11/15/2017
Lenny Zeltser
VP of Product, Minerva; Author & Instructor, SANS Institute
How to Beat Evasive Malware at Its Own Game
Copyright © 2017 Minerva Labs www.minerva-labs.com
Creators of malware have incentives to evade anti-malware products.
• Attackers often tweak and test malware until it’s no
longer recognized by the relevant anti-malware tools.
• The longer the specimen remains undetected, the
greater its commercial and operational value.
• Staying under the radar of security products and
vendors extends the specimen’s half-life.
Malware can employ numerous techniques to evade detection.
• Avoid infecting a malware analysis sandbox.
• Stop running if the specimen is being debugged.
• Inject malicious code into legitimate applications.
• Instead of executables, use Java, scripts, macros.
• Avoid causing operational issues that would draw attention.
How to Escape the Malware Chase?
Anti-malware tools generally aim to recognize malware to block or disable it.
• This involves defining “patterns” for how malware looks
or behaves, so its files or processes can be identified.
• Security vendors often strive to extrapolate from past
malware samples ways of spotting future malware.
• Evasive malware varies from the expected static or
behavioral patterns to avoid getting detected.
How might we avoid cat-and-mouse dynamics of the malware chase?
• Instead of looking for malware, create an environment
where malware self-convicts and disarms itself.
• Determine what malicious programs fear, and mimic
the presence of those artifacts to deceive malware.
• Draw inspiration from applied security research and
from defenses used in nature, such as mimicry…
Some harmless species have evolved to imitate the signals of a harmful species.
A Few Examples of Evasive Malware
Adwind is a powerful remote access trojan (RAT) with low detection rates.
• Implemented in Java
• Often distributed as email attachment files
• Provides full remote control and spying capabilities
• Compatible with Windows, Linux and Mac OS
To evade security vendors, Adwind doesn’t infect virtual machines.
Check for VMware and VirtualBox artifacts.
UIWIX ransomware utilizes NSA’s EternalBlue exploit for propagation.
• Targets a Windows vulnerability to execute arbitrary
code on the affected system
• Exhibits file-less characteristics by not saving
malicious components to the file system
• In addition to encrypting files, also steals credentials
UIWIX stealth methods involve refusing to execute if it detects that it is being analyzed.
Check for numerous malware forensics tools.
Neutrino is a multi-purpose bot with powerful capabilities.
• Includes a keylogger and other data-stealing features.
• Can participate in DDoS attacks.
• Allows the attacker to supply additional malware.
• Implements several evasive anti-analysis techniques.
Neutrino’s evasive approaches include checking whether it’s being debugged.
Malware checks for the presence of a debugger in an attempt to avoid being examined and fingerprinted.
Malicious programs can employ many other techniques to detect debuggers.
In this example, FileCryptor malware avoids the obvious IsDebuggerPresent API call.
Other evasion methods include injecting malicious code into legitimate processes.
• Baseline anti-malware tools are unlikely to flag the
compromised legitimate application as malicious.
• Code injection can take many forms.
• These tactics misuse features of Microsoft Windows
without requiring vulnerabilities or exploits.
Reflective DLL injection is one way to place code into another process.
Windows APIs allow the malicious process to write into the memory space of another process.
Executing malicious code as macros is another example of evading detection.
• Baseline anti-malware tools tend to have a harder time
recognizing malware that’s not an executable file.
• Microsoft Office macros provide full capabilities to
malware if the victim activates the document’s macros.
• Modern malicious macros tend to invoke other tools,
such as PowerShell, when infecting the system.
The program that a macro wishes to invoke is executed by Microsoft Office.
Security tools might allow this to happen, since the action is taken by a trusted program.
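The parent-child relationship described above is what a detection rule can key on even when the Office process itself is trusted. The following is an added example, not code from the slides or from Minerva: it scans constructed process-creation events (the field names are an assumption, not a particular EDR or Sysmon schema) for script interpreters whose parent is an Office host, and raises the severity when the command line carries common hiding or encoding switches. It generalizes slightly beyond the PowerShell case named on the slide to the other Windows scripting hosts a macro can call.

```python
import os

# Office hosts that run macros, and the interpreters a macro commonly invokes.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line fragments that raise the severity of an alert when present.
CMDLINE_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                 "bypass", "downloadstring")

# Constructed sample events (not real telemetry). "ppid" links a child to
# its parent; pid 812 (explorer) has no record here, as happens when the
# parent started before logging did.
SAMPLE_EVENTS = [
    {"ts": "2017-11-15T10:01:02", "pid": 4120, "ppid": 812,
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"ts": "2017-11-15T10:01:09", "pid": 4388, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc AAAA"},        # macro-launched, suspicious switches
    {"ts": "2017-11-15T10:02:30", "pid": 4402, "ppid": 812,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},  # admin script, not from Office
    {"ts": "2017-11-15T10:03:00", "pid": 4410, "ppid": 4120,
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},                          # Word printing helper, benign child
    {"ts": "2017-11-15T10:03:20", "pid": 4500, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "dir"'},                            # macro-launched, no extra indicators
]


def basename(path):
    """Lower-case file name of a Windows path, independent of the host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def find_office_spawned_interpreters(events):
    """Return one alert per interpreter whose parent process is an Office host.

    The parent image is resolved through a pid map built from the whole batch,
    so event order does not matter. PID reuse within a batch is not handled;
    a production rule would also key on the parent's creation time."""
    image_by_pid = {e["pid"]: basename(e["image"]) for e in events}
    alerts = []
    for e in events:
        child = basename(e["image"])
        parent = image_by_pid.get(e["ppid"])
        if parent in OFFICE_HOSTS and child in INTERPRETERS:
            lowered = e["cmdline"].lower()
            indicators = [flag for flag in CMDLINE_FLAGS if flag in lowered]
            alerts.append({
                "ts": e["ts"],
                "pid": e["pid"],
                "parent": parent,
                "child": child,
                "indicators": indicators,
                "severity": "high" if indicators else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_office_spawned_interpreters(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it reports the two macro-launched children (pids 4388 and 4500) and stays quiet about the explorer-launched PowerShell and the printing helper; the medium-severity `cmd.exe` alert is the kind a SOC would tune with an allow-list of known document workflows rather than drop.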
Perception Deception
How might we defend against threats without trying to identify malware?
• Create an environment that causes malware to self-convict, so the specimens disarm themselves.
• Make it look like the malicious program is running in an environment it considers hostile.
• Lie to malware when it invokes API calls that are often used for evasion.
• Control the perception of malware to render it ineffective.
RocProtect by Thomas Roccia generates fake processes, registry keys, files, etc.
• The artifacts make the system look like an analysis environment based on a VM with some security tools.
• It’s highly unlikely that a non-malicious program will refuse to run just because it believes it’s in a VM.
• In contrast, VM-aware malware will terminate itself before infecting the system to remain unidentified.
• This is a proof-of-concept tool.
You can see the effects of RocProtect by running the Pafish demo tool.
Another proof-of-concept tool is rapid_env by Adam Kramer.
• Allows users to specify a configuration file for creating
specific artifacts on the system.
• It can generate designated files, registry keys,
processes and mutex objects.
For additional experimentation, look at Gal Bitensky’s “anti-honeypot” scripts.
Manipulating the perception of malware can also be used to vaccinate endpoints.
• Malicious programs often create an infection marker to avoid infecting the system more than once.
• This avoids operational and stability problems.
• Such malware will not infect the endpoint if it locates its infection marker.
• In other words, we can use an infection marker to scare malware away.
For example, the WannaCry worm used a mutex object as an infection marker.
Minerva’s free Vaccinator tool generates this artifact to inoculate systems against this malware.
Some infection markers are not static, and have to be generated on the fly.
For instance, Spora ransomware generated its mutex name based on the disk volume serial number.
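The two ideas above, a configuration-driven artifact generator in the spirit of rapid_env and RocProtect, and infection-marker vaccination with both static and run-time-derived names, fit naturally into one small tool. The block below is an added example and is not the code of rapid_env, RocProtect or Minerva's Vaccinator. The configuration format, the mutex names (placeholders, not any family's real marker) and the serial-based derivation rule (the slides do not give Spora's actual rule) are all assumptions; the file names are well-known VirtualBox and VMware artifacts. Files are created under a sandbox root rather than the real system paths, and on non-Windows hosts a marker file stands in for the named mutex so the logic can be run anywhere.

```python
import ctypes
import hashlib
import os
import sys
import tempfile

ERROR_ALREADY_EXISTS = 183  # Win32 error code set when a named object already existed

# Constructed configuration (format is an assumption, in rapid_env's spirit).
DECOY_CONFIG = [
    {"type": "file", "path": r"Windows\System32\drivers\VBoxMouse.sys"},
    {"type": "file", "path": r"Program Files\VMware\VMware Tools\vmtoolsd.exe"},
    {"type": "mutex", "name": "PLACEHOLDER_STATIC_INFECTION_MARKER"},
    # Spora-style marker: the name depends on the volume serial, so it is resolved at run time.
    {"type": "mutex", "name_template": "PLACEHOLDER_DYNAMIC_MARKER_{serial_hash}"},
]


def derive_name(template, volume_serial):
    """Hypothetical derivation (assumption, not Spora's real rule): the first
    8 hex digits of SHA-256 over the little-endian 32-bit volume serial."""
    digest = hashlib.sha256(volume_serial.to_bytes(4, "little")).hexdigest()
    return template.format(serial_hash=digest[:8].upper())


def plan_artifacts(config, volume_serial):
    """Resolve every template so each artifact has a concrete name for this host."""
    planned = []
    for entry in config:
        entry = dict(entry)
        if "name_template" in entry:
            entry["name"] = derive_name(entry.pop("name_template"), volume_serial)
        planned.append(entry)
    return planned


class Vaccinator:
    """Creates the planned artifacts. Files go under `root` (a sandbox directory
    here; a real deployment would use the true paths and need privileges).
    Mutexes use CreateMutexW on Windows; elsewhere a marker file stands in."""

    def __init__(self, root):
        self.root = root
        self._handles = []  # mutexes vanish when their last handle closes, so keep them

    def apply(self, planned):
        results = {}
        for art in planned:
            if art["type"] == "file":
                results[art["path"]] = self._create_file(art["path"])
            elif art["type"] == "mutex":
                results[art["name"]] = self._create_mutex(art["name"])
        return results

    def _create_file(self, rel_path):
        full = os.path.join(self.root, *rel_path.split("\\"))
        if os.path.exists(full):
            return "present"
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"")  # a zero-byte decoy satisfies an existence check
        return "created"

    def _create_mutex(self, name):
        if sys.platform == "win32":
            kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
            kernel32.CreateMutexW.argtypes = [ctypes.c_void_p, ctypes.c_bool, ctypes.c_wchar_p]
            kernel32.CreateMutexW.restype = ctypes.c_void_p
            handle = kernel32.CreateMutexW(None, False, name)
            if handle is None:
                raise OSError(ctypes.get_last_error(), "CreateMutexW failed")
            self._handles.append(handle)
            return "present" if ctypes.get_last_error() == ERROR_ALREADY_EXISTS else "created"
        # Non-Windows stand-in: a marker file keyed by the mutex name.
        return self._create_file("mutexes\\" + name)


def run_demo(volume_serial=0x1234ABCD, root=None):
    """Plan and apply the artifacts twice; the second pass must find every one present."""
    root = root or tempfile.mkdtemp(prefix="vaccinator-demo-")
    planned = plan_artifacts(DECOY_CONFIG, volume_serial)
    vax = Vaccinator(root)
    first = vax.apply(planned)
    second = vax.apply(planned)
    return planned, first, second


if __name__ == "__main__":
    planned, first, second = run_demo()
    for art in planned:
        print(art)
    print("first pass :", first)
    print("second pass:", second)
```

The second pass is the check a vaccinator needs: if an artifact it expects to own reports "present" before it has created anything, either the tool is already running or the real malware has planted its marker, and the two cases deserve different alerts. The handle list matters on Windows because a named mutex only exists while some process holds it, which is why production tools run the vaccinator as a persistent service rather than a one-shot script.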
Beyond proof-of-concept tools, deceiving malware in the real world is challenging.
• Actually generating artifacts leads to cluttering
endpoints with files, processes, registry keys, etc.
• Resource utilization and performance are critical.
• Anti-malware tools might react to infection markers.
• You need to avoid breaking production applications.
• Enterprises require centralized management.
Thinking Beyond Detection-Based Approaches
There is a way to use evasive capabilities of malware against attackers.
• Cause malware to disarm itself by deceiving it about the results of its queries and actions.
• Create an environment that represents the greatest fears of malicious programs.
• Persuade malware that the system is already infected.
• Look for other ways to control malware without attempting to identify and disable it.
“Hacking” malware like this blocks threats designed to bypass existing defenses.
• This approach creates a strong complement to
existing anti-malware solutions.
• Force malware authors to pick their poison when
designing malicious software.
• Proof-of-concept tools help with experimentation.
• Production deployment requires enterprise products.
Keep learning about fighting malware.
• Follow-Up: [email protected]
• Research: minerva-labs.com/blog
• Twitter: @MinervaLabs