Malware, Sandboxing and You : How Enterprise Malware and 0day detection is about to fail (again)
Jonathan Brossard (Toucan System)
26/10/2013
Who am I ?
-Security researcher, publishing since 2005.
-Past research : vulnerabilities in BIOSes, Microsoft Bitlocker, Truecrypt, McAfee Endpoint (Defcon 2008), PMCMA debugger (Blackhat USA 2011), « Rakshasa » supply chain backdoor PoC (Blackhat 2012), 2 SAP notes (2013).
-Speaker/trainer at HITB, CCC, Ruxcon...
-
Disclaimer : contains research
This was supposed to be a short research on finding/exploiting a few cool low level bugs in sandboxes.
It ended up leading to more questions than answers on my understanding of what the industry is doing in the AV/sandbox space.
If you have better understanding, I'd really like if you took the time to explain me
([email protected],+PGP).
Disclaimer (rephrased)
WTF is the AV industry doing ? Well, I'm not so
sure I understand anymore ...
What's hot in the AV industry in
2013 ?
AV industry : 2013 trends
-Desktop AV is essentially a thing of the past
-Focus moves technologies hopefully able to « detect 0days »[1] like sandboxing.
=> The new cool thing is emulation and sandboxing.
[1] Don't laugh yet.
How it all started... (/story telling)
(Adobe Sandbox bypass)
Adobe Reader and Acrobat 9.x before 9.5.4, 10.x before 10.1.6, and 11.x before 11.0.02 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDF document, as exploited in the wild in February 2013.
(Adobe Sandbox bypass)
Their « analysis » :
Here is the sequence of the ROP shellcode: msvcr100!fsopen()
msvcr100!write()
mvvcr100!fclose()
kernel32!LoadLibraryA()
kernel32!Sleep()
Upon loading the malicious library, it will enter a long sleep and ensure that the thread has not crashed because the whole stack in the thread is already manipulated for creating a ROP chain.
Their « analysis » :
Here is the sequence of the ROP shellcode: msvcr100!fsopen()
msvcr100!write()
mvvcr100!fclose()
kernel32!LoadLibraryA()
kernel32!Sleep()
Upon loading the malicious library, it will enter a long sleep and ensure that the thread has not crashed because the whole stack in the thread is already manipulated for creating a ROP chain.
Their « analysis » :
Here is the sequence of the ROP shellcode: msvcr100!fsopen()
msvcr100!write()
mvvcr100!fclose()
kernel32!LoadLibraryA()
kernel32!Sleep()
Upon loading the malicious library, it will enter a long sleep and ensure that the thread has not crashed because the whole stack in the thread is already manipulated for creating a ROP chain.
=> In trivial english, this is called bullshitting. They clearly have no idea what the exploit is trying to do here.
What I believe really happens in this
case (wild guess)
Sleep 5 minutes to attempt bypass sanboxing detection – due to limited ressources :)
After all, it's a hardened exploit, found in the wild and the first of its kind to bypass Adobe sandboxing technology...
Limits of such technologies (imho)
-Good at finding artefacts (it's still « something »).
-Pretty bad at understanding what is actually happening inside the exploit.
That being said...
The raise of sandboxes...
The raise of sandboxes...
The raise of sandboxes...
The raise of sandboxes...
Note to self : I don't find quite reasonable to add to your corporate network something nobody really understands.
Note : lack of third party assessment
Note : lack of third party assessment
Note : lack of third party assessment
Note : lack of third party assessment
The whole concept of sandboxing vendors is to not have the perceived enemy take a look at the technology. Ok, agreed.
Note : lack of third party assessment
It also means no third party assessment has been done by the security
community...
In real life, having software due dilligence done by the community has proved to be a good thing for the quality of the said software.
See similar requests from Tavis Ormandi and Pipacs to have a look at Bromium's
technology...
Note : well, they're not Bromium clients, so we have a problem... as an industry, really.
Note 2 : Afaik, Bromium has researchers like Nergal and Jarred Demott. Who of this caliber works for FireEye really ?
Room for problems
(research leads)
Room for problems part I : general design/architecture
What's the trend, perceived
objective like
Current « genious » idea :
-Correlate/share more data to create information asymetry.
-To do that, most (all I've seen allow it, at least in non default mode) solutions now allow a malware to connect back to the internet [*].
