecting the system to remain unidentified.
• This is a proof-of-concept tool.
You can see the effects of RocProtect by running the Pafish demo tool.
Another proof-of-concept tool is rapid_env by Adam Kramer.
• Allows users to specify a configuration file for creating specific artifacts on the system.
• It can generate designated files, registry keys, processes and mutex objects.
For additional experimentation, look at Gal Bitensky’s “anti-honeypot” scripts.
Manipulating the perception of malware can also be used to vaccinate endpoints.
• Malicious programs often create an infection marker to avoid infecting the system more than once.
• This avoids operational and stability problems.
• Such malware will not infect the endpoint if it locates its infection marker.
• In other words, we can use an infection marker to scare malware away.
For example, the WannaCry worm used a mutex object as an infection marker.
Minerva’s free Vaccinator tool generates this artifact to inoculate systems against this malware.
Some infection markers are not static, and have to be generated on the fly.
For instance, Spora ransomware generated its mutex name based on the disk volume serial number.
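As an added example (not Minerva’s Vaccinator and not code from the slides), a small Python vaccinator that plants infection-marker mutexes the way the slides above describe: a static list of placeholder names standing in for a family’s known mutex, plus a per-machine name derived from the system drive’s volume serial to illustrate the Spora-style dynamic marker. The placeholder names and the derivation scheme are assumptions, and the Win32 calls run only on Windows.

```python
import ctypes
import hashlib
import sys

# Placeholder marker names standing in for a family's known mutex
# (the real WannaCry mutex name is deliberately not reproduced here).
STATIC_MARKERS = ["Global\\EXAMPLE_FAMILY_A_MUTEX", "Global\\EXAMPLE_FAMILY_B_MUTEX"]
ERROR_ALREADY_EXISTS = 183  # Win32: CreateMutexW found the mutex already there
_open_handles = []          # keep handles alive so the markers persist

def on_windows() -> bool:
    return sys.platform.startswith("win")

def derive_marker_name(volume_serial: int) -> str:
    """Per-machine marker in the spirit of Spora's serial-based mutex name.
    Hypothetical scheme, not Spora's real one: 'Global\\' plus the first 16 hex
    digits of SHA-256 over the serial rendered as 8 uppercase hex digits."""
    digest = hashlib.sha256(f"{volume_serial:08X}".encode("ascii")).hexdigest()
    return "Global\\" + digest[:16].upper()

def system_volume_serial() -> int:
    """Volume serial number of C:\\ via GetVolumeInformationW (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    serial = ctypes.c_uint32(0)
    if not k32.GetVolumeInformationW("C:\\", None, 0, ctypes.byref(serial),
                                     None, None, None, 0):
        raise ctypes.WinError(ctypes.get_last_error())
    return serial.value

def create_marker(name: str) -> bool:
    """Create the named mutex; True if it already existed (marker in place,
    or a real infection). Non-Windows hosts return False without calling Win32."""
    if not on_windows():
        return False
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateMutexW.restype = ctypes.c_void_p
    handle = k32.CreateMutexW(None, False, name)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    _open_handles.append(handle)
    return ctypes.get_last_error() == ERROR_ALREADY_EXISTS

def vaccinate() -> list:
    """Plant every marker; returns [(name, already_existed), ...]."""
    names = list(STATIC_MARKERS)
    if on_windows():
        names.append(derive_marker_name(system_volume_serial()))
    return [(n, create_marker(n)) for n in names]
```

The process that calls vaccinate() has to stay resident, since a named mutex disappears once its last handle is closed.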
Beyond proof-of-concept tools, deceiving malware in the real world is challenging.
• Actually generating artifacts leads to cluttering endpoints with files, processes, registry keys, etc.
• Resource utilization and performance are critical.
• Anti-malware tools might react to infection markers.
• You need to avoid breaking production applications.
• Enterprises require centralized management.
Thinking Beyond Detection-Based Approaches
There is a way to use evasive capabilities of malware against attackers.
• Cause malware to disarm itself by deceiving it about the results of its queries and actions.
• Create an environment that represents the greatest fears of malicious programs.
• Persuade malware that the system is already infected.
• Look for other ways to control malware without attempting to identify and disable it.
“Hacking” malware like this blocks threats designed to bypass existing defenses.
• This approach creates a strong complement to existing anti-malware solutions.
• Force malware authors to pick their poison when designing malicious software.
• Proof-of-concept tools help with experimentation.
• Production deployment requires enterprise products.
Keep learning about fighting malware.
• Follow-Up: [email protected]
• Research: minerva-labs.com/blog
• Twitter: @MinervaLabs