Dark Reading is part of the Informa Tech Division of Informa PLC


Cloud | Commentary
9/7/2017 10:30 AM
Paul Shomo

Sandbox-Aware Malware Foreshadows Potential Attacks

For the continuous monitoring industry to remain relevant, it needs to match the vigor of sandbox vendors against targeted subversion.

Sandboxes monitor behaviors to detect new strains of malware without prior knowledge of their existence. This has cemented sandboxing as a pillar of modern cybersecurity. It has also spurred a decade-long arms race with "sandbox-aware" malware that hides these behaviors. Should we expect a repeat of this arms race in the continuous monitoring space?

Many similarities exist between the observational techniques of sandboxes and continuous monitoring (CM). While sandboxes typically exist in the cloud or on central appliances, CM agents deliver this monitoring on endpoints. They hook into the operating system to observe things such as process creation, file and registry changes, and network communications. Patterns in these activities reveal behaviors indicative of malware.

To predict hackers' future reaction to CM, I examined the history of sandbox-aware malware. I spoke with Christopher Kruegel, CEO of Lastline, about detecting these countermeasures. Lastline offers a platform to detect advanced persistent threats (APTs), zero-day exploits, and evasive malware. Our conversation guided my research for this article.

Countermeasures to Detect Sandbox Environments
If malware engages in malicious behavior inside the sandbox, the game is up. Hackers know this. Thus, crimeware may perform "environment scans" to determine if a sandbox is present.

Most sandboxes consist of virtual machines pre-installed with instrumentation to observe behaviors. Sandbox-aware malware may scan the file system, study OS services, or examine open ports. It may also look for DLLs or registry keys indicating a virtual environment. In recent years, Trojan.APT.BaneChan has even looked for signs that a human user is present. Sandbox vendors have responded by raising the threat score of a sample that performs these environmental scans. One could easily see the same cat-and-mouse game with malware looking for CM agents.

Some companies have designed their architectures to rise above this arms race. Instead of using a virtual machine, Lastline built an emulator to intercept CPU instructions. As CEO Christopher Kruegel explains, "[emulation] looks at everything the program does. Not just when it calls the operating system, but all the parts between. Examining when it processes data, makes decisions, and when it goes through the instructions of the program."

While emulation is helpful, no architecture is foolproof. Researchers have suggested countermeasures that detect "emulation gaps" by including obscure machine instructions not supported by emulators. These instructions would fail and thus signal the presence of emulation. Here begins another arms race: hackers insert exotic CPU instructions into malware, and vendors must judge whether those instructions are evasion countermeasures.

Efforts to Suppress Malicious Behavior
Sandboxes need to observe malware behavior over time. The first volleys in this battle were time-based attacks. Typically these attacks sleep or perform only benign activities until the examination times out. CM agents never stop observing, so here they have an advantage over sandboxes.
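The two evasion patterns described above, environmental scans for virtualization artifacts and sleeping until the examination times out, can both be scored from a behavior trace. The following is an added example, not code from the article or from any vendor mentioned in it: a small scorer over a constructed event trace, run once with a sandbox-style observation budget and once as a CM agent that never stops observing. The event schema, the artifact tokens and the weights are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Event:
    t: float    # seconds since the sample started running
    kind: str   # reg_read | file_stat | sleep | file_write | net_connect
    arg: str    # registry path, file path, seconds slept, or endpoint

# Illustrative substrings suggesting a probe for virtual-machine artifacts (constructed list).
VM_TOKENS = ("vbox", "vmware", "qemu", "hyperv")
PROBE_KINDS = ("reg_read", "file_stat")
OVERT_KINDS = ("file_write", "net_connect")

def score_trace(events: List[Event], window: Optional[float] = None) -> Tuple[int, List[str]]:
    """Score a behavior trace. `window` is a sandbox's observation budget in seconds;
    None models a CM agent on the endpoint that keeps watching after any timeout."""
    events = sorted(events, key=lambda e: e.t)
    seen = [e for e in events if window is None or e.t <= window]
    score, reasons = 0, []
    probes = [e for e in seen if e.kind in PROBE_KINDS
              and any(tok in e.arg.lower() for tok in VM_TOKENS)]
    if probes:
        score += 3
        reasons.append(f"{len(probes)} probe(s) for virtualization artifacts")
    sleeps = [e for e in seen if e.kind == "sleep"]
    slept = sum(float(e.arg) for e in sleeps)
    overt = [e for e in seen if e.kind in OVERT_KINDS]
    if window is not None and slept >= 0.8 * window and not overt:
        score += 2
        reasons.append(f"sleeps {slept:.0f}s against a {window:.0f}s window; nothing overt before timeout")
    if sleeps and overt and overt[0].t > sleeps[0].t:
        score += 4
        reasons.append(f"overt behavior at t={overt[0].t:.0f}s, after {slept:.0f}s of sleeping")
    return score, reasons

# Constructed sample trace: probe for VM artifacts, sleep past a typical sandbox budget, then act.
SAMPLE_TRACE = [
    Event(0.5, "reg_read", r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest"),
    Event(0.6, "file_stat", r"C:\Windows\System32\drivers\vmmouse.sys"),
    Event(1.0, "sleep", "600"),
    Event(601.0, "file_write", r"C:\Users\Public\dropped.dll"),
    Event(602.0, "net_connect", "198.51.100.7:443"),
]

if __name__ == "__main__":
    for label, window in (("sandbox, 120s budget", 120.0), ("CM agent, no timeout", None)):
        score, reasons = score_trace(SAMPLE_TRACE, window)
        print(f"{label}: score={score}; " + "; ".join(reasons))
```

The sandbox run flags the probes and the sleep-through but never sees the payload; the CM run sees the delayed file write and connection as well, which is the advantage the paragraph above describes.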

Behavioral observation is implemented by hooking into system calls. Cyber weapons may remove hooks or operate before the hook and not allow the sandbox's code to execute and record activity. These strategies could work against a CM agent's similar hooking strategy.

Coaxing out suppressed behaviors can be difficult. Western intelligence agencies built Stuxnet to target Iranian reactors. Unless Stuxnet sees certain control system components, it exhibits only benign behavior. Continuous monitoring, existing on the targeted endpoint, has an advantage here.

This is also where the emulated sandbox approach shines. If only 5% of Stuxnet's code runs in a given environment, Lastline's emulator can force the CPU to execute the remaining code branches. After all of the behaviors manifest, the malware can finally be threat scored.

Overt Acts of Subversion
While a crashed sandbox could pique the interest of an analyst, hackers hope it forces them to give up on analyzing a sample. Malware built for a specific target can purposely crash when run where it doesn't belong. It can call libraries designed to crash sandboxes not equipped with capabilities such as 3-D modeling. Crashing endpoints where CM agents exist could be an option, but it disables the very endpoints a hacker is using to advance the breach.

For CM vendors to remain relevant long term, they'll need to match the vigor of sandbox vendors against targeted subversion. Security architects should prepare by employing a defense-in-depth approach. This assumes any detection technology could fail, and layers many of them. Use sandboxes and CM, but don't forget to pick up the forensic residue of malicious behaviors on endpoints. Forensic artifacts are tough to hide, and deleting them leaves alarming evidence of "anti-forensics."


Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that power many of today's ...