Slides for my presentation at DCC2016

1. Tamas K Lengyel
@tklengyel
Stealthy,
Hypervisor-based
Malware Analysis

2. #whoami
Open source enthusiast
Maintainer of Xen, LibVMI and
DRAKVUF
PhD from UConn: Malware Collection
and Analysis via Hardware Virtualization

3. Agenda
1. Motivation
2. Anti-sandbox tricks
3. Using a hypervisor for monitoring
4. Mo’ problems!
5. Fixing the problems
6. Mo’ problems!
7. Conclusion

4. An early warning
This presentation will get technical
Don’t be afraid of the assembly
Don’t worry if some of it makes no sense

5. Sandboxes & honeypots
“Let’s just see what happens”
Most of our tools for observing software at
run-time are built with an assumption that
misbehavior is accidental
- Debuggers

6. Stealth
Debuggers were not designed to be
stealthy
Debugged process can detect the
debugger
Observer effect

7. Strings in MultiPlug
$:hash:procexp.exe
$:hash:procmon.exe
$:hash:processmonitor.exe
$:hash:wireshark.exe
$:hash:fiddler.exe
$:hash:vmware.exe
$:hash:vmware-authd.exe
$:hash:windbg.exe
$:hash:ollydbg.exe
$:hash:winhex.exe
$:hash:processhacker.exe
$:hash:hiew32.exe
$:hash:vboxtray.exe
$:hash:vboxservice.exe
$:hash:vmwaretray.exe
$:hash:vmwareuser.exe

8. Some other popular strings
CheckRemoteDebuggerPresent
IsDebuggerPresent
VIRTUALBOX
VBoxGuestAdditions
QEMU
Prod_VMware_Virtual_
XenVMM
MALTEST
TEQUILABOOMBOOM
VIRUS
MALWARE
SANDBOX
WinDbgFrameClass
SAMPLE
https://github.com/Yara-Rules/rules/blob/master/antidebug_antivm.yar

9. AntiCuckoo
Detect & crash the Cuckoo process
- Ouch..
Real malware would probably just falsify
the results to not stand out..
https://github.com/David-Reguera-Garcia-Dreg/anticuckoo

10. ..or not: HackedTeam
https://github.com/hackedteam/scout-win/blob/master/core-scout-win32/antivm.cpp

11. Improving Stealth #1
Move the monitoring component into the
kernel
Windows doesn’t like it if you just
randomly hook stuff (PatchGuard)
What about rootkits?

12. Rootkit problem 2014
http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2014.pdf

13. Rootkit problem 2015
http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-aug-2015.pdf
That’s only about
0.36% of all
malware observed
by McAffee

14. Rootkit problem?
Based on these numbers rootkits may
seem to be not that big of a deal
High cost of development may mean you
don't use one unless you have to
Or are we just bad at detecting them?

15. Improving Stealth #2
Move the monitoring component into a
hypervisor
Harder to detect
Greater visibility
Harder to develop

16. Emulation vs. virtualization
Emulation Pro:
- Easier to monitor
Emulation Con:
- Easy to detect
- Easy to get it wrong
- Unlikely in production environment

17. How to start the malware?
Our goal is to do everything without the
need of an in-guest agent
No startup scripts, no client process
Straight up memory and CPU
manipulation can get us what we need!

18. Done?
Nope
Malware can detect if it’s running in a
virtualized environment
Hypervisors were not designed to be
stealthy either

19. Pafish
https://github.com/a0rtega/pafish

20. CPUID hypervisor guest status
static inline int cpuid_hv_bit() {
int ecx;
__asm__ volatile("cpuid"
: "=c"(ecx)
: "a"(0x01));
return (ecx >> 31) & 0x1;
}

21. CPUID hypervisor guest status
cpuid =
['0x1:ecx=0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx']

22. The fix verified

23. 60GB free disk space?
LVM copy-on-write allows us to quickly
deploy lightweight duplicates
Analysis clones will only use extra space
if they change files
And only as much space as they actually
changed

24. The fix verified

25. Uptime check
int gensandbox_uptime() {
/* < ~12 minutes */
return GetTickCount() < 0xAFE74 ?
TRUE : FALSE;
}

26. Uptime check
Let your VM sit idle for a while, take
memory snapshot
Start each analysis clone by loading this
memory snapshot
Could also just return fake value

27. The fix verified

28. Memory size check
Who uses a machine with <1Gb RAM?
We can increase sandbox memory size
but that limits how many we can run
Xen memory sharing allows CoW!

