Page 1: Sandbox kiev

Malware Analysis with Sandbox

email: [email protected]

LinkedIn: https://ua.linkedin.com/in/alexanderadamov

Page 2: Sandbox kiev

About Author

Alexander Adamov is a malware researcher and a security trainer with over nine years’ experience in the antivirus industry working for Kaspersky Lab and Lavasoft.

Alexander is a university lecturer who develops new courses for EU universities and gives lectures and trainings in network security, reverse engineering, and malware analysis at the same time.

At present he is running Cloud Sandbox startup.

Page 3: Sandbox kiev

Outline

1) Use Cases

2) Sandbox Intro

3) Sandbox Report

4) Features

5) Web Interface

6) Incident Response and Data Flow

7) Technical Requirements

8) Demo

9) Conclusions

Page 4: Sandbox kiev

USE CASES

Page 5: Sandbox kiev

Case 1: APT “CosmicDuke” Analysis

APT* “CosmicDuke/MiniDuke” – July 2014

The malware can steal a variety of information, including files based on extensions and file name keywords:

*.exe;*.ndb;*.mp3;*.avi;*.rar;*.docx;*.url;*.xlsx;*.pptx;*.ppsx;*.pst;*.ost;*psw*;*pass*;*login*;*admin*;*sifr*;*sifer*;*vpn;*.jpg;*.txt;*.lnk; *.dll;*.tmp;*.obj;*.ocx;*.js

Also, the backdoor has many other capabilities, including:

– Keylogger

– Skype password stealer

– General network information harvester

– Screen grabber (grabs images every 5 minutes)

– Clipboard grabber (grabs clipboard contents every 30 seconds)

– Microsoft Outlook, Windows Address Book stealer

– Google Chrome password stealer

– Google Talk password stealer

– Opera password stealer

– TheBat! password stealer

– Firefox, Thunderbird password stealer

– Drives/location/locale/installed software harvester

– WiFi network/adapter information harvester

– LSA secrets harvester

– Protected Storage secrets harvester

– Certificate/private keys exporter

– URL History harvester

– InteliForms secrets harvester

– IE Autocomplete, Outlook Express secrets harvester

– and more...

Page 6: Sandbox kiev

Example: “CosmicDuke” Builds

• 7 builds per day on average

• Spoofs legitimate apps

• Uses polymorphic encryption by UPolyXv05_v6 to make AV detection harder.

Page 7: Sandbox kiev

Example: “CosmicDuke” Victims

The victims of “CosmicDuke” fall into these categories:

• government

• diplomatic

• energy

• telecom operators

• military, including military contractors

• individuals involved in the trafficking and selling of illegal and controlled substances

Page 8: Sandbox kiev

Analysis in Sandbox

Old CosmicDuke 2013 Report: https://www.dropbox.com/s/avxyrtcdkqtaqfq/report_edf7a81dab0bf0520bfb8204a010b730.htm?dl=0

New CosmicDuke 2014:

• NVIDIA WLMerger App Report: https://www.dropbox.com/s/41t111saz3jy5yl/report_1276d0aa5ad16fb57426be3050a9bb0b.htm?dl=0

• Adobe Acrobat Updater Report: https://www.dropbox.com/s/kvmp6rrc8f43s5t/report_d92faef56fa25120cb092f1b69838731.htm?dl=0

12 minutes

Page 9: Sandbox kiev

Case 2: APT “Epic Turla” Attack

The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including:

• government institutions,

• embassies,

• military,

• education,

• research and pharmaceutical companies.

“Epic Turla” is a massive cyber-espionage operation.

Page 10: Sandbox kiev

Type of “Epic Turla” Attacks

• Spearphishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)

• Social engineering to trick the user into running malware installers with ".SCR" extension, sometimes packed with RAR

• Watering hole attacks using Java exploits (CVE-2012-1723), Flash exploits (unknown) or Internet Explorer 6,7,8 exploits (unknown)

• Watering hole attacks that rely on social engineering to trick the user into running fake "Flash Player" malware installers.

Watering hole example: infected Palestinian Authority Ministry of Foreign Affairs

The attacks in this campaign fall into several different categories depending on the vector used in the initial compromise:

Page 11: Sandbox kiev

Analysis in Sandbox

• Adobe PDF Exploits (Note_№107-41D.pdf, CVE-2013-5065)

Report: https://www.dropbox.com/s/6l25orn9nlgl6ea/report_6776bda19a3a8ed4c2870c34279dbaa9.htm

– Dropped file (Epic/Tavdig/Wipbot backdoor):

Report: https://www.dropbox.com/s/lqw3vvzeudyt4kq/report_111ed2f02d8af54d0b982d8c9dd4932e.htm

• Spearphishing files:

– NATO position on Syria.scr

https://www.dropbox.com/s/6powxf2vo4y3fjp/4d667af648047f2bd24511ef8f36c9cc_report.htm

• Dropped Epic/Tavdig/Wipbot backdoor: https://www.dropbox.com/s/citfclr08eul04x/report_ab686acde338c67bec8ab42519714273.htm

• Turla Carbon package

Report: https://www.dropbox.com/s/rivavmk8w2d56io/report_cb1b68d9971c2353c2d6a8119c49b51f.htm

20 minutes

Page 12: Sandbox kiev

Similar Solutions on the Market

• Norman G2 Analyzer

• ThreatAnalyzer (former GFI Sandbox, CWSandbox)

• Cuckoo Sandbox

• VirusTotal online service

• FireEye MAS

• AlienVault Reputation Monitor

• Kaspersky Application Advisor (Beta)

Page 13: Sandbox kiev

SANDBOX REPORT

Page 14: Sandbox kiev

A Comparison of Sandbox Reports - 1

| Data Type            | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC |
|----------------------|----------------|---------------------------|-------------------------|------------|------|
| Summary/File Details | YES            | YES                       | YES                     | YES        | YES  |
| Static Analysis      |                |                           |                         |            |      |
| Dropped from         | no             | no                        | no                      | no         | YES  |
| Downloaded by        | no             | no                        | no                      | no         | YES  |
| Polymorphic          | no             | no                        | no                      | no         | YES  |
| PE Sections          | no             | no                        | no                      | YES        | YES  |
| VersionInfo          | no             | no                        | no                      | YES        | YES  |

Page 15: Sandbox kiev

A Comparison of Sandbox Reports - 2

| Dynamic Analysis                  | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC |
|-----------------------------------|----------------|---------------------------|-------------------------|------------|------|
| Payload=Behavior class            | no             | no                        | no                      | no         | YES  |
| Process activities                | YES            | YES                       | YES                     | YES        | YES  |
| File Activities                   | YES            | YES                       | YES                     | no         | YES  |
| Registry activity                 | YES            | YES                       | YES                     | no         | YES  |
| Rootkit activity                  | no             | no                        | no                      | no         | YES  |
| Dropped PE Files                  | YES            | no                        | no                      | no         | YES  |
| HOSTS file anomalies              | no             | no                        | no                      | no         | YES  |
| Propagation                       | no             | no                        | no                      | no         | YES  |
| Named Objects (Mutexes, Events)   | YES            | YES                       | YES                     | YES        | YES  |

Page 16: Sandbox kiev

A Comparison of Sandbox Reports - 3

| Network Activities | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC |
|--------------------|----------------|---------------------------|-------------------------|------------|------|
| URLs/DNS           | YES            | YES                       | YES                     | YES        | YES  |
| IDS Verdicts       | no             | no                        | no                      | YES        | YES  |
| Traffic            | no             | YES                       | YES                     | YES        | YES  |
| Detections         |                |                           |                         |            |      |
| Virus Total        | no             | YES                       | YES                     | YES        | YES  |
| Internal Verdicts  | -              | YES                       | YES                     | YES        | YES  |
| Yara               | YES            | no                        | no                      | YES        | YES  |
| Threat Type        | no             | no                        | YES                     | no         | YES  |
| Behavior class     | no             | no                        | YES                     | no         | YES  |
| Danger level       | no             | YES                       | YES                     | no         | no   |

Page 17: Sandbox kiev

A Comparison of Sandbox Reports - 4

| Others                   | Cuckoo Sandbox    | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC                   |
|--------------------------|-------------------|---------------------------|-------------------------|------------|------------------------|
| Screenshot               | YES               | YES                       | YES                     | no         | YES                    |
| Map                      | no                | no                        | no                      | no         | YES                    |
| Strings from dumps       | no                | no                        | no                      | no         | YES                    |
| Removal Instructions     | no                | no                        | no                      | no         | YES                    |
| Architecture             |                   |                           |                         |            |                        |
| Sandbox Hypervisor Type  | Ubuntu/VirtualBox | IntelliVM                 | -                       | -          | VMWare ESX/Workstation |
| Scalability              | no                | YES                       | YES                     | YES        | YES                    |
| Custom sandbox instances | YES               | YES                       | YES                     | -          | YES                    |

Page 18: Sandbox kiev

A Comparison of Sandbox Reports - 5

| User Interface         | Cuckoo Sandbox           | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC          |
|------------------------|--------------------------|---------------------------|-------------------------|------------|---------------|
| UI Type                | Console (Python scripts) | Web                       | Web                     | Web        | Web           |
| Dashboard              | No                       | YES                       | YES                     | No         | No            |
| Queue Manager          | No                       | YES                       | YES                     | No         | YES           |
| Report Type            | HTML                     | PDF                       | PDF                     | Web report | HTML/PDF/Blog |
| Sales                  | Freeware                 | Direct                    | Direct                  | Direct     | -             |
| Total number of “YES”  | 10                       | 15                        | 17                      | 12         | 30            |

Page 19: Sandbox kiev

More Report Examples

https://www.dropbox.com/s/kh7dm8rngokd2f6/7a500c46d62f6f39e4bb2716a323bc34_report.htm

https://www.dropbox.com/s/rz7vzueqyxy53hy/e046da1b39202825155947371254a4e6_report.htm

https://www.dropbox.com/s/cl5h1fi91dkbt0d/e76d42578057862b5823ac926304cc22_report.htm

Page 20: Sandbox kiev

VMRay Analyzer

Source: http://www.vmray.com/vmray-analyzer-features/

Covers all kinds of behavior

• All kinds of low-level control flow (API function calls, system calls, interrupts, APCs, DPCs, ..)

• All kinds of high-level semantics (filesystem, registry, network, user/group administration, ..)

• Monitors user- and kernel-mode code

• All process creation, code injection, and driver installation methods are tracked and detected

• Layer 7 protocols (HTTP, FTP, IRC, SMTP, DNS, …) are identified and parsed

Comprehensive Data Collection

• Enriched output with function prototype information, geoip lookup information, and process dependency graphs

• Takes screenshots from running execution

• Monitors network traffic and stores PCAP files

• Detects and stores all files that are generated or modified by the malware

Page 21: Sandbox kiev

VMRay Analyzer

Process dependency graphs

Page 22: Sandbox kiev

LastLine

Source: http://advancedmalware.lastline.com/discovery-report-for-2/21/2015-to-2/27/2015

Lastline Malware Risk Assessment

Page 23: Sandbox kiev

Sandbox Intro

• Sandbox in-the-cloud (SitC) is a new cloud-based malware analysis system for IS professionals and advanced users.

• It delivers a comprehensive analysis report in 4-5 minutes.

Page 24: Sandbox kiev

Integration into ISP Infrastructure

Page 25: Sandbox kiev

SANDBOX FEATURES

Page 26: Sandbox kiev

Sandbox Features

• Get an analysis report/verdict by hash/file.

• Search for and track analyzed malware samples.

• Custom Yara rules are supported.

• Analysis time ~4 min.

• Scalable architecture (no limit on the number of samples processed) under VMWare ESX.

• Web interface

• >5000 analyzed samples daily on 8 CPU cores (Core i7).

Page 27: Sandbox kiev

Yara Rules are Supported

• Add your own signature to detect files/memory dumps/traffic:

Page 28: Sandbox kiev

SANDBOX INTERFACE

Page 29: Sandbox kiev

Web Interface

• Search by MD5

• Manual sample upload via the web form (high priority)

• Stream analysis (low priority)

• Advanced search in Sandbox database by timeframe, verdicts, Yara rule, etc.

• Report (HTML, PDF) can be sent by email.

Page 30: Sandbox kiev

INCIDENT RESPONSE AND DATA FLOW

Page 31: Sandbox kiev

Incident Response with SitC

Detection → Investigation → Analysis → Remediation → Prevention

Unknown threats can be sent for analysis to SitC as files or metadata when entering a trust perimeter.

SitC can assign a severity level for a submitted threat, so the most critical ones will go to IRT immediately.

Malware analysis takes ~4 mins.

All malicious activities are presented in the SitC report, as well as removal recommendations. The removal script or tool can be generated in advance.

The SitC report contains information about propagation, which helps in understanding the attack vector.

Page 32: Sandbox kiev

Operational Modes

1. On-Demand Analysis (High Priority)

– The user submits an object (file/traffic) via the Web page; it is analyzed and kept on the storage.

– The report is generated and sent to the user’s email.

– The user can choose the type of (pre-defined) virtual machine to be used for the analysis when submitting an object.

2. Stream Analysis (Low Priority)

– The input object (file/traffic) can also be copied to the sandbox incoming folder, where it is processed in an automated way with low priority.

– The user can access the analysis data saved on the storage to do extra analysis.

– The user can search for already analyzed objects by MD5 hash via the Web page to get the HTML report.

3. Sandbox Configuration

– The user can insert new Yara rules via the Web page to detect files/dumps/traffic.
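The intake flow described on the Web Interface, Incident Response and Operational Modes slides (search by MD5 for already analyzed objects, high-priority web submissions served ahead of low-priority stream-folder objects, and severity-based hand-off of the most critical reports to the IRT) can be modelled end to end. The following Python is an added illustration written for this page, not SitC's own code; the class and function names, the VM profile string and the mapping from verdict plus behavior classes to a severity level are assumptions.

```python
import hashlib
import heapq
import itertools
from dataclasses import dataclass, field

# Two intake modes from the slides: on-demand web submissions are served
# before objects picked up from the stream (incoming) folder.
PRIORITY_ON_DEMAND = 0   # high priority
PRIORITY_STREAM = 1      # low priority

# Assumed mapping from report content to severity; the slides only say that
# SitC assigns a severity level and escalates the most critical samples.
CRITICAL_BEHAVIORS = {"c2_connection", "propagation", "rootkit_activity"}


@dataclass(order=True)
class Submission:
    priority: int
    seq: int                                # FIFO tie-breaker inside a level
    md5: str = field(compare=False)
    source: str = field(compare=False)      # "web" (on-demand) or "stream"
    vm_profile: str = field(compare=False)  # pre-defined VM chosen by the user


def severity_of(verdict: str, behaviors) -> str:
    """Derive a severity level from the verdict and observed behavior classes."""
    if verdict == "malicious":
        return "critical" if CRITICAL_BEHAVIORS & set(behaviors) else "high"
    if verdict == "suspicious":
        return "medium"
    return "low"


def route(report: dict) -> str:
    """Critical reports go straight to the incident response team."""
    return "IRT" if report["severity"] == "critical" else "review-queue"


class SandboxQueue:
    """Toy intake model: dedupe by MD5, prioritise by mode, store reports."""

    def __init__(self):
        self._heap = []
        self._seq = itertools.count()
        self._pending = set()       # MD5s queued but not yet analyzed
        self.reports = {}           # MD5 -> report dict ("the storage")

    @staticmethod
    def md5_of(data: bytes) -> str:
        return hashlib.md5(data).hexdigest()

    def lookup(self, md5: str):
        """Web-page search by MD5: return the stored report or None."""
        return self.reports.get(md5)

    def submit(self, data: bytes, source: str, vm_profile: str = "win7-x86"):
        """Return ('cached', report), ('pending', md5) or ('queued', md5)."""
        md5 = self.md5_of(data)
        if md5 in self.reports:
            return "cached", self.reports[md5]
        if md5 in self._pending:
            return "pending", md5
        prio = PRIORITY_ON_DEMAND if source == "web" else PRIORITY_STREAM
        heapq.heappush(self._heap, Submission(prio, next(self._seq), md5, source, vm_profile))
        self._pending.add(md5)
        return "queued", md5

    def next_job(self):
        """Pop the highest-priority submission (None when the queue is empty)."""
        return heapq.heappop(self._heap) if self._heap else None

    def store_report(self, md5: str, verdict: str, behaviors) -> dict:
        """Persist an analysis result and attach its severity for IR routing."""
        report = {"md5": md5, "verdict": verdict, "behaviors": list(behaviors),
                  "severity": severity_of(verdict, behaviors)}
        self.reports[md5] = report
        self._pending.discard(md5)
        return report


if __name__ == "__main__":
    q = SandboxQueue()
    q.submit(b"constructed stream sample", "stream")   # constructed input
    q.submit(b"constructed web sample", "web")         # constructed input
    job = q.next_job()                                 # the web submission comes out first
    rep = q.store_report(job.md5, "malicious", ["c2_connection"])
    print(job.source, rep["severity"], route(rep))
```

Deduplication happens on the MD5 of the object both before and after analysis, so a stream copy of something a user already uploaded never occupies a VM slot twice; a real deployment would key on a stronger hash as well, since MD5 collisions are practical.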

Page 33: Sandbox kiev

Technical Requirements for SitC Deployment

• VMWare ESXi Server 5.1 (free use up to 32 GB RAM):

• 8 CPU cores

• 16 GB RAM

• 4 TB low-speed HDD and 2 x 120 GB SSD

• Internet access (so malware can connect to remote servers and download updates)

• Incoming traffic (PE files, PCAP dumps) to the Sandbox

• Remote access via vSphere to set up and control the Sandbox

• The Sandbox server should be well isolated inside the local network to prevent unintended malware spreading.

Page 34: Sandbox kiev

DEMO

• Cloud Sandbox Video – 2:38

Page 35: Sandbox kiev

Conclusions

1) SitC can potentially be used for:

• Analysis and detection of malicious or suspicious files.

• Analysis and detection of network traffic (PCAP).

• Triggering on custom Indicators of Compromise (IoCs) using Yara.

• Finding 0-day cyber attacks and APTs (via traffic analysis).

• Discovering infected hosts by malicious traffic (connections to C&C servers).

2) The SitC prototype has the most comprehensive malware analysis report in the industry, and we want to test it in a real-life environment.
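The last use case above, discovering infected hosts from their connections to C&C servers, comes down to correlating the URLs/DNS and traffic data a sandbox report exposes with an indicator list. The Python below is an added example written for this page, not SitC's code: the record format, the indicator lists (placeholder names and addresses in reserved documentation ranges) and the sample log lines are all constructed for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed indicator lists (placeholders in reserved example/TEST-NET
# ranges, not real C&C infrastructure). In a sandbox deployment these would
# come from earlier reports' URLs/DNS sections or from custom IoC rules.
C2_DOMAINS = {"update-check.example", "cdn-static.example"}
C2_IPS = {ipaddress.ip_address("203.0.113.5")}

# Constructed connection records in a sandbox-export-like format:
# "<timestamp> <src> <dst> <proto> key=value ..."
SAMPLE_LOG = """\
2015-02-21T10:00:01 10.0.0.12 10.0.0.53 dns query=update-check.example
2015-02-21T10:00:02 10.0.0.12 203.0.113.5 tcp port=443
2015-02-21T10:00:05 10.0.0.20 10.0.0.53 dns query=www.example.org
2015-02-21T10:00:07 10.0.0.31 198.51.100.7 http host=cdn-static.example uri=/gate.php
2015-02-21T10:00:09 10.0.0.20 198.51.100.9 tcp port=80
2015-02-21T10:00:11 10.0.0.44 10.0.0.53 dns query=mail.update-check.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\w+)\s*(.*)$")


def parse_line(line: str):
    """Parse one record into a dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(), **fields}


def domain_matches(name: str) -> bool:
    """Exact or subdomain match against the C&C domain list (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def match_indicators(rec: dict):
    """Return the list of indicator hits for one record (empty if clean)."""
    hits = []
    try:
        if ipaddress.ip_address(rec["dst"]) in C2_IPS:
            hits.append("ip:" + rec["dst"])
    except ValueError:
        pass                                    # dst is not an IP literal
    if rec["proto"] == "dns" and domain_matches(rec.get("query", "")):
        hits.append("dns:" + rec["query"])
    if rec["proto"] == "http" and domain_matches(rec.get("host", "")):
        hits.append("http-host:" + rec["host"])
    return hits


def infected_hosts(log_text: str) -> dict:
    """Map each internal source address to the sorted list of its indicator hits."""
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                            # skip malformed records
        for hit in match_indicators(rec):
            hosts[rec["src"]].add(hit)
    return {src: sorted(hits) for src, hits in hosts.items()}


if __name__ == "__main__":
    for src, hits in sorted(infected_hosts(SAMPLE_LOG).items()):
        print(src, "->", ", ".join(hits))
```

Subdomain matching matters because C&C beacons frequently use per-victim or rotating hostnames under a fixed registered domain; matching only the exact name would miss the last record in the sample log.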