Customizing sandbox images has been an issue for as long as sandboxes have existed. The first such systems were internal tools of information security companies, yet even then the isolated machines needed painstaking tuning, and not only the installation of auxiliary software for monitoring the state of the system.
Even ten years ago, malicious samples carried logic for collecting and evaluating characteristics of their environment: user and computer names, whether the machine belongs to a home or corporate domain, administrator rights, keyboard layout, number of processor cores, operating system version, presence of antivirus software, signs of virtualization, and even installed system updates. Since then the number of parameters, and of methods for obtaining them, has only grown.
Sandbox Bypass Malware Techniques
At first, the response was fairly straightforward: if the malware checks whether the user is named test, we call the user John; if it reads the registry key HKLM\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S to find out whether it is running in a virtual machine, we replace the key or, where possible, intercept the call and alter the returned result. Numerous studies accumulated a knowledge base of detection-bypass methods, which was then used to configure the environment. Years passed, malware authors (and not only they) increasingly applied the same knowledge in their own work, which ultimately led to the following.
The question “Is this a research environment?” was replaced by “Is this environment interesting?” And the interest is no longer in finding traces of some FTP client whose credentials can be stolen. A machine belonging to an accountant who uses specific software, however, is another matter. There is also another approach: infect the user with a lightweight loader that collects all the necessary information about the system, sends it to the command-and-control server and ... receives no payload in response. Server-side logic, unknown to us, has decided that this victim is of no interest.
So a sandbox left in its default configuration is not an effective solution for a business. Attackers increasingly rely not on defending themselves against detection, but on narrowing the set of targets worth developing the attack against.
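To make the two questions concrete, here is an added example written for this article (it is not Positive Technologies code and not code from any real loader): a profile of the kind a lightweight loader collects is first scored against classic sandbox indicators, including the inactivity signs discussed below, and then checked against a hypothetical list of "interesting" software before a payload would be staged. The three profiles, the indicator thresholds and the target list are all constructed assumptions; the point is that a default image fails the first question while a populated, domain-joined image passes both and therefore receives the payload that can be detected.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Environment profile as a dropper would collect it (the fields named in the
 * article). All values below are constructed sample data, not real hosts. */
typedef struct {
    const char *username;
    const char *hostname;
    const char *domain;        /* "" when the machine is not domain-joined */
    bool        is_admin;
    int         cpu_cores;
    unsigned    ram_mb;
    const char *disk_ids;      /* e.g. Enum/SCSI device ids, ';'-separated */
    const char *software;      /* installed products, ';'-separated */
    unsigned    uptime_min;
    unsigned    cursor_idle_s; /* seconds since the cursor last moved */
    unsigned    recent_docs;   /* entries in the user's recent-documents list */
} EnvProfile;

typedef enum { ABORT_SANDBOX, ABORT_UNINTERESTING, DELIVER_PAYLOAD } Decision;

/* Case-insensitive substring test. */
static bool contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return true;
    }
    return false;
}

static bool any_ci(const char *hay, const char *const *needles, size_t count) {
    for (size_t i = 0; i < count; i++)
        if (contains_ci(hay, needles[i])) return true;
    return false;
}

/* Question 1 (the classic one): "am I in a research environment?"
 * Returns the number of sandbox indicators that fired. Thresholds are assumptions. */
int sandbox_score(const EnvProfile *p) {
    static const char *const bad_users[] = {"test", "sandbox", "malware", "virus", "analyst", "sample"};
    static const char *const bad_hosts[] = {"sandbox", "test", "analysis", "-vm"};
    static const char *const vm_disks[]  = {"VMware", "VBOX", "QEMU", "Virtual", "Xen"};
    int score = 0;
    if (any_ci(p->username, bad_users, 6)) score++;
    if (any_ci(p->hostname, bad_hosts, 4)) score++;
    if (any_ci(p->disk_ids, vm_disks, 5))  score++;   /* the registry artifact from the text */
    if (p->cpu_cores < 2)       score++;               /* a single vCPU is rare on real desktops */
    if (p->ram_mb < 2048)       score++;
    if (p->uptime_min < 10)     score++;               /* freshly reverted snapshot */
    if (p->cursor_idle_s > 300) score++;               /* nobody at the keyboard */
    if (p->recent_docs == 0)    score++;               /* no work history at all */
    return score;
}

/* Question 2 (the one the article says replaced it): "is this target worth a payload?"
 * The wanted-software list is hypothetical; a real operator's list is unknown. */
bool is_interesting(const EnvProfile *p) {
    static const char *const wanted[] = {"Accounting", "SAP", "Jenkins", "TeamCity", "Banking"};
    return p->domain[0] != '\0' && any_ci(p->software, wanted, 5);
}

Decision stage_decision(const EnvProfile *p) {
    if (sandbox_score(p) >= 3) return ABORT_SANDBOX;
    if (!is_interesting(p))    return ABORT_UNINTERESTING;
    return DELIVER_PAYLOAD;
}

/* Constructed profiles: a default sandbox image, a customised "finance workstation"
 * image of the kind the article proposes, and an ordinary home laptop. */
const EnvProfile kDefaultSandbox = {"test", "SANDBOX-PC", "", true, 1, 1024,
    "Disk&Ven_VMware_&Prod_VMware_Virtual_S", "Microsoft Office", 2, 900, 0};
const EnvProfile kCustomisedImage = {"e.ivanova", "FIN-WS-0417", "corp.example", false, 4, 8192,
    "Disk&Ven_SAMSUNG&Prod_MZVLB512", "Microsoft Office;SAP GUI;Adobe Reader", 310, 12, 27};
const EnvProfile kHomeLaptop = {"kate", "LAPTOP-7H2K", "", true, 4, 8192,
    "Disk&Ven_WDC&Prod_WD10SPZX", "Steam;Chrome;Microsoft Office", 480, 3, 15};

int main(void) {
    const EnvProfile *all[] = {&kDefaultSandbox, &kCustomisedImage, &kHomeLaptop};
    static const char *const verdict[] = {"abort: looks like a sandbox",
                                          "abort: uninteresting target", "deliver payload"};
    for (size_t i = 0; i < 3; i++)
        printf("%-12s score=%d -> %s\n", all[i]->hostname,
               sandbox_score(all[i]), verdict[stage_decision(all[i])]);
    return 0;
}
```

The default image trips eight indicators and never reaches the second question; the home laptop passes the first question but has no domain and nothing the operator wants, so it also gets nothing. Only the customised image is served the payload, which is exactly the behaviour a sandbox needs to provoke in order to record it.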
How do we fight them?
In simple terms, we propose building a unique image of the isolated environment. The goal is to recreate, as closely as possible, an employee's workstation whose access would attract an attacker: a finance department computer, a continuous-integration build server, a web server, a domain administrator's machine and, finally, the CEO's workstation.
Of course, one can prepare a number of templates with the appropriate software on board, but they then have to be populated with data specific to the organization: the domain name, the resources and applications in use, the names and contents of working documents; the more details, the better. Sometimes the environment has to be tuned finely, down to the versions of system updates and patches. In the simplest case the image can simply be left full of holes. However, if the organization's fleet runs nothing older than certain versions, that can also be reflected in the image, which rules out many attack vectors that rely on vulnerabilities already patched in the real infrastructure and are therefore irrelevant.
The result is an image that malware authors have never seen, that is genuinely interesting to them, and that therefore greatly increases the likelihood of detecting a targeted attack.
Why do we need to emulate the work of a “live” computer?
Emulating user actions is a must-have; without it the sandbox loses its effectiveness. In some cases the absence of activity itself reveals the sandbox: the mouse cursor does not move for a long time, no new windows appear, applications are never closed or too few of them are launched, no new files appear in temporary directories, there is no network activity. In other cases it affects the operation of the malware itself: for example, running it requires the user to consent to enabling macros in an Office document, or the Trojan displays an intermediate dialog in which the user must agree to something (or decline something) before it continues its work.
Sometimes seemingly insignificant actions are essential: the user has to open a document and type something into it, or copy a password to the clipboard for later input. It is precisely at such moments that a spy Trojan goes to work, intercepting the data and sending it to its author's server.
How does our solution do this?
Our solution is gradually being extended with new actions that emulate the work of a live user. Of course, predefined sequences of planned events, however complex, can never match the variety of real use. We continue to research and improve this side of the product, increasing its effectiveness.
Besides the functions above, one fundamental feature is worth noting: our sandbox belongs to the agentless class. In most solutions an auxiliary agent runs inside the virtual machine; it manages the state of the system and passes interesting events and artifacts to the host server. Despite the advantages in monitoring and the clear division of roles between host and guest, this design has a significant drawback: the objects associated with the agent must be hidden from, and protected against, the malware. When there is no event provider inside the guest, the question arises: how, then, do we obtain information about what is happening inside the virtual machine?
For this we use Intel's Extended Page Table (EPT) technology. EPT is an additional level of address translation that sits between the guest's physical memory and the host's physical memory, with its own access permissions per page. In short, it allows us to do the following:
- examine the mapping of the guest machine's memory pages;
- select interesting regions (for example, those containing the addresses or code of kernel functions);
- mark the selected pages so that the access rights in their EPT entries no longer match the access rights in the guest's own page tables;
- catch accesses to the marked regions: at that moment an EPT violation occurs, which is a VM exit to the hypervisor rather than a page fault (#PF) delivered to the guest, and the guest machine is suspended;
- analyze the state and extract the necessary information about the event;
- restore the page's correct permissions in the EPT;
- resume the guest machine.
All monitoring takes place outside the isolated machine. Nothing is added to the guest, so the malware inside cannot detect the observation by inspecting its own environment.
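The steps above, as an added example that models them in C (this is not PT Sandbox code; it runs in user space with the EPT entries and the guest's memory accesses simulated in ordinary memory, so no hypervisor is needed to run it). The permission bits of an EPT leaf entry and the layout of the EPT-violation exit qualification follow the Intel SDM; the page numbers, guest-physical addresses and the choice of which pages to trap are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* EPT leaf-entry layout (Intel SDM vol. 3, EPT paging-structure entries):
 * bit 0 read, bit 1 write, bit 2 execute, bits 5:3 memory type, bits 51:12 host PA. */
#define EPT_R  (1ull << 0)
#define EPT_W  (1ull << 1)
#define EPT_X  (1ull << 2)
#define EPT_RWX (EPT_R | EPT_W | EPT_X)
#define EPT_MT_WB (6ull << 3)                  /* write-back memory type */
#define EPT_PFN_MASK 0x000FFFFFFFFFF000ull

/* EPT-violation exit qualification (SDM, VM exits due to EPT violations):
 * bits 2:0 say whether the access was a read / write / instruction fetch,
 * bits 5:3 say whether the EPT allowed read / write / execute for that address.
 * The access bits deliberately line up with EPT_R/W/X so they can be compared. */
#define EQ_READ  (1ull << 0)
#define EQ_WRITE (1ull << 1)
#define EQ_FETCH (1ull << 2)
#define EQ_PERM_SHIFT 3

enum { PAGES = 4, PAGE_SHIFT = 12 };

typedef struct {
    uint64_t ept[PAGES];       /* one leaf entry per guest-physical page (identity map) */
    uint64_t trap[PAGES];      /* permission bits stripped from the EPT to trap accesses */
    int      events;           /* EPT violations observed from the host side */
    uint64_t last_gpa, last_qual;
} Monitor;

uint64_t ept_entry(uint64_t hpa, uint64_t perms) {
    return (hpa & EPT_PFN_MASK) | EPT_MT_WB | (perms & EPT_RWX);
}

void monitor_init(Monitor *m) {
    for (unsigned i = 0; i < PAGES; i++) {
        m->ept[i] = ept_entry((uint64_t)i << PAGE_SHIFT, EPT_RWX);
        m->trap[i] = 0;
    }
    m->events = 0; m->last_gpa = 0; m->last_qual = 0;
}

/* Step "mark": the guest's own page tables still say RWX, but the EPT no
 * longer grants `deny` (e.g. EPT_X on a page holding a kernel routine). */
void monitor_arm(Monitor *m, unsigned page, uint64_t deny) {
    m->trap[page] = deny & EPT_RWX;
    m->ept[page] &= ~m->trap[page];
}

/* The CPU side of the model: an access the EPT does not permit raises an EPT
 * violation and exits to the hypervisor; *qual receives the exit qualification. */
bool ept_check(const Monitor *m, uint64_t gpa, uint64_t access, uint64_t *qual) {
    uint64_t perms = m->ept[gpa >> PAGE_SHIFT] & EPT_RWX;
    if ((access & perms) == access) return false;      /* permitted: no exit */
    *qual = access | (perms << EQ_PERM_SHIFT);
    return true;
}

/* Steps "analyze" and "restore": record the event, put the page back to its
 * real permissions so the faulting instruction can complete, resume the guest. */
void on_ept_violation(Monitor *m, uint64_t gpa, uint64_t qual) {
    unsigned page = (unsigned)(gpa >> PAGE_SHIFT);
    m->events++; m->last_gpa = gpa; m->last_qual = qual;
    m->ept[page] |= m->trap[page];
}

/* After the instruction has executed (a real VMM single-steps it, e.g. with the
 * monitor trap flag), strip the bits again so the next access is caught too. */
void monitor_rearm(Monitor *m, unsigned page) { m->ept[page] &= ~m->trap[page]; }

/* One guest memory access driven through the model; returns true if it was observed. */
bool guest_access(Monitor *m, uint64_t gpa, uint64_t access) {
    uint64_t qual;
    if (!ept_check(m, gpa, access, &qual)) return false;
    on_ept_violation(m, gpa, qual);
    monitor_rearm(m, (unsigned)(gpa >> PAGE_SHIFT));
    return true;
}

/* Scenario (constructed): page 2 holds a kernel routine whose calls we want to see,
 * page 1 holds a data structure whose modification we want to see. */
Monitor run_scenario(void) {
    Monitor m;
    monitor_init(&m);
    monitor_arm(&m, 2, EPT_X);                 /* trap execution only */
    monitor_arm(&m, 1, EPT_W);                 /* trap writes only */
    guest_access(&m, 0x2010, EQ_READ);         /* reading the code: not observed */
    guest_access(&m, 0x2010, EQ_FETCH);        /* calling the routine: observed */
    guest_access(&m, 0x1080, EQ_READ);         /* reading the structure: not observed */
    guest_access(&m, 0x1080, EQ_WRITE);        /* patching it: observed */
    guest_access(&m, 0x2010, EQ_FETCH);        /* second call still observed after re-arm */
    return m;
}

int main(void) {
    Monitor m = run_scenario();
    printf("observed %d events; last gpa=0x%llx exit qualification=0x%llx\n", m.events,
           (unsigned long long)m.last_gpa, (unsigned long long)m.last_qual);
    return 0;
}
```

Stripping only the execute bit lets the guest read its own kernel code freely (integrity checks that read the bytes see nothing unusual) while every call into the routine traps; the exit qualification 0x1c decodes as "instruction fetch on a page that was readable and writable but not executable". Because the denial lives in the EPT and not in the guest's page tables, a guest-side walk of its own tables reports the page as RWX.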
Running a sample in the sandbox and analyzing its behavior is only one component of a larger product. After the sample starts, process memory is scanned for malicious code, and network activity is recorded and then analyzed against more than 5000 detection rules. Encrypted connections can also be decrypted for inspection.
All indicators of compromise (IOCs) identified during analysis are checked against reputation lists. Before dynamic analysis, the sample undergoes static processing: it is pre-filtered by several antivirus engines and scanned by our own engine with detection rules from the PT Expert Security Center. The examination is comprehensive and includes the detection of anomalies in the sample's metadata and embedded artifacts.
What tasks does PT Sandbox do best and why?
PT Sandbox combines the knowledge and experience of several teams and products to counter targeted attacks. Although the product can operate in prevention mode, it is primarily a detection tool for monitoring the security of IT systems. The key difference from classic endpoint protection solutions is that PT Sandbox's task is to notice anomalies and register a previously unknown threat.
Author: Alexey Vishnyakov, Senior Specialist, Threat Technologies Research Group, Positive Technologies