29. CoW memory

30. CoW memory over time

31. Xen memory-sharing status
It works but it’s very experimental
Original developer no longer around
May not work with other experimental
Xen features

32. CPU count check

33. Multi-vCPU tracing
Particularly challenging due to how
external monitoring is implemented
Easy to end up in a race-condition with
concurrently active CPUs

34. EPT-lookup

35. EPT-lookup
All vCPUs share a single EPT
Standard way hypervisors use EPT

36. Race with multi-vCPU EPT
RACE

37. Some ways around
We can pause CPUs
We can emulate instructions
...or!

38. Xen altp2m

39. Xen altp2m

40. The fix verified

41. I/O activity
It’s all emulated so we could fake it
We could even reconstruct the location of
buttons / pop-ups from memory!
Click on “Install” buttons?
- Doesn’t seem to make much difference
- http://laredo-13.mit.edu/~brendan/BSIDES_NOLA_2015.pdf

42. Other CPUID leaks
hypervisor_id = "XenVMMXenVMM" (0x40000000/ebx-edx)
hypervisor version (0x40000001/eax):
version = 4.6
hypervisor features (0x40000002):
number of hypercall-transfer pages = 0x1 (1)
MSR base address = 0x40000000
MMU_PT_UPDATE_PRESERVE_AD supported = false
vtsc = false
host tsc is safe = true
boot cpu has RDTSCP = true
tsc mode = 0x0 (0)
tsc frequency (kHz) = 3392364
incarnation = 0x1 (1)

43. PCI leaks
00:02.0 VGA compatible controller: Cirrus Logic GD 5446 (prog-if 00 [VGA controller])
Subsystem: Red Hat, Inc QEMU Virtual Machine
Physical Slot: 2
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR-
FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR-
<PERR- INTx-
Latency: 0
Region 0: Memory at f0000000 (32-bit, prefetchable) [size=32M]
Region 1: Memory at f2072000 (32-bit, non-prefetchable) [size=4K]
Expansion ROM at f2060000 [disabled] [size=64K]
Kernel driver in use: cirrus

44. Disk vendor leaks
description: ATA Disk
product: QEMU HARDDISK
physical id: 0.0.0
bus info: scsi@0:0.0.0
logical name: /dev/sda
version: 1
serial: QM00001
size: 93GiB (100GB)
capabilities: partitioned partitioned:dos
configuration: ansiversion=5 logicalsectorsize=512 sectorsize=512 signature=a6b04d21

45. Some more things to look for
Screen resolution
File modification timestamps
Username
Malware executable file-name
GeoIP

46. Telling time

47. Telling time
RDTSC is trappable to the hypervisor
- We could actually fake the value it returns
Not the only way to measure time
- HPET, NTP, covert channels..

48. Discussion
Often-made argument:
Virtualization is so wide-spread,
detection of it may not be indicative of
an analysis environment
It's true.. to an extent!

49. Does malware really care?
Most malware authors are lazy
Why go all this way if you could just..
sleep!
Stalling malware

50. Stalling malware
Halting problem
We can hook Sleep()
We can randomize execution time

51. Advanced Stalling malware
Spam system calls that normally finish
fast
- NtCreateSemaphore
Monitoring incurs overhead on each call
so this will time out the sandbox
http://www.syssec-project.eu/m/page-media/3/hasten-ccs11.pdf

52. Advanced Stalling malware
How to detect syscall spam?
We need some baseline

53. 100k malware syscalls

54. Advanced Stalling malware
Average # of calls of NtCreateSemaphore
- 10
API spamming malware?
- 1
- Calls it 17453 times in 60s

55. Discussion
There is no absolute stealth
Making stealthier tools require malware to
run more checks
But only if our analysis tools span the
entire spectrum

56. Conclusion
No end in sight
Still many low-hanging fruits for malware
to detect
A lot more tools available
We need to use them all or malware
becomes resilient faster

57. Thanks!
Tamas K Lengyel
tamas@tklengyel.com
@tklengyel
LibVMI http://libvmi.com
DRAKVUF http://drakvuf.com

58. References
https://hacktivity.com/en/downloads/archives/429/
https://github.com/Yara-Rules/rules/blob/master/antidebug_
https://github.com/David-Reguera-Garcia-Dreg/anticuckoo
https://github.com/a0rtega/pafish
https://github.com/hackedteam/scout-win/blob/master/core-