BSides DC 2015 – An Adversarial View of SaaS Malware Sandboxes

Good afternoon. So, I hope you are here for the talk, An Adversarial View of SaaS Malware Sandboxes. So, Monica Jaison throws begin for research and for upstream Orton security for more than the past ten years; here's a few twists air works india he moves out in Game adversity. My background is mainly data analytics and security research, and I marinche are from sir to creating, this is a little better.

So when we were doing this, our motivation was that we kept hearing a lot of different things about malware and AV, that sandboxes don't work. We heard that earlier today in this room, actually, so we wanted to take a look at some of those things. One of those is AV: we wanted to see what happens when you submit a sample to a whole bunch of these different sandboxes, what goes on over there. We also wanted to see what happens when you submit to a sandbox: does the data that is generated from it propagate through threat intel feeds and also data sharing programs? So how the sample is shared, how the indicators generated from it propagate to other threat feeds. The next thing you're interested in is the operational security of submitting files to these places: are you going to tip off the adversary? What are they going to see, what are they going to know, and when are they going to know it? That's what we also kept in mind. And whenever I look at a lot of samples you keep seeing malware that employs these new methods to detect the sandbox it's running in. We wanted to see if that worked, and how advanced you have to be to actually detect the different sandboxes that people are using, at least in commercial and free implementations of those.

So with our experiment we created a sensor, and we created a couple of versions of that sensor and submitted it to different sandboxes. On the server side we just ran an HTTP Tornado app and BIND DNS servers, and we included the execution time in the domain name that it looked up, as well as the campaign ID, so we could track which sandbox we submitted to. We submitted to 29 different sandboxes, well, 29 different samples to 29 different online sandboxes, and then we watched the traffic come back to us. These are some of the sandboxes we submitted to; they include our own sandbox, because we wanted to see what happened when we ran things with our configuration, with our sensor.

This is some of the information we brought back. We just enumerate the host; we take a look at the socket base; we use socket communications instead of WinInet so there wouldn't be an index.dat artifact; we created a key and we deleted the key, and we did that because we wanted to see the validity of the results that the sandboxes were returning, to see if they were monitoring everything or they were just doing a snapshot before and after and comparing; and then we exited the process. There wasn't any remote access capability; it didn't allow them to download any files, it didn't allow you to have a reverse shell, anything like that. Just to be clear, nothing that our sensor did was malicious in any way; it's just enumerating the host and communicating details about it back to us for research purposes. So just to be clear, it's using these details: the number of CPUs, username, process list, currently running processes, the amount of RAM on the machine, the machine's local IP address, the machine's hostname, the hard drives, sorry, all the drives, hard drives, removable, details of all of them, details about the BIOS. And so literally this is all the sort of data we collected; really the goal was kind of identifying features of malware sandboxes in order to fingerprint them, just for the research. When we were building this we wanted to make it look like malware, and we tried to make it look like APT malware as much as possible. A lot of APT malware

does a lot of that host enumeration, and we also took a sample of malware from a family called Wi-Fi if their entire and we modeled our HTTP communications after them. This is the WMI communications of musa cisco in a packet capture there: it POSTs base64-encoded, zlib-compressed data. And then this was our HTTP traffic, which was sending the compressed and base64-encoded data inside of a packet capture. That worked pretty well, but we evolved our sample to do a little bit more. So as we went through this research, we spent our first time around with samples to all these different sandboxes, and we noticed quite a few of the samples were getting executed where we weren't seeing HTTP requests; all we were seeing is DNS. We figured a bunch of these sandboxes have blocked outgoing TCP connections, so when that happened all we could see is evidence of execution; we could not see the sandbox environment. So one of the goals was to see if we could get those details from as widespread a set as possible. So the next thing that we did, we evolved our sensor and added a very simple DNS protocol. Same sort of thing as before: we zlib-compressed all the data we sent back, we hex-encoded that, we split it across chunks of DNS packets, really just doing simple multiple DNS TXT record requests, and then capturing all that data on the server side and decoding it.

So everyone keeps saying that AV, then, you're not going to get any good detection from this. When we first submitted our sample, that was true; all of our samples were shown as being completely benign. We had zero antivirus detections, which kind of we should have, since it's not really malware. But over time, about a month later, by this code we ended up with six of our samples having been submitted to other sandboxes, and our antivirus detection ranged from 8 out of 57 engines to 30 out of 57 engines. Most of them noted our sensor as being Zeus or Graftor. And one of the other interesting pieces of it was that as time went on, the number of engines noting it as malicious increased.

So part of this research goal was to figure out how information propagates from these malware sandboxes through the research community. So the first question is sharing. I think everyone kind of knows that that happens; the answer to that is yes, actually quite a bit of sharing. We found, because each sample submitted to each different sandbox was unique and had its own campaign ID, we could track where we submitted the sample: here, with ABC, it got executed here, here, here, here over time. So some places we found propagate a sample to a whole lot of other places, which also execute the sample. So when that sample gets executed it generates a ton of network traffic; you can see the vantage points for the network traffic. If they do an HTTP request you can see the source IP of where it came from; we can see the DNS server and the source IP from all these different locations. A lot of these places also, I would say, were at least poor in operational security; they were doing it from their own corporate network. Every major AV company was represented in our logs. So this kind of goes to show you: if you submit a sample to most of these sandbox servers or services, the data will get to AV companies, you lose complete control over it, they will execute it, and likely a lot more of the other ones. We found, because we had the campaign ID and the timestamp of execution in the domain name, we would see samples get executed at the initial sandbox we submitted to, and then over the course of weeks and days later we would see DNS resolutions coming in for the same exact domain names, which we knew were not from new executions; they were for executions with Yuka trace rap. We could also see how these domains were being shared, and ultimately some of the domains ended up on threat indicator lists, which we thought was really interesting, because this is not malware, it doesn't do anything malicious, it wasn't reported from a customer. We uploaded it as researchers, it propagated through the network of security researchers, and it ended up on their threat intelligence lists. The other thing we saw: a lot of the origins of the traffic, with direct connections to our C2 server and DNS resolutions, came directly from the corporate networks of

AV vendors as well as several security product companies. So just to reiterate: if you submit samples to these sandboxes, you lose complete control over them; you will be tipping off the adversary. Here I'll show a little more detail. These slides show the domains that ended up on threat lists, piece of just three of the feeds that we have access to, which we thought was kind of interesting. So this is just a timeline of events. First domain: first a DNS resolution observed, soon after the HTTP request, that's just a few seconds apart, and then the following day ones that one two three insurgency, very similar. The next one: DNS resolution observed, added to a threat indicator list, and later on the HTTP request, which is a little curious. So they're two hours later with the HTTP request; not sure if they are buffering or blocking these HTTP requests, or have a very, very delayed system, but we thought that was interesting. And then a similar pattern for the last one.

So one other thing we did was take a look at all the sandbox IPs, and this was just out of curiosity. We have tons of threat intelligence data, and then we have the sandbox IPs interacting with our system, so just out of curiosity: if you take the sandbox IPs and look them up in our intelligence databases, what comes out of it? So of all the sandbox IPs that made a valid POST, this means they're actually allowing HTTP TCP connections, about 15, we were also identifying some in our intelligence. Six of them were from Tor, so this shows us some of the sandbox vendors are actually routing this down through Tor; that's not a bad idea, encourage your trash loaded. If you're running this on your corporate network you would identify yourself. One was an anonymous proxy, also probably not a bad idea. All the others were kind of interesting, because they allow outbound TCP connections, there's avenues for abuse. So of all the other IPs identified, we did find oddities. So this, a lot of times, means they connected to someone's sinkhole, which is not surprising: they did a DNS resolution for a malicious domain that's been sinkholed by a researcher, that I keep the next a mystical, so that makes sense. Spam IPs, sort of thing, and whatnot, bounty skechers go; some of that spam was out they thought that they get out into a list resourceid sting, at least very similar in nature. And the last thing, which was kind of interesting, served to Old River, was compromised IPs. So one of them showed it was a victim in a keylogger log; not surprising, but interesting.

So as far as a timeline of activity here, we first submitted this on a Friday, and a lot of places made DNS connections to us and then just a few to our C2 server. The more interesting thing was on the Monday morning it seemed that everybody had their rules updated, stars fell over something, and all of a sudden we had a large amount of HTTP requests to our HTTP server. The second submission, I think maybe a month later, we received a lot of DNS requests again, but that made sense because we were using the DNS C2; it doesn't have time for your car. One of the other interesting things, you may remember, in the middle of the week, the second week, we started to get a lot more DNS resolutions. We don't really know why that occurred; maybe it was that this information had been uploaded to those portals and people were resolving those and trying to scrape those C2s, different sandbox books at that point, but we received a lot more traffic during that time period. But one of the most interesting things occurred on the 25th of August. During that time period there was a handful of IP addresses, ban shy keys, that started hitting our HTTP server, and they were really obviously trying to enumerate vulnerabilities and directories on our server, and I think our server would respond to anything, correct? Yeah. So it was interesting to see that.

One of the other features that we wanted to enumerate here was based upon all of the reporting of malware detecting sandboxes with these different advanced techniques: one of those advanced techniques, obfuscating oficio boxes, or is it much easier to identify

the different sandboxes? So, you know, can the sandboxes be fingerprinted, is it powers is, do you need some of the more advanced techniques that have been talked about in the security research literature? So that's when we collected all the data mentioned earlier. So this is just kind of listing some of this up, what we found, and two runs on three sort of system process this. A lot of times these sandboxes run on VMware; that's not surprising; that's not a dead giveaway of a sandbox, but it can be an indication. I know a lot of enterprises are looking to use virtualization, so you can't just rely on that, but we do see a lot of this in the research: the MAC address. They're going to take the MAC address and look, if it's a pretty wife around bleeding, just looking to see what the vendor is. VMware was the most representative system we found, so long as in our sandbox, also not surprisingly music. There are a few others that can also show up in some of these; actually some look like they're trying to cover their tracks, money would like it wasn't super fly system going down with violence. VMware seems to be the most popular boxing gym. It was kind of interesting, as they both personalization remarks you're both extremely probably used elisa universal. So these start to kind of get you closer to telling you this is probably a sandbox.

Disk size, same sort of thing. How many people do you know have a 20 gig hard drive on their machine? I'd say probably not very many, unless you're running a tablet. We did some market research and you can still buy machines with small hard drives, but they're almost all tablets; the smallest that I could find was 32 gig. So all these very small hard drives, our claim is, are likely to be pretty anomalous in an enterprise setting. So if bad guys are submitting samples, or if they key in on your disk size on the machine, this could be an indication that you're running in the sandbox, especially taken together with the other criteria that we're talking about. RAM, same sort of thing: 1 gig of RAM was the most popular setting on all these systems. How many enterprise computers do you know run with just one gig of RAM? Maybe quite a few; most systems we've seen come with two gigs, so this is also kind of telling, that's right. And then lastly, and this is also another interesting tell, was the exe renamed. So how often do you download something and then rename it to sample.exe, malware.exe, or take the MD5 of the sample and rename it to that before you run it? So as a normal user, who likely is the target of malware, they're not going to do this; researchers are going to do this. This was very, very prominent in almost every sandbox we looked at, not every one of them, but most of them. So there's kind of a lot of tells. None of these are sophisticated, but taken in aggregate you can really start to zero in on: is this a sandbox or is this a user? Yeah. One other feature was the number of drives connected. Most virtualized hosts that people run, your Citrix, your VDI, VMware hosts in corporate environments, will have multiple drives connected to them even if they have that small fixed disk.

So in our view, all of the things that malware authors are doing to try to detect sandboxes are way too advanced. You can detect the sandboxes much easier than that if you just look at the CPU count and look for a disk size smaller than or equal to 60 gigs. And the other thing was none of the sandboxes were running a web browser, and pretty much everybody's computer is running a web browser these days. If you just look for those things you will probably detect ninety percent of researchers' machines or sandboxes.

So one of the things I just wanted to kind of key in on, we thought this was kind of interesting: the number of sandboxes, and these are diverse sandboxes, these are not the same ones we submitted to, you know, across different campaigns that we did, that had the same usernames, same hostnames, same disk size, same CPU count, pretty much very, very similar across the images. So what this tells us is people are sharing images: they're taking a Windows image that's identical and they're just sharing it out. From an operational security standpoint this is incredibly bad. This basically allows the bad guys to zero in on what to look for in a sandbox, and you can tell with not a lot of effort, if you do this sort of data collection, really what to look for and how widely propagated these images are. I don't really want to go into too much detail, because we don't want to make a how-to for how to do that, but it's pretty bad. Yeah, there were

really only four sandbox images that we were seeing repeatedly, and they were the same image just over and over and over again from many different places. Fairly interesting.

So our lessons learned were that most people are using the same sandbox images, and that AV thinks your file is malicious regardless of its capability. Our sensor didn't have any remote access capabilities; it did the same thing that a lot of JavaScript that's on web pages does, and we were marked as malicious, especially the more that they were shared; that seemed to be the key item that they were keying in on. Also, if someone submits an adversary's sample to a malware sandbox, they will be tipped off immediately. The other thing is you start to see how it propagates out to all these different security companies who are using pretty poor operational security, doing things directly from their network, directly connecting to the C2 servers from their network, directly doing DNS resolutions from that network. So it definitely tips off the adversary if the sample gets uploaded, just because of how widely it gets executed, how widely the traffic that gets generated from the systems gets spread and then resolved through DNS resolution systems, passive DNS systems, those sorts of things. Some of our samples we submitted, I think about a month or two ago, the C2 domains are still being resolved today, so they're still looking them up. So it's a dead giveaway. Just something to be mindful of as you use these systems: it's basically tipping your hand. If this is a targeted attack you're tipping your hand; not only can they look and see, is my file showing up on any of these free sites, they see the traffic immediately. So keep that in mind.

Next, sandboxes can be fingerprinted basically trivially, with very, very simple techniques; you don't need anything advanced. Most of the advanced techniques that we saw were mainly about keying in on virtualization, so is this running in a virtualization setting or not. That's not really needed to detect sandboxes. It may or may not be virtualized, but it's likely going to have the same hostname, very small disk size, very small RAM size, only one CPU. Most CPUs today have more than one core, so it seemed one CPU, along with the other features we mentioned, is kind of anomalous for enterprise settings. All these very simple things can be used to key in on that. And then lastly, you get what you pay for. These services are free; we don't mean to knock them in any way, but keep that in mind: as you send the data outbound you lose complete control over it.

I also wanted to, we kind of stepped over a couple of things earlier: the sharing of the sample, how far they were shared. One of the sandboxes we submitted to, we saw, over a two-week period, more than 500 other client IPs hit our server and more than 200 actual HTTP requests from our malware, or our sensor, to our C2 server. The other thing was this was really easy to create. It took us less than 40 hours total to stand up the server, to put together the two different sensors, and to submit them to all these sandboxes, and the part of the experiment that took the longest was submitting them to all of the sandboxes. So, and that's all we actually had; this was much quicker than I thought it was going to be with 23 slides. Does anybody have any questions?

Yeah, so we've been working with some of them. The question was, have we shared information back to the providers of the different sandboxes and such? We have with some of them, not with all of them. A lot of it is just getting a hold of the right people, so our plan is to disclose all of our findings in great detail to all these vendors; we just haven't had a chance to fully finish that process. That's why we left a lot of detail out of the talk; we didn't go into great detail on each sandbox provider, really didn't want to create a how-to for how bad guys can do that sort of thing, but we're still working through responsible disclosure.

The question was, do we feel, if

our sample got shared with the dark side? It's possible, if they're monitoring these sandboxes. A lot of these sandboxes allow you to download the files directly from them; they would really need to be looking for them. A lot of these places have millions of uploads per day, so it's kind of a sea of data. We definitely saw that some places are downloading all the malware from these sandboxes and executing every one of them; I would guess those are all AV companies, just based on the data we have.

So the question was, what do we recommend that the sandbox vendors do to mitigate the threat? I suppose to us the biggest threat was more to the end users and the end organizations. Going into this we kind of knew that people would share the samples and they would run them; we didn't quite know the level of activity that we would see. That was kind of amazing, and additionally, how regular the activity was: a couple of companies hit us every hour on the hour, so that's kind of interesting to see. So our takeaway was that people that are responding to a targeted intrusion, or what they think is a targeted intrusion, it's in their best interest to actually run those things in a closed sandbox environment rather than on the open web. You can do that with REMnux, with FakeNet if you don't want to set up a separate Linux side, or with a lot of other tools as well. The sandbox providers themselves, there's a lot of work that they could do to improve their platforms: maybe improve the disk sizes, improve the memory sizes and the RAM sizes. Those are all things that have been disclosed and talked about before; we just wanted to see how useful those things actually were. And one of the things that came out like last week was samples of Upatre that were doing like a GetTickCount to see how long the host had been up, because I guess their assumption is that some sandboxes will just reset and restart the image each time, with a short amount of time from boot to when it's run, but you could easily work through that by just starting up an image that's already been up for 30 minutes or something.

The only thing I would add to that is some of the free open-source sandbox platforms, I think, could help with either documentation or automation to change the configuration of the images. Images are going to be shared, that's a fact, but you could do stuff right before they set the malware to execute: change the hostname, change the BIOS settings, change a bunch of features of the VM, or at least how the VM looks to the malware sample; also, not rename the sample before running. A bunch of different things that they could do, I think, to help enable people who run these locally, because a lot of these same platforms are run locally by researchers; they're just as fingerprintable if you run them locally. So I think those are things that could be done.

Did we see any complete failures, or someone took our sample and ran it not in a sandbox but in some sort of production environment? I don't think so. It might be hard for us to detect that, to be honest, but I don't think that happened. We could probably say that most likely did not happen, because all of the disks were like 20 gigs and 30 gigs in size.

So what percentage of the providers actually tried to call back? Good question. Yeah, so I guess eight of them, is that right? Eight of the sandbox providers actually connected to us with the HTTP traffic; 22 of them connected, made the DNS lookup, out of 29. There were some places that made no connections whatsoever to our sites; that was interesting. A lot of the connections to our systems were made after they had been shared from that original provider out, and that was interesting. Most of the places that you select private on end up sharing those samples to other AV providers, which was an interesting

finding of ours.

Oh, the question was, did we look at the acceptable use policy and data sharing policies of these places after we saw how data propagated? We have not done that yet; that would definitely be interesting, to see if there's a conflict. I would like to continue this research, and I think there's a lot of other directions we can go with this. Yeah, I would like to do that, specifically around how the indicators ended up on threat indicator lists that were being deployed in people's production blocking scenarios; that's kind of the most interesting portion to us, at least to me.

Oh yeah, so the most prevalent DNS servers were Google DNS, and the most prevalent HTTP servers, or HTTP clients, were Amazon Web Services. So a lot of people are running sandboxes on Amazon Web Services and a lot of people are using Google DNS, 8.8.8.8, and all of that comes back as Google most frequently, at least that we were seeing.

Did we really act at all? Oh well, we would have been doing the detection, although we did, we created the samples in such a way that we were actually specifically trying to trigger one of our colleague's YARA rules that were up on VirusTotal, and that did succeed, and neville it's fun, he wasn't really happy with us after a couple of days and just kept sending messages back to us. Any other questions?

Jeff, Graftor? I guess, no, so if we UPX packed them they were almost always detected as Zeus amongst some AV vendors, but then some of the samples that were UPX packed were also detected as Zeus and then they were detected as Graftor; I have no idea why they were. If anything, by using the, and you might remember this from when you took my class, did we do the ChopShop module? No? Okay, so the way that we did the HTTP communications, I was really curious to see, will any AV vendors use the network traffic to try to trigger off of that and classify the malware, or the sample, as something, and we were specifically using that to try to see if that would happen, and that didn't happen. So that was kind of interesting. Anybody else? Cool, thank you.
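The talk describes the sensor's DNS channel (compressed host data, hex-encoded and split across TXT record requests, with a campaign ID and execution timestamp in the query name) and the later re-resolutions of those same names by other parties days after the original execution. As an added example, not code from the speakers, here is detection logic a DNS log reviewer could run to flag that chunked pattern and to separate fresh executions from re-resolutions; the query-name layout `<hex-chunk>.<campaign>.<timestamp>.<apex>`, the log format and all values are constructed for the example.

```python
"""Flag hex-chunked DNS beacons in query logs and separate fresh executions
from later re-resolutions of the same indicator (added example; the name
layout <hex-chunk>.<campaign-id>.<execution-timestamp>.<apex> is assumed)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# A label that is nothing but hex and too long to be a word is the tell.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$")
APEX_LABELS = 2  # treat the last two labels as the registrable domain

# Constructed log, "<timestamp> <client-ip> <qtype> <qname>"; documentation IPs only.
SAMPLE_LOG = """\
2015-08-10T14:02:01Z 198.51.100.7 TXT 1f8b0800000000000003130b.c0ffee.1439215321.research-c2.example
2015-08-10T14:02:01Z 198.51.100.7 TXT 4b2f2e4fcb4cd7c9cccfd3cf.c0ffee.1439215321.research-c2.example
2015-08-10T14:02:02Z 198.51.100.7 TXT 2bcecb2d00006d26fc0e0900.c0ffee.1439215321.research-c2.example
2015-08-10T14:05:44Z 203.0.113.22 TXT 1f8b0800000000000003ab4e.c0ffee.1439215544.research-c2.example
2015-08-13T09:30:10Z 192.0.2.15 A 1f8b0800000000000003130b.c0ffee.1439215321.research-c2.example
2015-08-15T11:12:00Z 192.0.2.88 TXT 1f8b0800000000000003130b.c0ffee.1439215321.research-c2.example
2015-08-10T14:02:05Z 198.51.100.7 A www.example.org
2015-08-10T14:02:06Z 198.51.100.7 A mail.example.org
"""


@dataclass
class Query:
    ts: str
    client: str
    qtype: str
    qname: str


@dataclass
class ApexReport:
    queries: int = 0
    txt_queries: int = 0
    hex_chunk_queries: int = 0
    names: set = field(default_factory=set)
    executions: set = field(default_factory=set)       # (campaign, exec_ts) pairs
    reresolutions: list = field(default_factory=list)  # (ts, client, qname)

    @property
    def hex_ratio(self) -> float:
        return self.hex_chunk_queries / self.queries if self.queries else 0.0

    @property
    def suspicious(self) -> bool:
        # Mostly long hex labels spread over several distinct names: chunked data.
        return self.hex_ratio >= 0.5 and len(self.names) >= 3


def parse_log(text: str) -> list:
    queries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        ts, client, qtype, qname = parts
        queries.append(Query(ts, client, qtype.upper(), qname.lower().rstrip(".")))
    return queries


def apex_of(qname: str) -> str:
    return ".".join(qname.split(".")[-APEX_LABELS:])


def analyze(queries: list) -> dict:
    reports = defaultdict(ApexReport)
    first_client = {}  # qname -> client that first queried it
    for q in sorted(queries, key=lambda q: q.ts):  # ISO timestamps sort lexically
        r = reports[apex_of(q.qname)]
        labels = q.qname.split(".")
        r.queries += 1
        if q.qtype == "TXT":
            r.txt_queries += 1
        if HEX_LABEL.match(labels[0]):
            r.hex_chunk_queries += 1
            if len(labels) >= APEX_LABELS + 3:
                r.executions.add((labels[1], labels[2]))  # campaign, exec timestamp
        # The same name queried again from another client is a re-resolution:
        # someone obtained the indicator (report, feed, shared sample) and is
        # looking it up, not a fresh execution of the sample.
        if q.qname in first_client and first_client[q.qname] != q.client:
            r.reresolutions.append((q.ts, q.client, q.qname))
        first_client.setdefault(q.qname, q.client)
        r.names.add(q.qname)
    return dict(reports)


if __name__ == "__main__":
    for apex, rep in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{apex}: suspicious={rep.suspicious} hex_ratio={rep.hex_ratio:.2f} "
              f"executions={len(rep.executions)} reresolutions={len(rep.reresolutions)}")
```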