Thursday, May 21, 2015

Improved PDF analysis and Windows 10 Preview

Today we made another 'technological leap' with VxStream Sandbox related to PDF analysis. As most of you surely know, PDF phishing campaigns are a very popular attack vector (an invoice or mail-tracking PDF with a link to the malicious file). The new version of VxStream parses the PDF file structure and pulls out any URLs it finds. Not only that, but it will also download the files behind those URLs and execute them if they are supported by the environment. If a downloaded file is a zip archive, it will even unpack it before analysis. Sounds good? :) It is!
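As an added illustration of the first step described above (this is example code written for this page, not VxStream's PDF engine), here is a minimal static extractor for the /URI entries found in a PDF's link and action dictionaries. The embedded PDF, its two link annotations and the hostnames in them are constructed for the example; real phishing PDFs additionally hide such dictionaries inside compressed object streams, which this scanner deliberately does not inflate.

```c
/* Added example, not VxStream code: a minimal static extractor for the /URI
 * entries in a PDF's link and action dictionaries, the kind of URL a sandbox
 * pulls out of a phishing PDF before it decides what to fetch. The embedded
 * PDF and its URLs are constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_URI_LEN 512
#define MAX_URIS    16

/* Read a PDF literal string starting at buf[pos] == '('. Handles backslash
 * escapes and balanced nested parentheses as the PDF syntax allows. Writes a
 * NUL-terminated copy to out and returns the bytes consumed, or 0 if the
 * string is unterminated. */
static size_t read_literal_string(const unsigned char *buf, size_t len, size_t pos,
                                  char *out, size_t outsz)
{
    size_t i = pos + 1, o = 0;
    int depth = 1;
    if (pos >= len || buf[pos] != '(') return 0;
    while (i < len) {
        unsigned char c = buf[i++];
        if (c == '\\') {                 /* escape: keep the next byte literally */
            if (i >= len) break;
            c = buf[i++];
            if (c == 'n') c = '\n';
            else if (c == 'r') c = '\r';
        } else if (c == '(') {
            depth++;
        } else if (c == ')') {
            if (--depth == 0) { out[o] = '\0'; return i - pos; }
        }
        if (o + 1 < outsz) out[o++] = (char)c;
    }
    return 0;
}

/* Scan raw PDF bytes for "/URI" keys followed by a literal string and copy
 * each URL into uris[]. Returns the number of URLs found. Limitations, on
 * purpose: hex strings (/URI <...>) and objects inside compressed object
 * streams are not handled; a full parser would inflate those first. */
int extract_pdf_uris(const unsigned char *buf, size_t len,
                     char uris[][MAX_URI_LEN], int max_uris)
{
    int n = 0;
    size_t i = 0;
    while (i + 4 <= len && n < max_uris) {
        if (memcmp(buf + i, "/URI", 4) != 0) { i++; continue; }
        size_t p = i + 4;
        while (p < len && (buf[p] == ' ' || buf[p] == '\t' ||
                           buf[p] == '\r' || buf[p] == '\n')) p++;
        if (p < len && buf[p] == '(') {
            size_t used = read_literal_string(buf, len, p, uris[n], MAX_URI_LEN);
            if (used) { n++; i = p + used; continue; }
        }
        i += 4;   /* "/S /URI" (the action subtype) or an unterminated string: move on */
    }
    return n;
}

/* Constructed sample: one page with two link annotations, the second one
 * using an escaped ')' inside its URL. The hosts are placeholders. */
static const char SAMPLE_PDF[] =
    "%PDF-1.4\n"
    "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    "3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
    "4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    "   /A << /S /URI /URI (http://invoice-tracking.example/track.zip) >> >> endobj\n"
    "5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]\n"
    "   /A << /S /URI /URI(http://mail-tracking.example/x\\)y.exe) >> >> endobj\n"
    "trailer << /Root 1 0 R >>\n"
    "%%EOF\n";

static char g_uris[MAX_URIS][MAX_URI_LEN];
static int  g_count = -1;

/* Run the extractor once over the constructed PDF and cache the result. */
static void run_sample(void)
{
    if (g_count < 0)
        g_count = extract_pdf_uris((const unsigned char *)SAMPLE_PDF,
                                   sizeof(SAMPLE_PDF) - 1, g_uris, MAX_URIS);
}

int sample_uri_count(void) { run_sample(); return g_count; }

const char *sample_uri(int idx)
{
    run_sample();
    return (idx >= 0 && idx < g_count) ? g_uris[idx] : NULL;
}

int main(void)
{
    for (int k = 0; k < sample_uri_count(); k++)
        printf("URI[%d] = %s\n", k, sample_uri(k));
    return 0;
}
```

The first "/URI" in each annotation is the action subtype (/S /URI) and carries no string, so the scanner skips it; the second one is the key whose literal string holds the URL. Everything this extractor finds is still untrusted input: a sandbox then fetches it in the isolated environment, which is exactly the step the post describes next.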

Anyway, the feature is very new and does not work with the 'Stealthy Mode' yet, so you may have mixed experiences. The online service is updated with it and here is a first report of a PDF file that ran with the new feature:

 

Please take note of three things:
  1. The signature 'The input sample dropped a file that was identified as malicious' (that's the .exe file behind the malicious URL)
  2. The signature 'Found potential URL in binary/memory', which contains the malicious URL (it's still online, so beware; hxxp://www.sarnfields.co.uk/mcP5sr8XS4)
  3. The dropped file was actually executed (see 'Hybrid Analysis' section, click on the process)
The sample is available for download at the report (see link at the top).
SHA256: 11edf9436a9205c88c2a815cf6ebfb0a7a42eb150a2649766b3bb30350ee35ed

Windows 10 Insider Preview

Another part we have been working on (but not on the public servers yet) is Windows 10 compatibility. Here is a first run of the latest benchmark tool 'Pafish' on Windows 10 'Insider Preview':


The new background image is really cool, don't you think? :-)

Thursday, May 7, 2015

Staying up-to-date with Malware Sandbox Detection: About Tinba, Human Behavior and Hard Disc Cylinders

Just yesterday F-Secure published a blogpost about a new Tinba sample that implements a combined sandbox evasion technique: on the one hand it checks for indicators of human interaction, namely mouse movement (using GetCursorPos) and changes of the active foreground window (using GetForegroundWindow), and on the other hand it checks the disc size. In theory, all of these sandbox detection techniques are old hat and are, for example, part of the 'Pafish' benchmark tool, which implements the typical evasion techniques:

Disc size check in Pafish (reference)

What is new about the Tinba sample F-Secure posted about is that it checks the disc size in an atypical way: it issues the 'IOCTL_DISK_GET_DRIVE_GEOMETRY_EX' control code and counts the number of cylinders, which is a nice low-key way of determining the actual disc size. The buffer that NtDeviceIoControl fills for this control code is the following data structure:


If we intercept calls to NtDeviceIoControl and spoof the number of cylinders accordingly, any disc can be made to appear to have an arbitrary size.
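To make the two halves of this concrete, here is an added example (written for this page, not VxStream's monitor code): the DISK_GEOMETRY_EX layout that IOCTL_DISK_GET_DRIVE_GEOMETRY_EX returns, the cylinders-times-geometry arithmetic a sample can use to derive the disc size without ever reading the DiskSize field, and the rewrite a monitor can apply to the completed buffer so that the same arithmetic yields a large disc. The Windows types and the control code value are redeclared so the file builds without the Windows SDK; the geometry values and the 500 GiB target are constructed for the example, not taken from Tinba or from a real disk.

```c
/* Added example, not VxStream code: the DISK_GEOMETRY_EX buffer that
 * IOCTL_DISK_GET_DRIVE_GEOMETRY_EX returns, the size-from-cylinders arithmetic
 * a sample can do on it, and the cylinder spoofing a monitor can apply to the
 * completed buffer before the sample sees it. Windows types are redeclared
 * here so the example builds without the Windows SDK; the geometry values
 * below are constructed, not captured from a real disk. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int64_t  LARGE_INTEGER_t;   /* stands in for LARGE_INTEGER.QuadPart */
typedef uint32_t DWORD;
typedef int32_t  MEDIA_TYPE;        /* Windows enum; FixedMedia == 12 */
#define FixedMedia 12
/* CTL_CODE(IOCTL_DISK_BASE, 0x0028, METHOD_BUFFERED, FILE_ANY_ACCESS) */
#define IOCTL_DISK_GET_DRIVE_GEOMETRY_EX 0x000700A0u

typedef struct {
    LARGE_INTEGER_t Cylinders;
    MEDIA_TYPE      MediaType;
    DWORD           TracksPerCylinder;
    DWORD           SectorsPerTrack;
    DWORD           BytesPerSector;
} DISK_GEOMETRY;

typedef struct {
    DISK_GEOMETRY   Geometry;
    LARGE_INTEGER_t DiskSize;   /* total size in bytes as reported by the driver */
    uint8_t         Data[1];    /* variable-length partition/detection info follows */
} DISK_GEOMETRY_EX;

/* The low-key check: derive the disc size from the geometry alone, without
 * touching DiskSize: cylinders * tracks/cylinder * sectors/track * bytes/sector. */
uint64_t size_from_cylinders(const DISK_GEOMETRY *g)
{
    return (uint64_t)g->Cylinders * g->TracksPerCylinder *
           g->SectorsPerTrack * g->BytesPerSector;
}

/* Rewrite Cylinders (and DiskSize, so the two stay consistent) so the geometry
 * describes a disc of at least target_bytes. Returns 0 on success, -1 if the
 * geometry is degenerate (a zero factor would divide by zero). */
int spoof_geometry(DISK_GEOMETRY_EX *gx, uint64_t target_bytes)
{
    DISK_GEOMETRY *g = &gx->Geometry;
    uint64_t per_cyl = (uint64_t)g->TracksPerCylinder * g->SectorsPerTrack * g->BytesPerSector;
    if (per_cyl == 0) return -1;
    uint64_t cyl = (target_bytes + per_cyl - 1) / per_cyl;   /* round up */
    g->Cylinders = (LARGE_INTEGER_t)cyl;
    gx->DiskSize = (LARGE_INTEGER_t)(cyl * per_cyl);
    return 0;
}

/* What a post-call hook on NtDeviceIoControlFile would do: only touch the
 * output buffer for this control code, and only if it is large enough to hold
 * the fixed part of DISK_GEOMETRY_EX. Returns 1 if the buffer was spoofed. */
int spoof_on_completion(uint32_t io_control_code, void *out_buf, size_t out_len,
                        uint64_t target_bytes)
{
    if (io_control_code != IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) return 0;
    if (out_buf == NULL || out_len < offsetof(DISK_GEOMETRY_EX, Data)) return 0;
    return spoof_geometry((DISK_GEOMETRY_EX *)out_buf, target_bytes) == 0;
}

/* Constructed geometry of a small VM disc: the CHS values Windows commonly
 * reports (255 tracks, 63 sectors, 512 bytes) and 2610 cylinders, about 20 GiB. */
static void sample_geometry(DISK_GEOMETRY_EX *gx)
{
    memset(gx, 0, sizeof *gx);
    gx->Geometry.Cylinders         = 2610;
    gx->Geometry.MediaType         = FixedMedia;
    gx->Geometry.TracksPerCylinder = 255;
    gx->Geometry.SectorsPerTrack   = 63;
    gx->Geometry.BytesPerSector    = 512;
    gx->DiskSize = (LARGE_INTEGER_t)size_from_cylinders(&gx->Geometry);
}

#define SPOOF_TARGET_BYTES (500ULL << 30)   /* make the disc look like 500 GiB */

uint64_t sample_size_before(void)
{
    DISK_GEOMETRY_EX gx;
    sample_geometry(&gx);
    return size_from_cylinders(&gx.Geometry);
}

int64_t sample_cylinders_after(void)
{
    DISK_GEOMETRY_EX gx;
    sample_geometry(&gx);
    spoof_on_completion(IOCTL_DISK_GET_DRIVE_GEOMETRY_EX, &gx, sizeof gx, SPOOF_TARGET_BYTES);
    return gx.Geometry.Cylinders;
}

uint64_t sample_size_after(void)
{
    DISK_GEOMETRY_EX gx;
    sample_geometry(&gx);
    spoof_on_completion(IOCTL_DISK_GET_DRIVE_GEOMETRY_EX, &gx, sizeof gx, SPOOF_TARGET_BYTES);
    return size_from_cylinders(&gx.Geometry);
}

int main(void)
{
    printf("before: %llu bytes\n", (unsigned long long)sample_size_before());
    printf("after:  %lld cylinders, %llu bytes\n",
           (long long)sample_cylinders_after(), (unsigned long long)sample_size_after());
    return 0;
}
```

Two details matter for a monitor that does this. The hook must run after the driver has completed the request, because the cylinder count it rewrites is whatever the real disc reported, and it should adjust DiskSize together with Cylinders: a sample that reads both fields and finds them inconsistent has found a different, equally cheap tell.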

As outlined in our blogpost 'Benchmarking some popular public malware analysis services regarding their "Anti-VM" technology' from February, it is part of our daily job to stay up-to-date with sandbox evasion technology. So that is what we did here.

As VxStream Sandbox runs by default with 'action scripts' that simulate user behavior, the first part of Tinba's sandbox detection was passed to begin with. As we already implement a variety of spoofing techniques, it was easy to extend the current engine. Re-running the sample had the desired result: the checks were passed and Tinba started showing a lot more behavior.

Report of Tinba with the latest VxStream Anti-VM Detection Technology

Additionally, we created a new behavior signature called 'Queries disc information (often used to evade virtual machines)' in order to generically detect this kind of behavior on any sample analyzed in the future.

Report URL: https://www.hybrid-analysis.com/sample/476fc456c66cbec138e3dab72a0f0e54f203dbf27ce88736b1893b668bce63c4?environmentId=1

Tuesday, May 5, 2015

Technology Boost: introducing 'Stealthy Mode' monitor engine and Single-File HTML Reports

Today is a big release day with two new major features that we have worked on over the past 9-10 months; both are also available on our online web service at http://www.hybrid-analysis.com right now.

Kernelmode Monitor

You can now choose a 'Stealthy Mode' environment, a completely new monitoring technology that leaves the malware sample untampered. A lot of sandbox systems and even AV products (see this blogpost: http://rce.co/why-usermode-hooking-sucks-bypassing-comodo-internet-security/) rely on injecting into and tampering with processes in userland. With the new 'Stealthy Mode' of VxStream Sandbox the sample executes untampered and is observed from the operating system level, which is far less detectable. Our new technology is a milestone and takes VxStream to a level that is matched by only very few competitors on the market.

Note: choose the W7 32 bit 'Stealthy Mode' environment upon submission to try it out.

Of course, we still take memory dumps of the analyzed processes so that the reports benefit from Hybrid Analysis technology. Essentially, you will not notice much difference between the usermode and the kernelmode monitor, except that certain malware samples that detect tampering with their memory image will run a lot better under 'Stealthy Mode'. The new kernelmode monitor also comes with some basic anti-VM detection technology, just like the usermode monitor.



The above picture is taken from a sample report running the known 'Pafish' benchmark (v0.4) with the new kernelmode monitor: https://www.hybrid-analysis.com/sample/bf0bbd28deed92fbd9f974e63336c2a4185a07ed19c578a37885d351134c0182/?environmentId=4

Single-File HTML Reports

It is now possible to 'persist' and download single-file HTML reports for any analysis report generated from now on. This is another feature we have been working on: the HTML reports are generated from the XML reports and are completely separate from the online reports (which are just a view on JSON documents stored in MongoDB). The HTML reports are handy if you want to share or keep a report. They are not as complete as the online reports yet, but they also contain a few details the online reports do not (such as the exact VT results).


Sample HTML report hosted at our company site: here
Corresponding Hybrid-Analysis.com report: here

Of course, we will be extending and working on both of these two new code 'projects' over the coming months, so stay tuned.

// EOF

 

It is possible to license VxStream Sandbox and run it on-premise

If you are interested in licensing the full version of VxStream Sandbox (includes the web application to run your own service, an API, the runtime monitor, the load balancing controller, hybrid analysis technology, report generator, all behavior signatures, scripts, etc.) or have any questions, please use our contact form and get in touch. We have a very simple licensing structure and additional options. If you are interested in a demo, try out our free malware analysis service at hybrid-analysis.com.