Thursday, May 7, 2015

Staying up-to-date with Malware Sandbox Detection: About Tinba, Human Behavior and Harddisc Cylinders

Just yesterday F-Secure published a blog post about a new Tinba sample that combines several sandbox-evasion checks: it looks for indicators of human interaction, namely mouse movement (via GetCursorPos) and changes of the active foreground window (via GetForegroundWindow), and it also checks the disc size. In theory all of these sandbox detection techniques are old hat and are, for example, part of the 'Pafish' benchmark tool that implements the typical evasion tricks:

Disc size check in Pafish (reference)

What is new in the Tinba sample F-Secure wrote about is that it does not check the disc size in the usual way. Instead it issues the 'IOCTL_DISK_GET_DRIVE_GEOMETRY_EX' control code and counts the number of cylinders, which is a nice low-key way of deriving the actual disc size. The structure returned by NtDeviceIoControl for this control code eventually contains the following data:


If we intercept calls to NtDeviceIoControl and spoof the number of cylinders accordingly, the disc can be made to appear to have any size we like.
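As an added example (not code from the original post or from VxStream), the block below shows how the disc size follows from the CHS geometry and how a sandbox hooking NtDeviceIoControl could patch the Cylinders field in the output buffer so the geometry implies a larger disc. The DISK_GEOMETRY_EX layout is redefined locally so it builds without windows.h, and the 20 GiB sample geometry is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Local mirror of the Windows DISK_GEOMETRY / DISK_GEOMETRY_EX layout
 * (assumption: declared here so the example builds without windows.h). */
typedef struct {
    int64_t  Cylinders;           /* LARGE_INTEGER */
    uint32_t MediaType;           /* MEDIA_TYPE, 12 = FixedMedia */
    uint32_t TracksPerCylinder;
    uint32_t SectorsPerTrack;
    uint32_t BytesPerSector;
} DISK_GEOMETRY_T;

typedef struct {
    DISK_GEOMETRY_T Geometry;
    int64_t         DiskSize;     /* LARGE_INTEGER, total bytes */
    uint8_t         Data[1];      /* variable-length trailer, unused here */
} DISK_GEOMETRY_EX_T;

/* Disc size implied by the CHS geometry, i.e. what the cylinder count reveals. */
int64_t geometry_size_bytes(const DISK_GEOMETRY_T *g) {
    return g->Cylinders * (int64_t)g->TracksPerCylinder *
           g->SectorsPerTrack * g->BytesPerSector;
}

/* Sandbox-side fixup applied to the output buffer of a hooked NtDeviceIoControl:
 * raise Cylinders so the geometry implies at least want_bytes (rounded up,
 * never down) and keep DiskSize consistent. Returns the cylinder count now
 * in the buffer. */
int64_t spoof_geometry(DISK_GEOMETRY_EX_T *ex, int64_t want_bytes) {
    DISK_GEOMETRY_T *g = &ex->Geometry;
    int64_t per_cyl = (int64_t)g->TracksPerCylinder * g->SectorsPerTrack * g->BytesPerSector;
    if (per_cyl <= 0) return g->Cylinders;     /* malformed reply: leave as is */
    int64_t need = (want_bytes + per_cyl - 1) / per_cyl;
    if (need > g->Cylinders) {
        g->Cylinders = need;
        ex->DiskSize = geometry_size_bytes(g);
    }
    return g->Cylinders;
}

/* Constructed sample: a typical ~20 GiB VM disc (2610 x 255 x 63 x 512)
 * patched to look like at least 100 GiB. Returns the patched cylinder count. */
int64_t run_example(void) {
    DISK_GEOMETRY_EX_T ex = { { 2610, 12, 255, 63, 512 }, 0, { 0 } };
    ex.DiskSize = geometry_size_bytes(&ex.Geometry);
    printf("before: %lld cylinders, %lld bytes\n", (long long)ex.Geometry.Cylinders, (long long)ex.DiskSize);
    int64_t cyl = spoof_geometry(&ex, 100LL << 30);
    printf("after:  %lld cylinders, %lld bytes\n", (long long)cyl, (long long)ex.DiskSize);
    return cyl;
}

int main(void) { return run_example() > 2610 ? 0 : 1; }
```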

As outlined in our earlier blogpost 'Benchmarking some popular public malware analysis services regarding their "Anti-VM" technology' from February, staying up-to-date with sandbox-evasion techniques is part of our daily job. So that is what we did here.

Because VxStream Sandbox runs by default with 'action scripts' that simulate user behavior, the first part of Tinba's sandbox detection was passed from the start. Since we already implement a variety of spoofing techniques, extending the current engine was easy. Re-running the sample had the desired result: the checks were passed and Tinba started showing a lot more behavior.

Report of Tinba with the latest VxStream Anti-VM Detection Technology

Additionally, we created a new behavior signature called 'Queries disc information (often used to evade virtual machines)' in order to generically detect this kind of behavior on any sample analyzed in the future.

Report URL: https://www.hybrid-analysis.com/sample/476fc456c66cbec138e3dab72a0f0e54f203dbf27ce88736b1893b668bce63c4?environmentId=1