Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

9/7/2017
10:30 AM
Paul Shomo
Paul Shomo
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Sandbox-Aware Malware Foreshadows Potential Attacks

For the continuous monitoring industry to remain relevant, it needs to match the vigor of sandbox vendors against targeted subversion.

Sandboxes monitor behaviors to detect new strains of malware without prior knowledge of its existence. This has cemented sandboxing as a pillar of modern cybersecurity. It's also spurred a decade-long arms race with "sandbox–aware" malware that hides these behaviors. Should we expect a repeat of this arms race in the continuous monitoring space?

Many similarities exist between the observational techniques of sandboxes and continuous monitoring (CM). While sandboxes typically exist in the cloud or on central appliances, CM agents deliver this monitoring on endpoints. They hook into the operating system to observe things such as process creation, file and registry changes, and network communications. Patterns in these activities detect behaviors indicative of malware.

To predict hackers' future reaction to CM, I examined the history of sandbox-aware malware. I spoke with Christopher Kruegel, CEO of Lastline, about detecting these countermeasures. Lastline offers a platform to detect advanced persistent threats (APTs), zero-day exploits, and evasive malware. Our conversation guided my research for this article.

Countermeasures to Detect Sandbox Environments
If malware engages in malicious behavior inside the sandbox, the game is up. Hackers know this. Thus, crimeware may perform "environment scans" to determine if a sandbox is present.

Most sandboxes consist of virtual machines pre-installed with instrumentation to observe behaviors. Sandbox-aware malware may scan the file system, study OS services, or examine open ports. It may also look for DLLs or registry keys indicating a virtual environment. In recent years, Trojan.APT.BaneChan has even looked for signs a human user is present. Sandbox vendors have responded by threat scoring a potential sample if it performs these environmental scans. One could easily see this same cat and mouse with malware looking for CM agents.

Some companies have designed their architectures to rise above this arms race. Instead of using a virtual machine, Lastline built an emulator to intercept CPU instructions. As CEO Christopher Kruegel explains, "[emulation] looks at everything the program does. Not just when it calls the operating system, but all the parts between. Examining when it processes data, makes decisions, and when it goes through the instructions of the program."

While emulation is helpful, no architecture is foolproof. Researchers have suggested countermeasures that detect "emulation gaps" by including obscure machine instructions not supported by emulators. These calls would fail and thus signal the presence of emulation. Here begins another arms race to insert exotic CPU commands into malware, and for vendors to judge if they're countermeasures.

Efforts to Suppress Malicious Behavior
Sandboxes need to observe malware behavior over time. The first volleys in this battle were time-based attacks. Typically these attacks sleep or perform only benign activities until the examination times out. CM agents never stop observing, so here they have an advantage over sandboxes.

Behavioral observation is implemented by hooking into system calls. Cyber weapons may remove hooks or operate before the hook and not allow the sandbox's code to execute and record activity. These strategies could work against a CM agent's similar hooking strategy.

Coaxing out suppressed behaviors can be difficult. Western intelligence agencies built Stuxnet to target Iranian reactors. Unless Stuxnet sees certain control system components, it exhibits only benign behavior. Continuous monitoring, existing on the targeted endpoint, has an advantage here.

This is also where the emulated sandbox approach shines. If only 5% of the code runs inside Stuxnet, Lastline's emulator can force the CPU to execute additional code branches. After all of the behaviors manifest, the malware can finally be threat scored.

Overt Acts of Subversion
While a crashed sandbox could pique the interest of an analyst, hackers hope it forces them to give up on analyzing a sample. Target-built malware can purposely crash when run where it doesn't belong. It can call libraries designed to crash sandboxes not equipped with capabilities such as 3-D modeling. Crashing endpoints where CM agents exist could be an option but disables the endpoints a hacker is using to advance their breach.

For CM vendors to remain relevant long term, they'll need to match the vigor of sandbox vendors against targeted subversion. Security architects should prepare by employing a defense-in-depth approach. This assumes any detection technology could fail, and layers many of them. Use sandboxes and CM, but don't forget to pick up the forensic residue of malicious behaviors on endpoints. Forensic artifacts are tough to hide, and deleting them leaves alarming evidence of "anti-forensics."

Related Content:

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that power many of today's ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7914
PUBLISHED: 2020-02-21
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.
CVE-2016-4606
PUBLISHED: 2020-02-21
Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
CVE-2020-5243
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
CVE-2019-14688
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
CVE-2019-19694
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...