[*]Idea being to correlate DNS/binary checksum informations over « campaigns » of attacks in the time.
http://www.ssl.fujitsu.com/products/network/netproducts/fireeye
A few facts on this...
-The whole corporate strategy over the past 15 years has been to segregate LANs, DMZs and the internet.
-Now you give a temporary shell to the attacker at network perimeter (proxies, mail gateways, wherever such sandboxing solutions exist)...
-… and what happens to your DNS ? To your http proxy cache ?
The
(having it both ways)
-Attacker can run a malware inside a sandbox.
-Sandbox allows attacker to connect back to the internet.
-Corporate DNS server is used as a recursive DNS server.
-Attacker has it both ways and can synchronize arbitrary spoofed packets emission from both inside and outside the network.
=> That's gonna be very « safe » for sure...
In all fairness
This could be mitigated by having a dedicated internet connection for the purpose of connecting back from the Sandbox.
Who does that ? (afaict, nobody)
Playing Pong
-What happens if the malware, from inside the sandbox manages to attack other networks (say crowdstrike !) ?
-What happens if the malware can send back a modified copy of itself to the same network (smtp?) for more analysis, and more sandbox cpu time ?
=> It's all about implementation details really.
Pong : 2013 version
Pong : DoS version
-If the malware sends 2 copy of itself to the original SMTP server...
-After n iterrations, we have 2^n copies sent back to FireEye.
-Exponential cpu load => #FAIL
Whether the security fails open or close is unknow, both are bad.
Is this « wormable » (yet) ?
-FireEye claims to work with 30 % of the TOP 100 Companies. That makes it not so hard to find...
-Their strategy is to synchronize malware information sharing... (allow exploits to drop exes on the sandboxes... ?!?)
-They cover you « 360 », from mail gateways to http proxy file downloads, etc.
-Ok, so how exactly do you prevent one malware to get endless free execution time inside your different sandboxes around the world ?
Room for problems part II :
Turning lame bugs into sandbox
Oracles
The problem
-Many online malware scanning engines run qemu (+ some various instrumentation and automation custom software)
-User doesn't get to see anything from the scanning process.
-Now, what if an attacker has a qemu lame DoS or endless loop PoC ?
Turning lame bugs into sandbox
Oracles
(aka : hacking online malware analysis tools... hrm)
Demos
Room for problems part III :
Such bugs do happen...
What degrees do projects like Xen or qemu really have in terms of security ?
A fair question is the relative maturity of such technology, not when it comes to support legacy Oses or current Oses, but hostile malware trying to hurt them.
Exempli gratia : typical bugs reported
(complexity, software maturity : format strings/symlinks or complex overflows ?)
x86_emulate: MOVSXD must read source operand just once (Xen Unstable, 21/09/2013)
Ok, so you're at miscomputing EIP on basic
instructions such as MOVSXD on 32b...
Note : this is totally exploitable imho btw.
How does that rank compared to
real cpu bugs ?
That was in 1997... The instruction is far less
used (CMPXCHG8B)
Qemu internals
Qemu goals
-(Fast) binary translation.
-Binary code is translated into an IR, which is then executed by a virtual cpu, independently of host OS/arch.
-Super generic, super fast, super portable, super cool. Truely impressive.
-Super secure for the purpose of malware analysis though ?
Qemu supports two modes
-System (full) virtualization
-Kernel emulation (wine/Windows, linux).
While many of current implementations are likely to be using the first flavour, we'll focus on the later one, which promises great speed enhancements, and a much greater attack surface... ;)
Qemu architecture
Party time !!
Qemu regression tests...
Demos
Conclusion
Interresting technologies. Cool hacking tools, usefull for researchers.
There is room for massive security problems, the devil being in the details. Imho, not ready for Enterprise grade deployment.
No such a thing as third party assessment afaict.
From a strict game theory pov, your best interrest is probably to
have others use that, but stay away from such technologies...
The
applied to silver bullet 0day
sandboxing :
« You can't have it both ways ! »
Bonus : ending the isolation myth
The Myth
«As a researcher, I run malware inside a sandbox, therefore I am safe... »
BULLSHIT !!
=> Use a network segregated sacrifical lamb instead.
Demo
Thanks for inviting me.
Questions ?