Cloud

9/7/2017
10:30 AM
Paul Shomo
Paul Shomo
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Sandbox-Aware Malware Foreshadows Potential Attacks

For the continuous monitoring industry to remain relevant, it needs to match the vigor of sandbox vendors against targeted subversion.

Sandboxes monitor behaviors to detect new strains of malware without prior knowledge of its existence. This has cemented sandboxing as a pillar of modern cybersecurity. It's also spurred a decade-long arms race with "sandbox–aware" malware that hides these behaviors. Should we expect a repeat of this arms race in the continuous monitoring space?

Many similarities exist between the observational techniques of sandboxes and continuous monitoring (CM). While sandboxes typically exist in the cloud or on central appliances, CM agents deliver this monitoring on endpoints. They hook into the operating system to observe things such as process creation, file and registry changes, and network communications. Patterns in these activities detect behaviors indicative of malware.

To predict hackers' future reaction to CM, I examined the history of sandbox-aware malware. I spoke with Christopher Kruegel, CEO of Lastline, about detecting these countermeasures. Lastline offers a platform to detect advanced persistent threats (APTs), zero-day exploits, and evasive malware. Our conversation guided my research for this article.

Countermeasures to Detect Sandbox Environments
If malware engages in malicious behavior inside the sandbox, the game is up. Hackers know this. Thus, crimeware may perform "environment scans" to determine if a sandbox is present.

Most sandboxes consist of virtual machines pre-installed with instrumentation to observe behaviors. Sandbox-aware malware may scan the file system, study OS services, or examine open ports. It may also look for DLLs or registry keys indicating a virtual environment. In recent years, Trojan.APT.BaneChan has even looked for signs a human user is present. Sandbox vendors have responded by threat scoring a potential sample if it performs these environmental scans. One could easily see this same cat and mouse with malware looking for CM agents.

Some companies have designed their architectures to rise above this arms race. Instead of using a virtual machine, Lastline built an emulator to intercept CPU instructions. As CEO Christopher Kruegel explains, "[emulation] looks at everything the program does. Not just when it calls the operating system, but all the parts between. Examining when it processes data, makes decisions, and when it goes through the instructions of the program."

While emulation is helpful, no architecture is foolproof. Researchers have suggested countermeasures that detect "emulation gaps" by including obscure machine instructions not supported by emulators. These calls would fail and thus signal the presence of emulation. Here begins another arms race to insert exotic CPU commands into malware, and for vendors to judge if they're countermeasures.

Efforts to Suppress Malicious Behavior
Sandboxes need to observe malware behavior over time. The first volleys in this battle were time-based attacks. Typically these attacks sleep or perform only benign activities until the examination times out. CM agents never stop observing, so here they have an advantage over sandboxes.

Behavioral observation is implemented by hooking into system calls. Cyber weapons may remove hooks or operate before the hook and not allow the sandbox's code to execute and record activity. These strategies could work against a CM agent's similar hooking strategy.

Coaxing out suppressed behaviors can be difficult. Western intelligence agencies built Stuxnet to target Iranian reactors. Unless Stuxnet sees certain control system components, it exhibits only benign behavior. Continuous monitoring, existing on the targeted endpoint, has an advantage here.

This is also where the emulated sandbox approach shines. If only 5% of the code runs inside Stuxnet, Lastline's emulator can force the CPU to execute additional code branches. After all of the behaviors manifest, the malware can finally be threat scored.

Overt Acts of Subversion
While a crashed sandbox could pique the interest of an analyst, hackers hope it forces them to give up on analyzing a sample. Target-built malware can purposely crash when run where it doesn't belong. It can call libraries designed to crash sandboxes not equipped with capabilities such as 3-D modeling. Crashing endpoints where CM agents exist could be an option but disables the endpoints a hacker is using to advance their breach.

For CM vendors to remain relevant long term, they'll need to match the vigor of sandbox vendors against targeted subversion. Security architects should prepare by employing a defense-in-depth approach. This assumes any detection technology could fail, and layers many of them. Use sandboxes and CM, but don't forget to pick up the forensic residue of malicious behaviors on endpoints. Forensic artifacts are tough to hide, and deleting them leaves alarming evidence of "anti-forensics."

Related Content:

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Paul Shomo is a senior technical manager for third party technologies at OpenText. A veteran of cybersecurity, Paul Shomo has spent more than 15 years as a software engineer with experience working in security and forensics, networking, and storage. Paul has spent several ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-0218
PUBLISHED: 2019-04-22
A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.
CVE-2019-11383
PUBLISHED: 2019-04-22
An issue was discovered in the Medha WiFi FTP Server application 1.8.3 for Android. An attacker can read the username/password of a valid user via /data/data/com.medhaapps.wififtpserver/shared_prefs/com.medhaapps.wififtpserver_preferences.xml
CVE-2019-11459
PUBLISHED: 2019-04-22
The tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented(), leading to uninitialized memory use when processing certain TIFF image files.
CVE-2019-11460
PUBLISHED: 2019-04-22
An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to 3.30.2.2, and 3.32 prior to 3.32.1.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's control...
CVE-2019-8452
PUBLISHED: 2019-04-22
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security client for Windows before E80.96 to any file on the system will get its permission changed so that all users can access that linked file. Doing this on files with limited access gains t...