Malware, Sandboxing and You : How Enterprise Malware and 0day detection is about to fail (again)

Jonathan Brossard (Toucan System)

26/10/2013

Who am I ?

-Security researcher, publishing since 2005.

-Past research : vulnerabilities in BIOSes, Microsoft Bitlocker, Truecrypt, McAfee Endpoint (Defcon 2008), PMCMA debugger (Blackhat USA 2011), « Rakshasa » supply chain backdoor PoC (Blackhat 2012), 2 SAP notes (2013).

-Speaker/trainer at HITB, CCC, Ruxcon...

-Co-founder of the Hackito Ergo Sum and NoSuchCon research conferences (France).

Disclaimer : contains research

This was supposed to be a short research on finding/exploiting a few cool low level bugs in sandboxes.

It ended up leading to more questions than answers on my understanding of what the industry is doing in the AV/sandbox space.

If you have better understanding, I'd really like if you took the time to explain me

([email protected],+PGP).

Disclaimer (rephrased)

WTF is the AV industry doing ? Well, I'm not so

sure I understand anymore ...

What's hot in the AV industry in

2013 ?

AV industry : 2013 trends

-Desktop AV is essentially a thing of the past

-Focus moves technologies hopefully able to « detect 0days »[1] like sandboxing.

=> The new cool thing is emulation and sandboxing.

[1] Don't laugh yet.

How it all started... (/story telling)

CVE-2013-0640

(Adobe Sandbox bypass)

Adobe Reader and Acrobat 9.x before 9.5.4, 10.x before 10.1.6, and 11.x before 11.0.02 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDF document, as exploited in the wild in February 2013.

CVE-2013-0640

(Adobe Sandbox bypass)

Their « analysis » :

Here is the sequence of the ROP shellcode: msvcr100!fsopen()

msvcr100!write()

mvvcr100!fclose()

kernel32!LoadLibraryA()

kernel32!Sleep()

Upon loading the malicious library, it will enter a long sleep and ensure that the thread has not crashed because the whole stack in the thread is already manipulated for creating a ROP chain.

Their « analysis » :

Here is the sequence of the ROP shellcode: msvcr100!fsopen()

msvcr100!write()

mvvcr100!fclose()

kernel32!LoadLibraryA()

kernel32!Sleep()

Upon loading the malicious library, it will enter a long sleep and ensure that the thread has not crashed because the whole stack in the thread is already manipulated for creating a ROP chain.

Their « analysis » :

Here is the sequence of the ROP shellcode: msvcr100!fsopen()

msvcr100!write()

mvvcr100!fclose()

kernel32!LoadLibraryA()

kernel32!Sleep()

Upon loading the malicious library, it will enter a long sleep and ensure that the thread has not crashed because the whole stack in the thread is already manipulated for creating a ROP chain.

=> In trivial english, this is called bullshitting. They clearly have no idea what the exploit is trying to do here.

What I believe really happens in this

case (wild guess)

Sleep 5 minutes to attempt bypass sanboxing detection – due to limited ressources :)

After all, it's a hardened exploit, found in the wild and the first of its kind to bypass Adobe sandboxing technology...

Limits of such technologies (imho)

-Good at finding artefacts (it's still « something »).

-Pretty bad at understanding what is actually happening inside the exploit.

That being said...

The raise of sandboxes...

The raise of sandboxes...

The raise of sandboxes...

The raise of sandboxes...

Note to self : I don't find quite reasonable to add to your corporate network something nobody really understands.

Note : lack of third party assessment

Note : lack of third party assessment

Note : lack of third party assessment

Note : lack of third party assessment

The whole concept of sandboxing vendors is to not have the perceived enemy take a look at the technology. Ok, agreed.

Note : lack of third party assessment

It also means no third party assessment has been done by the security

community...

In real life, having software due dilligence done by the community has proved to be a good thing for the quality of the said software.

See similar requests from Tavis Ormandi and Pipacs to have a look at Bromium's

technology...

Note : well, they're not Bromium clients, so we have a problem... as an industry, really.

Note 2 : Afaik, Bromium has researchers like Nergal and Jarred Demott. Who of this caliber works for FireEye really ?

Room for problems

(research leads)

Room for problems part I : general design/architecture

What's the trend, perceived

objective like

Current « genious » idea :

-Correlate/share more data to create information asymetry.

-To do that, most (all I've seen allow it, at least in non default mode) solutions now allow a malware to connect back to the internet [*].

