
Detecting Evasive Malware in Sandbox


Page 1: Detecting Evasive Malware in Sandbox

McAfee Confidential


Rahul Mohandas | Intel Security

Ravi Sahita | Intel Labs

Detecting Evasive Malware in the Sandbox—The Latest from McAfee and Intel Labs

Page 2

Speakers


Rahul Mohandas, Research Manager, Intel Security

Ravi Sahita, Principal Engineer, Intel Labs

Page 3

Agenda

• Evolution of Targeted Malware Attacks and Defenses

• Sandboxing Challenges

• McAfee Advanced Threat Defense Technology

• Use Cases: Sandbox Evasion

• Platform Opportunities

• Summary


McAfee, and the McAfee logo are registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2014 McAfee, Inc.

Page 4

How did we get here?

Evolution of Malware Attacks and Defenses


A large number of enterprises had breaches over the past year. What can be done to better protect the network against these cyberthreats?

Reactive

• md5/URL blacklists

Proactive

• Heuristics/ protocol analysis

Predictive

• Static/ behavioral and predictive analytics

• Malware attribution

Evolution of defenses shown as Attack [Defense].

Page 5

State of Targeted Attacks


Timeline figure (2010–2014) of targeted attack campaigns. Campaigns named on the slide: Duqu, Flame, Gauss, Mahdi, VOHO, Shamoon, Beebus, Ladyboyle, MiniDuke, RSA hack (MAR-2011), Naikon, NetTraveler, SAFE, SunShop, Gotham, ZEGOST (APR-2013), DeputyDog (19-AUG-2013), EvilGrab, IceFog, Kimsuky, Guodl, Taidoor, The3bug, Web2Crew, Project Blitzkrieg, Shiqiang, Quarian (OCT-2013), Havex, Pittytiger (July-2014), Quarian v2.

Other dates shown on the figure that the extracted text does not legibly attach to a campaign: 01-SEP-2011, 02-MAY-2012, 30-MAY-2012, 01-JUN-2012, JUL-2012, 15-AUG-2012, DEC-2012, FEB-2013, MAY-2013, JUN-2013, APR-2014, AUG-2014.

Page 6

Sandboxing Challenges: Evasion

• Hook-detection/skipping.

• Self/VM fingerprinting.

• System tampering.

• Interaction-based.

• Latent behavior.

• Timing analysis.

• And so on …

Page 7

Advanced Threat Defense Technology: Sandboxing approach and future challenges

Page 8

McAfee Advanced Threat Defense

• Using static and dynamically derived program behavior.

• Provides advanced sandboxing capabilities:

  • Virtual CPUs.

  • Anti-anti-debugging.

• Need to unpack to get to original executable code for analysis:

  • Detect variants.

  • Understand potential paths.

  • Provide unpacked code for further analysis.

Diagram: a sample is analyzed in each of several virtual machines (VM 1, VM 2 … VM N) running on top of a VMM.

Page 9

Dynamic and Static Code Analysis

Static Analysis:

• Unpacking

• Disassembly of Code

• Calculate Latent Code

• Familial Resemblance

Dynamic Analysis:

• Runtime DLLs

• Network Operations

• File Operations

• Process Operations

• Delayed Execution

Page 10

Sandbox Evasion (Advanced: inline assembly)

• Use assembly code to bypass hooks:

  • Replace sleep() with an induced delay loop.

  • Bypasses sandboxes that have default analysis timeouts.

• Family classification to the rescue.

Page 11

Sandbox Evasion: Inline Assembly

Page 12


Page 13

Quarian Evolution: Timeline

Timeline figure of Quarian samples and their similarity to the family prototype:

• Sample ce1ef: similarity 97%

• Prototype added: similarity 100%

• Sample 1d6b587: similarity 83.54%

• Sample c0e5746dd: similarity 68.09%

• Sample 93807cff6: similarity 68.18%

• Sample f3862: similarity 66.72%

Dates shown on the timeline: Dec ’11, Jan ’12, March ’12, July ’12, August ’13, March ’14.

Page 14

Sandbox Evasion: Quarian AppId Check

• APT actor active since 2011.

• Checks presence of registry key, exits if not found.

• Evades all known sandboxes relying on behavior only.

• Detected by McAfee® Advanced Threat Defense using static code analysis.
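The static-analysis steps named on the Dynamic and Static Code Analysis slide (Calculate Latent Code, Familial Resemblance, Delayed Execution), the similarity percentages on the Quarian timeline and the registry-check evasion above, modelled together as an added example. This is not code from the deck or from McAfee Advanced Threat Defense: the control-flow graph, execution counts, addresses, API names and the family prototype are constructed for illustration, and Jaccard similarity over basic-block fingerprints is an assumption standing in for whatever scoring the product uses. It shows why a behaviour-only verdict is incomplete for a sample that takes the early-exit path: the unexecuted half of the program still references network and process-creation APIs, and the sample still resembles a known family member.

```python
"""Latent code, delay-loop and familial resemblance checks over a sandbox run.

Added example, not code from the McAfee/Intel deck. All addresses, mnemonics,
API names, execution counts and the "prototype" family member are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Block:
    """One basic block recovered by disassembly (constructed data)."""
    addr: int
    ops: Tuple[str, ...]        # normalized mnemonics, operands stripped
    succ: Tuple[int, ...]       # addresses of successor blocks
    apis: Tuple[str, ...] = ()  # imported functions called from this block


CFG = Dict[int, Block]
Trace = Dict[int, int]  # block address -> times executed in the sandbox


def reachable(cfg: CFG, entry: int) -> Set[int]:
    """Blocks statically reachable from entry, i.e. what disassembly can see."""
    seen: Set[int] = set()
    work = [entry]
    while work:
        addr = work.pop()
        if addr in seen or addr not in cfg:
            continue
        seen.add(addr)
        work.extend(cfg[addr].succ)
    return seen


def latent_code(cfg: CFG, entry: int, trace: Trace):
    """Statically reachable blocks the dynamic run never executed.

    Returns (latent addresses, latent fraction, APIs referenced only from latent
    blocks). A large latent fraction whose APIs include network or process
    creation means the behavioural verdict is incomplete."""
    static = reachable(cfg, entry)
    latent = static - set(trace)
    apis = sorted({api for a in latent for api in cfg[a].apis})
    return latent, len(latent) / len(static), apis


def delay_loops(cfg: CFG, trace: Trace, min_iterations: int = 100_000) -> List[int]:
    """Self-looping blocks executed very often without calling any API: the
    induced delay loop that replaces Sleep() to outlast an analysis timeout."""
    return sorted(a for a, n in trace.items()
                  if n >= min_iterations and a in cfg[a].succ and not cfg[a].apis)


def fingerprint(block: Block) -> str:
    """Address-independent block fingerprint: hash of the mnemonic sequence."""
    return hashlib.sha256(" ".join(block.ops).encode()).hexdigest()[:16]


def similarity(a: CFG, b: CFG) -> float:
    """Familial resemblance in percent: Jaccard index over block fingerprints."""
    fa = {fingerprint(x) for x in a.values()}
    fb = {fingerprint(x) for x in b.values()}
    return 100.0 * len(fa & fb) / len(fa | fb)


def triage(cfg: CFG, entry: int, trace: Trace, family: Dict[str, CFG],
           min_latent: float = 0.25, min_similarity: float = 40.0) -> dict:
    """Combine the three signals into one verdict for the analyst queue."""
    latent, fraction, apis = latent_code(cfg, entry, trace)
    name, score = max(((n, similarity(cfg, c)) for n, c in family.items()),
                      key=lambda t: t[1])
    return {
        "latent_fraction": fraction,
        "latent_apis": apis,
        "delay_loops": delay_loops(cfg, trace),
        "closest_family": name,
        "similarity": score,
        "needs_static_review": fraction >= min_latent or score >= min_similarity,
    }


# Constructed sample: delay loop, registry check, early exit, latent payload.
SAMPLE: CFG = {
    0x401000: Block(0x401000, ("push", "mov", "sub", "call"), (0x401010,)),
    0x401010: Block(0x401010, ("dec", "jnz"), (0x401010, 0x401020)),          # busy-wait
    0x401020: Block(0x401020, ("lea", "push", "call", "test", "jz"),
                    (0x401040, 0x401060), ("RegOpenKeyExA",)),              # AppId check
    0x401040: Block(0x401040, ("push", "call"), (), ("ExitProcess",)),      # key absent
    0x401060: Block(0x401060, ("mov", "xor", "loop", "ret"), (0x401080,)),  # decode config
    0x401080: Block(0x401080, ("push", "push", "call", "test", "jnz"),
                    (0x4010A0,), ("InternetOpenA", "InternetConnectA")),
    0x4010A0: Block(0x4010A0, ("call", "call", "jmp"), (0x4010A0,),
                    ("WriteFile", "CreateProcessA")),
}
# Constructed sandbox trace: the loop spun 2M times, then the exit path ran.
SANDBOX_TRACE: Trace = {0x401000: 1, 0x401010: 2_000_000, 0x401020: 1, 0x401040: 1}

# Constructed older family member sharing most of the block structure.
PROTOTYPE: CFG = {
    0x10001000: Block(0x10001000, ("push", "mov", "sub", "call"), (0x10001010,)),
    0x10001010: Block(0x10001010, ("dec", "jnz"), (0x10001010, 0x10001020)),
    0x10001020: Block(0x10001020, ("lea", "push", "call", "test", "jz"),
                      (0x10001040, 0x10001060), ("RegOpenKeyExA",)),
    0x10001040: Block(0x10001040, ("push", "call"), (), ("ExitProcess",)),
    0x10001060: Block(0x10001060, ("mov", "xor", "loop", "ret"), (0x10001080,)),
    0x10001080: Block(0x10001080, ("push", "call", "test", "jnz"), (0x100010A0,),
                      ("InternetOpenA",)),
    0x100010A0: Block(0x100010A0, ("call", "jmp"), (0x100010A0,), ("WriteFile",)),
}

if __name__ == "__main__":
    print(triage(SAMPLE, 0x401000, SANDBOX_TRACE, {"quarian-proto": PROTOTYPE}))
```

On the constructed input three of seven statically reachable blocks never ran, the unexecuted blocks reference `InternetOpenA`, `InternetConnectA`, `WriteFile` and `CreateProcessA`, the busy-wait block is flagged as an induced delay loop, and the sample scores about 56% against the prototype, so `triage` routes it to static review even though the behavioural run saw nothing but a registry query and an exit.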

Page 15

Quarian Evolution: Static Code Analysis

Page 16

Platform Opportunities: Improving malware analysis

Page 17

Improving Malware Sandbox: Goals

Diagram: a VMM on Intel CPUs hosting VM1, VM 2 … VM n.

Enhance instrumentation to observe zero-day/obfuscated behavior:

• Memory access and execution analysis.

• Kernel/user rootkit-like behavior.

• API, control flow attacks.

• Unpacking, de-obfuscating code.

… without impacting analysis throughput.

Page 18

OS-Independent Behavioral Memory Monitoring

CPU extended page tables (EPTs) as memory monitoring domains

Diagram: CPU0 (Intel® VT-x with EPT) runs a hypervisor and VM0. The EPT walker translates guest physical addresses to host physical addresses through Extended Page Table (EPT) domains; execution crossing EPT domains or data accesses cause events. Domains shown in the figure: Application Code/Data (RX/RW), DLL Code (RX), DLL Code (RO), Application Code/Data (RO/NP), Data (RW), Data (NP).

• Observe read, write, or execution from memory.

• Critical data structure tracking.

• Critical API execution tracking without circumvention.

Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x)

Page 19

Addressing Technical Challenges

• Factors limiting memory monitoring:

  • Hardware context-switch time.

• Filtering uninteresting events with minimal overhead:

  • Monitoring data accesses requires filtering because of 4 KB page sharing: a monitored structure shares its page with unrelated data, so every access to that page raises an event.

• Analyzing execution patterns:

  • Without requiring single-stepping of all execution.

Page 20

Hardware-Accelerated Behavioral Memory Analysis

Minimize exposure of VMM to reduce malware evasion opportunities

Diagram: CPU0 (Intel® VT-x with EPT) runs a hypervisor and VM0. The EPT walker uses one of several Extended Page Tables (Memory View 1, Memory View 2) mapping the same physical pages; the EPTP list is indexed by VMFUNC, and EPT violations are reported via #VE.

• VM Function (VMFUNC) to switch EPTs or memory views without VMExits.

• Virtualization Exceptions (#VE) to directly notify guest of EPT access violations without VMExits.

Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x)

Page 21

Accelerating Behavior-Induced Events

• Behavioral memory monitoring policies setup via EPT domains.

• VMM opts in to convert induced EPT violation (observed events) to #VE.

• Monitoring software can use VMFUNC to switch views in order to analyze memory accesses and continue sandboxed execution.

Diagram: the VMM (on Intel CPUs) defines EPT domains for the VM sandbox. A WRITE access by the monitored app that violates the access policy raises #VE, delivering #VE info to the in-guest monitoring service, which then: 1. Handle #VE. 2. Set up single step or emulate. 3. Complete analysis. VMFUNC view switches appear in the figure between these steps.
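The mechanism described on the four preceding slides (EPT domains as permission views, #VE delivery to an in-guest monitor, VMFUNC view switching, and the 4 KB page-sharing filter), simulated as an added example. This is not code from the deck, from a hypervisor, or from McAfee Advanced Threat Defense; it models the policy logic in plain Python so the control flow of "handle #VE, single-step or emulate, complete analysis" can be followed and tested. Page numbers, view names, the monitored byte range and the access sequence are constructed, and the choice to always analyse execution from a non-executable domain while filtering data accesses outside the tracked structure is an assumption about a reasonable policy, not something the slides state.

```python
"""Memory views, EPT permission domains and #VE-driven monitoring, simulated.

Added example, not code from the McAfee/Intel deck. Page numbers, view names,
the monitored byte range and the access sequence are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAGE = 0x1000  # 4 KB EPT granularity


@dataclass(frozen=True)
class VEInfo:
    """What the #VE handler learns about the faulting access."""
    gpa: int      # guest physical address
    access: str   # "R", "W" or "X"
    view: str     # view that was active when the access faulted


class MemoryView:
    """One EPT domain: page number -> allowed permissions ("" = not present)."""

    def __init__(self, name: str, perms: Dict[int, str]) -> None:
        self.name = name
        self.perms = perms

    def permits(self, gpa: int, access: str) -> bool:
        return access in self.perms.get(gpa // PAGE, "")


class MonitoredGuest:
    """Guest-side monitoring service plus the CPU/VMM mechanics it relies on."""

    def __init__(self, views: List[MemoryView], monitored: Tuple[int, int]) -> None:
        self.views = {v.name: v for v in views}
        self.eptp_list = [v.name for v in views]  # VMFUNC selects by index
        self.current = self.eptp_list[0]          # index 0: restricted view
        self.monitored = monitored                # byte range of tracked structure
        self.events: List[VEInfo] = []
        self.filtered = 0
        self.view_switches = 0

    def vmfunc(self, index: int) -> None:
        """Switch EPT view without a VMExit (simulated)."""
        self.current = self.eptp_list[index]
        self.view_switches += 1

    def check(self, gpa: int, access: str) -> Optional[VEInfo]:
        """EPT walk: None if the access is permitted, else the #VE info."""
        if self.views[self.current].permits(gpa, access):
            return None
        return VEInfo(gpa, access, self.current)

    def access(self, gpa: int, access: str) -> str:
        """Perform one guest access; returns 'ok', 'analysed' or 'filtered'."""
        ve = self.check(gpa, access)
        if ve is None:
            return "ok"
        return self.handle_ve(ve)

    def handle_ve(self, ve: VEInfo) -> str:
        # 1. Handle #VE. Execution crossing into a non-executable domain is
        #    always interesting; data accesses are filtered to the monitored
        #    range because unrelated objects share the same 4 KB page.
        lo, hi = self.monitored
        if ve.access != "X" and not (lo <= ve.gpa < hi):
            self.filtered += 1
            verdict = "filtered"
        else:
            self.events.append(ve)
            verdict = "analysed"
        # 2. Switch to the permissive view and let the single access complete
        #    (in hardware: single-step or emulate the faulting instruction).
        self.vmfunc(1)
        assert self.check(ve.gpa, ve.access) is None
        # 3. Complete analysis: return to the restricted view and resume.
        self.vmfunc(0)
        return verdict


def build_guest() -> MonitoredGuest:
    """Constructed layout: app code, DLL code, app data with a tracked structure, heap."""
    restricted = MemoryView("restricted", {
        0x10: "RX",   # application code
        0x20: "RX",   # DLL code
        0x30: "R",    # application data: writes trap
        0x40: "RW",   # heap: execution traps (unpacked code running from data)
    })
    permissive = MemoryView("permissive", {p: "RWX" for p in (0x10, 0x20, 0x30, 0x40)})
    return MonitoredGuest([restricted, permissive], monitored=(0x30100, 0x30200))


def simulate(guest: Optional[MonitoredGuest] = None) -> List[str]:
    """Run a constructed access sequence and return the per-access verdicts."""
    g = guest or build_guest()
    sequence = [
        (0x10010, "X"),  # normal code execution
        (0x30180, "W"),  # write into the tracked structure
        (0x30800, "W"),  # write to an unrelated object on the same page
        (0x40000, "X"),  # execution from the heap: unpacked code
        (0x30100, "R"),  # plain read, permitted by the restricted view
    ]
    return [g.access(gpa, kind) for gpa, kind in sequence]


if __name__ == "__main__":
    guest = build_guest()
    print(simulate(guest), len(guest.events), guest.filtered, guest.view_switches)
```

The filtered write still costs two view switches, which is the overhead the "Addressing Technical Challenges" slide is concerned with: the filter saves the analysis work, not the event itself, which is why the slides ask for finer-grain monitoring primitives.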

Page 22

Hardware Extensions for Improving Malware Sandbox

Diagram: Intel CPUs running a VMM with introspection extensions; a Windows/Android VM1 beside VM 2 … VM n, each with a sandboxing engine and memory views. Processor features pass-through enables enhanced sandboxing.

Enhanced instrumentation to observe zero-day/obfuscated behavior:

• Memory access and execution analysis.

• Kernel/user rootkit behavior.

• API, control flow attacks.

• Unpacking, de-obfuscating code.

CPU Extensions:

- VMFUNC (low latency memory view switching).

- Virtualization Exceptions (low latency memory monitoring).

- …

Page 23

Addressing Evasion Challenges

Diagram: Intel CPUs running a VMM, with a Microsoft Windows/Android VM1 containing the malware, OS/VM tools and the monitored API; the numbers 1–6 in the figure mark where each capability below applies.

Capabilities that can be enabled via hardware-enhanced introspection and family classification:

1. Hook-detection/skip avoidance.

2. Fingerprinting mitigation.

3. Kernel tamper detection.

4. User detection.

5. Latent behavior detection.

6. Timing virtualization.

Page 24

Looking Ahead: Concluding thoughts

Page 25

Future Directions and Research

• Finer-grain memory monitoring CPU primitives.

• Processor capabilities to detect/prevent malicious behavior via strong control-flow tracking.

• Machine-learning techniques to automate deeper analysis.

• Human interactivity modeling to expose latent code.

• Exploration of native hardware sandbox to reduce malware evasion opportunities.


Page 26

Conclusion

• Combination of behavior and family classification addresses gaps to detect advanced malware.

• Hardware and software co-design to stay ahead of malware approaches.

• Evolving the McAfee Advanced Threat Defense platform:

  • Software improvements via open hypervisors.

  • Hardware-based differentiation to improve analysis.

• Ongoing research to stay ahead of evasion techniques.

Page 27


Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2014 McAfee, Inc.