Question about sandboxing


0xDEADBEEF


There is a question that has long baffled me...

Since a Turing machine cannot decide whether a certain portion of code will be executed or not, detecting malware is theoretically undecidable unless the malicious code is triggered under some conditions. One might argue that the problem can be partially solved by constantly monitoring program behaviors in the background. However, I feel this is particularly a bottleneck for detection methods that execute the sample, collect the behavioral trace, and give a verdict within a limited amount of time. For example, how does an automatic sandbox, which usually runs a sample for several minutes, examine malicious apps that are triggered only under certain conditions (e.g. some samples only execute malicious code with certain username/language settings/etc., some samples have a UI and require/ask the user to perform certain actions to let the program proceed to the malicious code section, and theoretically some can wait a year and then detonate the malicious code)? Is there a way to examine multiple execution paths easily in such dynamic analysis, and perhaps intelligently skip these malicious barriers? Static analysis, on the other hand, doesn't seem to have this problem, but of course has trouble with heavily obfuscated code.

Edited by 0xDEADBEEF

Employing "sleeper" malware has always been an effective sandbox bypass method. Such malware doesn't activate for minutes, hours, days, months, and in a few isolated cases, years. Backdoors are a great example of this. I believe in the WannaCry incident, the backdoor was activated a few weeks after it was initially downloaded.

Current malware is increasingly becoming sandbox "aware" in that if it detects one, it will either not download the primary payload or, if it has previously done so, delete it prior to execution. In this regard, sandboxing "did its job" in that it indirectly prevented the malware from executing. Likewise, a persistent sandbox issue has been that much software, legit or malicious, will not execute properly in a sandboxed environment.

Local based sandboxing can best be described as a containment mechanism. Its purpose is to prevent the malware from doing anything malicious to anything existing outside of the sandbox. It does not prevent malicious activities within the sandbox itself; a fact many times overlooked by folks with sandboxed browsers who believe the browser itself is protected.

Cloud based sandboxes and their local based virtual equivalents such as the Cuckoo sandbox are used primarily for malware determination status. Whereas process execution in this environment, if properly constructed, is more likely to succeed, sophisticated malware will most likely be able to detect it is executing outside of its targeted device and alter its behavior accordingly. Most cloud based sandboxing, including that employed by AV vendors, does not run a process for an extended period of time that I am aware of. Logistically, it is just not economically feasible to do so.

Finally, properly evaluating process execution behavior for malicious characteristics within a sandbox frankly requires advanced security training; something that does not, as a rule, exist in most corp. IT environments.

Edited by itman

24 minutes ago, itman said:

Employing "sleeper" malware has always been an effective sandbox bypass method

Yes, most modern sandboxes are now able to skip basic sleep functions. However, there are many ways to sleep, so there is no all-in-one solution to avoid this issue (last year I found a simple method to bypass such a countermeasure in the MSE engine, not sure if they have fixed it).

27 minutes ago, itman said:

In this regard, sandboxing "did its job" in that it indirectly prevented the malware from executing

Yes. Though I am not referring to a sandbox that is used for this purpose. I personally find sandboxes of this kind very confusing regarding user experience. They are more for pros and don't help tell whether an untrusted file is malicious or not (unless the malicious behavior is too obvious).

29 minutes ago, itman said:

Cloud based sandboxes and their local based virtual equivalent ones such as the Cuckoo sandbox are used primarily for malware determination status

Yes, I can't tell how many times Cuckoo can't unroll the behavior of a malicious sample. Some need specific user interaction (like the one that lures the user to click a button and then decodes the malicious payload and destroys the MBR, or the ones that detect the presence of certain processes, which falls outside of traditional anti-VM tricks but is very effective at targeting users with certain language backgrounds). Some will send network beacons and only activate in certain IP regions (some public sandbox services I am aware of don't allow such connections to go through for security purposes). I feel an automated system is powerless against such tricks unless there is some secret sauce that I am not aware of. I've heard of some using symbolic execution and fuzz testing to try to discover more execution paths. However, I believe malware authors can make it difficult by exponentially increasing the number of such paths and making them difficult to track. hmm.


I do have one question in regards to Eset's new Enterprise sandbox offering. Presently Eset doesn't detect global keylogger activity. Case in point.

Attacker deploys a .Net based global keylogger running from PowerShell. For Eset's cloud scanning to detect this keylogger activity, it will have to be employing an engine that has behavioral detection capability. So will Eset be using a new engine in the cloud with behavioral detection capability?


3 hours ago, itman said:

I do have one question in regards to Eset's new Enterprise sandbox offering. Presently Eset doesn't detect global keylogger activity. Case in point.

Attacker deploys a .Net based global keylogger running from PowerShell. For Eset's cloud scanning to detect this keylogger activity, it will have to be employing an engine that has behavioral detection capability. So will Eset be using a new engine in the cloud with behavioral detection capability?

My best guess is they have their in-house kernel logging implemented in the cloud.


hah, I found this article: https://www.vmray.com/blog/analyzing-environment-sensitive-malware/

To detect environment-sensitive malware and thus hidden functionality, we combine Intel’s new Processor Tracing Feature with powerful analysis techniques and sophisticated heuristics:

  • We utilize Processor Tracing information to determine code coverage in memory dumps of the monitored processes, i.e. identify all code locations that have not been executed during analysis.
  • From these untriggered code locations, we identify the subset of ‘interesting’ functionality, e.g., by discarding error handling routines.
  • Then we track back execution flow from these ‘interesting’ non-executed code locations to preceding conditional branches that depend on environment settings, e.g., functions that obtain the current time or keyboard layout.
  • Symbolic execution is then applied to identify paths (conditions) that lead to the hidden functionality.
  • On these paths we use a solver to generate concrete values to trigger their execution.
  • Finally, we reanalyze the sample and make sure that all environment queries result in the values needed to reach the hidden functionality.

So it seems it is adopted in some cutting-edge sandbox services (or not so cutting-edge from a pro's view).

And some related slides: https://www.slideshare.net/FabioRosato/symbolic-execution-of-malicious-software-countering-sandbox-evasion-techniques


Edited by 0xDEADBEEF
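The VMRay pipeline quoted above, reduced to a runnable toy as an added example (not the poster's or VMRay's code): a constructed sample whose hidden block is guarded by three environment checks, a concrete run that records block coverage, back-tracking from the unreached block to the environment-dependent branches it depends on, and a finite-domain search standing in for the symbolic-execution solver, followed by a re-run to confirm the trigger. The sample graph, the environment keys and the candidate domains are all constructed for the example.

```python
from itertools import product

# Constructed sample, modelled as a control-flow graph: each block maps to
# (guard, then_block, else_block), or None for a leaf. A guard is a query on the
# environment (key, op, value); "payload" is the hidden functionality.
SAMPLE = {
    "entry":      (("keyboard_layout", "==", 0x0419), "check_time", "exit_clean"),
    "check_time": (("uptime_days", ">=", 3), "check_user", "exit_clean"),
    "check_user": (("username", "!=", "sandbox"), "payload", "error_handler"),
    "payload": None, "error_handler": None, "exit_clean": None,
}
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">=": lambda a, b: a >= b}

# Baseline analysis environment (constructed) and the finite candidate values the
# search may choose from; a real system would use symbolic values and an SMT solver.
BASELINE = {"keyboard_layout": 0x0409, "uptime_days": 0, "username": "sandbox"}
DOMAINS = {"keyboard_layout": [0x0409, 0x0419], "uptime_days": [0, 3, 30],
           "username": ["sandbox", "alice"]}

def run(env):
    """Concrete execution: return the list of blocks visited (the coverage trace)."""
    trace, block = [], "entry"
    while block is not None:
        trace.append(block)
        node = SAMPLE[block]
        if node is None:
            break
        (key, op, val), then_block, else_block = node
        block = then_block if OPS[op](env[key], val) else else_block
    return trace

def path_conditions(target):
    """Walk predecessors from target back to entry, recording which way each
    environment-dependent branch must go: (key, op, value, must_be_true)."""
    conds, block = [], target
    while block != "entry":
        for name, node in SAMPLE.items():
            if node and block in node[1:]:
                conds.append(node[0] + (node[1] == block,))
                block = name
                break
    return list(reversed(conds))

def solve(conds, domains):
    """Pick environment values satisfying every path condition, or None."""
    keys = sorted(domains)
    for combo in product(*(domains[k] for k in keys)):
        env = dict(zip(keys, combo))
        if all(OPS[op](env[k], v) == want for k, op, v, want in conds):
            return env
    return None

def discover_hidden(baseline_env, domains, interesting):
    """Map each interesting block not covered by the baseline run to an
    environment that reaches it, confirmed by re-running the sample."""
    covered = set(run(baseline_env))
    found = {}
    for block in interesting - covered:
        env = solve(path_conditions(block), domains)
        if env is not None and block in run(env):
            found[block] = env
    return found

if __name__ == "__main__":
    # error_handler is deliberately excluded, as the quoted pipeline discards it.
    print(discover_hidden(BASELINE, DOMAINS, {"payload"}))
```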

25 minutes ago, 0xDEADBEEF said:

Interesting indeed. It appears they get into in-depth code analysis to "root out" the triggers sleeper malware employs.

SC Magazine did a review of it here: https://www.scmagazine.com/vmray-analyzer/review/9401/ . It costs $2700, obviously in the range an SMB would think twice about before shelling out. Also this comment:

Quote

To use it you need some, but not a lot, of prior knowledge about malware analysis so that makes it a perfect tool for the intermediate or senior security engineer just adding malware analysis to his or her tool kit.

Wonder how many SMBs have one of those employed full-time?

Also SANS did a recent in-depth review/analysis of VMRay here: https://www.sans.org/reading-room/whitepapers/analyst/vmray-analyzer-rapid-malware-analysis-incident-response-ir-teams-38325

Edited by itman

20 minutes ago, itman said:

Wonder how many SMB's have one of those employed full-time

Perhaps they are targeting large enterprise customers. Their sample report seems to be very detailed.

Plus, some more discussion about the countermeasures against some of the evasion techniques I mentioned in the previous post: https://www.first.org/resources/papers/conf2017/Countering-Innovative-Sandbox-Evasion-Techniques-Used-by-Malware.pdf

I should have found these materials earlier... guess I should try more search keywords next time.

I believe ESET and perhaps other large AV vendors also have in-house sandboxes with such capability, otherwise there would be a lot of samples that slip through.


BTW, Cuckoo has just released a new version today, sadly not with the most anticipated feature.

Edited by 0xDEADBEEF

Speaking of the Cuckoo sandbox, this is something Eset could implement in their retail and endpoint versions. VoodooShield for example has it even in their free version.

Edited by itman

Here's the latest salvo from the never ending Microsoft propaganda machine in regards to Windows Defender under the auspices of Office 360 malware detection. I have underlined the relevant parts in this article extract:

Machine learning vs. social engineering

Quote

When the Windows Defender AV client encounters an unknown file, lightweight local ML models search for suspicious characteristics in the file’s features. Metadata for suspicious files are sent to the cloud protection service, where an array of bigger ML classifiers evaluate the file in real-time.

In both the client and the cloud, specialized file-type ML classifiers add to generic ML models to create multiple layers of classifiers that detect a wide range of malicious behavior. In the backend, deep-learning neural network models identify malicious scripts based on their full file content and behavior during detonation in a controlled sandbox. If a file is determined malicious, it is not allowed to run, preventing infection at the onset.

File type-specific ML classifiers are part of metadata-based ML models in the Windows Defender AV cloud protection service, which can make a verdict on suspicious files within a fraction of a second.

https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering/

1. WD does suspend any unknown file execution while cloud scanning is underway. Actually, Win 10 native SmartScreen, which is not part of WD, will block the execution of any .exe file unknown to it as long as the file was downloaded from the Internet. So Microsoft's statements are misleading. It is performing local based heuristic analysis like any major AV product does.

2. If cloud scanning determines the file malicious, it will blacklist it in native SmartScreen. Again, all major AV vendors have similar execution blacklisting capability.

3. The most audacious claim is that its cloud scanning can detect malware and relay that status back to the requesting device in micro-seconds. The reality is any advanced malware cloud evaluation will take much longer. WD's "out-of-box" default scan duration is 30 secs. or less I believe. Once that duration has elapsed, the process is allowed to execute unimpeded.

The problem with this type of "phony baloney" publication is I am increasingly seeing recent web publications that recommend Windows Defender as now ready for endpoint protection. Although these publication sources are of dubious origins, they are undoubtedly being read and considered by CIOs in organizations where budget constraints are a factor.

Edited by itman

There is one area where process suspension and cloud sandboxing with analysis needs to be mandatory. That area is PowerShell unknown script execution.

Malware Research Group last year performed an ad hoc analysis of major security products in their effectiveness against obfuscated malware scripts:

Current state of malicious Powershell script blocking: https://www.mrg-effitas.com/current-state-of-malicious-powershell-script-blocking/

The purpose of the test was to evaluate the use of Win 10's Anti-malware Scan Interface (AMSI) by AV vendors in the detection of obfuscated malware PowerShell scripts. AMSI is a type of in-memory sandbox that allows for inspection of scripts after they "decloak" prior to their execution. For those not familiar with PowerShell script obfuscation, PowerShell will ignore certain characters that are embedded within a script. This makes the script code indecipherable both to humans and, as shown in the MRG report, to most AV products' local heuristic analysis. MRG employed three levels of obfuscation in their test, which were classified as basic, intermediate, and advanced:

  • 58% of tested products were able to detect the obfuscated script malware at the basic level.
  • 41% at the intermediate level. Of note is Windows Defender which "supposedly" does cloud scanning of suspicious scripts, failed at this level.
  • 25% at the advanced level.

The advanced level test particulars are:

Quote

Now, let’s use Invoke-Obfuscation developed by Daniel Bohannon – @danielhbohannon on Invoke-Mimikatz, and use IEX for in-memory execution.

These vendors blocked the attack:

  • AVG/Avast (blocked the password stealing)
  • Hitmanpro.Alert Beta* (blocked the password stealing)
  • Update 2017-08-10: Latest Kaspersky Internet Security 2017 blocks the attack (blocked the password stealing)

The new technology in the Sophos’ HitmanPro.Alert beta is set to be included in Sophos Intercept X.

Interestingly, none of these vendors alerted about the attack, both allowed the Powershell Mimikatz to run, but blocked the password hash stealing. But it was blocked so kudos for them!

Eset passed both the basic and intermediate level tests.

Edited by itman

18 hours ago, itman said:

The most audacious claim is that its cloud scanning can detect malware and relay that status back to the requesting device in micro-seconds. The reality is any advanced malware cloud evaluation will take much longer. WD's "out-of-box" default scan duration is 30 secs. or less I believe. Once that duration has elapsed, the process is allowed to execute unimpeded. 

I think it is doable, as long as the client engine can extract feature vectors locally and only send that information to the cloud for a large-model verdict... As they showed in the article, the detonation-based model (cloud sandbox) requires minutes, but the preliminary static examination takes much less, similar to Avira's strategy.


However, I've not used WD for a long time, so I don't know if their claims match what the actual product does. I guess document protection is sort of different from WD's cloud scan. And I agree with your comment about SmartScreen; it is sort of an anti-exec tool from my user experience, not that "smart".

Edited by 0xDEADBEEF

4 hours ago, 0xDEADBEEF said:

I guess document protection is sort of different from WD's cloud scan.

WD e-mail scanning:

Quote

Email scanning limitations

We recommend using always-on real-time protection to protect against email-based malware.

Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended setting for scanning emails.

If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:

  • Email subject
  • Attachment name

Warning

There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus

The quoted detection paragraph would lead one to believe that e-mail malware remediation is not automatic.

-EDIT- Forgot to mention the main difference between Eset and WD e-mail scanning. WD does not have a web filter as Eset does. As such, e-mail cannot be scanned by WD until it actually "hits the disk."


Edited by itman

Another point about WD is its "out of the box" default settings are not configured for maximum protection. I am posting below how this is done. Also there are ways to do the same without Group Policy settings by using equivalent registry settings. This leads me to believe that WD settings on VirusTotal and possibly for recent AV lab tests are so configured. If you review recent realtime AV lab tests, there are a number of behavioral "user decision" hits that support my assertion that WD is running w/o default settings. The settings in red are changes from default settings:

Quote

Confirm Block at First Sight is enabled with Intune

1. In Intune, navigate to Device configuration - Profiles > Profile name > Device restrictions > Windows Defender Antivirus. Note: The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.

2. Verify these settings are configured as follows:

  • Cloud-delivered protection: Enable
  • File Blocking Level: High
  • Time extension for file scanning by the cloud: 50
  • Prompt users before sample submission: Send all data without prompting

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus

Edited by itman

To dispel any "illusions" that Windows Defender is ready for enterprise level protection, there is the AV-Comparatives enterprise solutions comparative test for Mar. - Apr., 2019 here: https://www.av-comparatives.org/tests/business-security-test-march-april-2018-factsheet/

For this testing, WD's file-level blocking was set to "high", which would correspond to its default Win 10 Enterprise setting. Out of 620 malware samples, WD detected them all, but 31 of them required user interaction to block/allow, with also 4 false positive detections recorded. This level of user interaction would clearly be unacceptable in most corporate environments.

Eset on the other hand scored 99.4% in this test with zero user interactions and false positives. Eset was also tested at default settings.


3 hours ago, itman said:

Eset on the other hand scored 99.4% in this test with zero user interactions and false positives

However, the result from page 5 seems to be inconsistent with the real-world case...


10 hours ago, 0xDEADBEEF said:

however, the result from page 5 seems to be inconsistent with real-world case..

I didn't review the .pdf initially. Different malware tests were involved:

In the Realtime comparative, in which Eset scored 99.4%:

Quote

The results are based on a test set consisting of 620 test cases (such as malicious URLs), tested from the beginning of March till the end of April.

In the dynamic Malware Protection in which Eset scored 97.8%:

Quote

The Malware Protection Test assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. The methodology used for each product tested is as follows. Prior to execution, all the test samples are subjected to on-access scans (if this feature is available) by the security program (e.g. while copying the files over the network or from a USB device, or saving from webmail). Any samples that have not been detected by the on-access scanner are then executed on the test system, with Internet/cloud access available, to allow e.g. behavioural detection features to come into play. If a product does not prevent or reverse all the changes made by a particular malware sample within a given time period, that test case is considered to be a miss. For this test, 1,470 recent malware samples were used.

The "reverse all the changes made by a particular malware sample" leads me to believe this is the primary reason for failure. In any case, Windows Defender scored 99.9% in this test, assumed to be due to cloud behavioral analysis that required user interaction. Note that no such activity is mentioned in this section, nor does it appear any penalty was assessed for it.

Edited by itman

1 hour ago, itman said:

The "reverse all the changes made by a particular malware sample" leads me to believe the primary reason for failure.

Yeah, this makes sense. Usually AMS detection will leave some harmless side-effects remaining on the test machine, so if these side-effects are counted as a failure, ESET will for sure get a bit lower score...


One other point about the AV-C Enterprise Malware Protection test extracted from the above posted quote:

  • or saving from webmail

Enterprise endpoints do not receive e-mail via webmail but via e-mail client software; predominantly Microsoft Outlook. Eset and select other endpoint security software employ web filtering to scan client e-mail and any attachments at the network level prior to file creation on the disk. Windows Defender, which lacks web filtering scan capability, obviously does not.

It is "discrepancies" like this in recent AV lab testing which lead me to believe accommodations are being made on Microsoft's behalf. So one really has to pay attention to current test details.