[*]Idea being to correlate DNS/binary checksum informations over « campaigns » of attacks in the time.

http://www.ssl.fujitsu.com/products/network/netproducts/fireeye

/fireeye-catalog.pdf

A few facts on this...

-The whole corporate strategy over the past 15 years has been to segregate LANs, DMZs and the internet.

-Now you give a temporary shell to the attacker at network perimeter (proxies, mail gateways, wherever such sandboxing solutions exist)...

-… and what happens to your DNS ? To your http proxy cache ?

The Katsuni-Kaminsky attack

(having it both ways)

-Attacker can run a malware inside a sandbox.

-Sandbox allows attacker to connect back to the internet.

-Corporate DNS server is used as a recursive DNS server.

-Attacker has it both ways and can synchronize arbitrary spoofed packets emission from both inside and outside the network.

=> That's gonna be very « safe » for sure...

In all fairness

This could be mitigated by having a dedicated internet connection for the purpose of connecting back from the Sandbox.

Who does that ? (afaict, nobody)

Playing Pong

-What happens if the malware, from inside the sandbox manages to attack other networks (say crowdstrike !) ?

-What happens if the malware can send back a modified copy of itself to the same network (smtp?) for more analysis, and more sandbox cpu time ?

=> It's all about implementation details really.

Pong : 2013 version

Pong : DoS version

-If the malware sends 2 copy of itself to the original SMTP server...

-After n iterrations, we have 2^n copies sent back to FireEye.

-Exponential cpu load => #FAIL

Whether the security fails open or close is unknow, both are bad.

Is this « wormable » (yet) ?

-FireEye claims to work with 30 % of the TOP 100 Companies. That makes it not so hard to find...

-Their strategy is to synchronize malware information sharing... (allow exploits to drop exes on the sandboxes... ?!?)

-They cover you « 360 », from mail gateways to http proxy file downloads, etc.

-Ok, so how exactly do you prevent one malware to get endless free execution time inside your different sandboxes around the world ?

Room for problems part II :

Turning lame bugs into sandbox

Oracles

The problem

-Many online malware scanning engines run qemu (+ some various instrumentation and automation custom software)

-User doesn't get to see anything from the scanning process.

-Now, what if an attacker has a qemu lame DoS or endless loop PoC ?

Turning lame bugs into sandbox

Oracles

(aka : hacking online malware analysis tools... hrm)

Demos

Room for problems part III :

Such bugs do happen...

What degrees do projects like Xen or qemu really have in terms of security ?

A fair question is the relative maturity of such technology, not when it comes to support legacy Oses or current Oses, but hostile malware trying to hurt them.

Exempli gratia : typical bugs reported

(complexity, software maturity : format strings/symlinks or complex overflows ?)

x86_emulate: MOVSXD must read source operand just once (Xen Unstable, 21/09/2013)

Ok, so you're at miscomputing EIP on basic

instructions such as MOVSXD on 32b...

Note : this is totally exploitable imho btw.

How does that rank compared to

real cpu bugs ?

That was in 1997... The instruction is far less

used (CMPXCHG8B)

Qemu internals

Qemu goals

-(Fast) binary translation.

-Binary code is translated into an IR, which is then executed by a virtual cpu, independently of host OS/arch.

-Super generic, super fast, super portable, super cool. Truely impressive.

-Super secure for the purpose of malware analysis though ?

Qemu supports two modes

-System (full) virtualization

-Kernel emulation (wine/Windows, linux).

While many of current implementations are likely to be using the first flavour, we'll focus on the later one, which promises great speed enhancements, and a much greater attack surface... ;)

Qemu architecture

Party time !!

Qemu regression tests...

Demos

Conclusion

Interresting technologies. Cool hacking tools, usefull for researchers.

There is room for massive security problems, the devil being in the details. Imho, not ready for Enterprise grade deployment.

No such a thing as third party assessment afaict.

From a strict game theory pov, your best interrest is probably to

have others use that, but stay away from such technologies...

The Katsuni-Grothendieck theorem

applied to silver bullet 0day

sandboxing :

« You can't have it both ways ! »

Bonus : ending the isolation myth

The Myth

«As a researcher, I run malware inside a sandbox, therefore I am safe... »

BULLSHIT !!

=> Use a network segregated sacrifical lamb instead.

Demo

Thanks for inviting me.

Questions ?