When you, your co-worker or family member are infected with the latest ransomware, it is the “successful” end of a multi-party complex venture. Cybercrime nowadays is not a single genius guy sitting in his parents’ garage – it's an enterprise. It has the equivalents of CEO, CFO, COO, and CTO. As an example, you may think about a ransomware campaign, the attacker needs to:
- Create and test the ransomware
- Buy and set up anonymous C2 web servers
- Purchase or develop a way to distribute it
- Recruit and orchestrate money mules to cash out the paid ransom
It has become easier and easier to write malware, and as a result, more and more groups are fighting to increase their “market share.” Being a leading cybergang is not a walk in the park; it requires bad guys to optimize their malicious campaigns. One of the most popular methods to maximize the effectiveness of a malware campaign is to avoid specific “danger zones” where the malware can be detected, analyzed and quickly signed. This post will explain how bad guys implement this approach and how it can be used against them, abusing their own paranoia to prevent malware infection.
Malware Paranoia 101
There are many conventional defenses that should protect us from the “products” of cybercrime enterprises – firewalls, AVs and others. Those are not bad in handling most of the threats most of the time, yet attackers need to find only a single hole – and it is a doable task if they do their homework. So, what can be done in response? I believe in combining traditional and innovative solutions hand-in-hand with the aforementioned ones. And by innovative, I do not mean more of the same “new technologies” that still have the same issues with attackers adapting to their signatures (or classifiers…). What I believe to be a true paradigm shift is vaccination. I define it as creating indicators that cause malware to avoid specific endpoints due to its hard-coded logic, as opposed to when there is a man behind the malware. (Due disclosure: I am working for a company implementing a commercial vaccination product). I identify five different “fear classes” of malware that can be used against it to vaccinate an endpoint:
- Automatic analysis environments – e.g. sandboxes
- Malware analysts – debugging, decompiling and sniffing it
- Security products – malware creators check prior to the attack how they perform against AVs. If they evade 95 percent of them, they will simply terminate if the remaining 5 percent are detected before deploying the main payload.
- Themselves – most malware won’t infect the same machine twice. Consider the unwanted scenario where ransomware has two running instances, for example.
- Target audience – sometimes malware will simply avoid or on the contrary focus specific “target audience.” For example, the original Petya ransomware won’t infect endpoints if you have a Cyrillic keyboard or Russian IP.
In all those cases, the methodologies used to detect an unwanted or even hostile environment are quite the same. The malware performs tests searching after hints of a VM that is often used for both automatic and manual malware analysis, direct indicators of analysis tools, or any other entity it wishes to avoid. I classify the footprints that may be searched into three groups:
- Static artifacts – files, folders and registry keys\values, hostname, e.g. the file C:\Widnows\System32\VBoxMRXNP.dll, associated with Oracle’s VirtualBox VM infrastructure
- Dynamic artifacts – running processes, opened windows, mutexes, logged in user, e.g. the process wireshark.exe
- Low-level indicators – abusing x86 instructions, race conditions, and special locations of artifacts in the memory when running a VM. Joanna Rutkowska’s Red Pill is the best example for such technique.
From my experience, the first genre of tests is the best for attackers to use. It is robust, time insensitive, and offers many artifacts to search. The other approaches might result in false positives or false negatives quite often. Some even considered as malicious behavior will cause the detection of the malware. Fortunately, creating static indicators of VM, sandbox and forensic analysis tools is also the easiest for the defenders.
DIY Vaccination
Emulating a VM for low-level x86 tricks is complex, but it is an overkill. Most malware will perform lengthy list of tests and will avoid the more suspicious ones anyway. One may create the impression that VM indicators are present on an endpoint simply by creating some files or rename cmd.exe and run a dozen of those instances renamed as “wireshark.exe.” When a malware tests if indicators for a hostile environment are present, it will find the fake files, folders and other artifacts created by the defender and terminate. I have written and released an open source tool which performs this, freely available here: https://github.com/G4lB1t/Need-less It includes a collection of static and dynamic indicators that were proved as real life-savers in the fight against malware. Creating these artifacts can prevent a wide range of threats – not only ransomware but also exploit kits, RATs, banking Trojans, and other malware types.
Money, Time and Types of Actors
As discussed above, creating cleverly crafted indicators deters cyber crooks but is it effective against other types of actors? Is it effective against state-sponsored adversaries, as well? And against your friendly-neighborhood-script-kiddie? There is no single answer to this question. Instead, we should ask ourselves about the motivations and skill-set of an attacker. In the case of well-funded state-sponsored actor, unlike cybercriminals, money and profit are no longer an issue. However, other factors may influence their decision making – making vaccination effective against them, as well:
- Time – a resource that even money can’t buy. State-sponsored APT requires considerable time to properly develop, test and deploy. If it will be quickly detected and analyzed, its creators won’t be able to collect intelligence from their target or to develop their next generation of malware.
- Foreign affairs – the DNC hack is a good example for a case where even a superpower tried to deny any link to a cyber-attack for political reasons. To this day, Russia denies any link to the Cozy and Fancy Bear APT campaign, preventing major deterioration in the already fragile relations with the United States.
This is the case for clever APTs but what about another type of actor who is not limited by money, time and foreign affairs? Script kiddies. Entry-level attackers do not care about money, time, or international relations, making vaccination un-effective against them. However, here comes the approach of combining multiple types of defenses handy. Basic malware that lacks evasive properties is exactly where AVs excel, leaving our endpoint safe from any harm – sophisticated or not.
About the Author: Gal Bitensky is a 29-year-old geek from Tel-Aviv and breaker of stuff. Currently working as a senior malware psychologist in the Israeli start-up Minerva Labs, he is experienced in various fields, ranging from web application security and Windows internals to SCADA. Fluent in exotic languages like PHP, LISP and Arabic, Gal is an advocate of simple and effective solutions. You can follow him on Twitter and LinkedIn. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
