SlideShare a Scribd company logo

How to convince a malware to avoid us

C
Csaba Fitzl

This document discusses how malware authors try to detect analysis environments like sandboxes, virtual machines, and debuggers in order to avoid analysis. It presents real world malware examples that use these detection techniques. The document then proposes potential "vaccination" techniques to emulate unhealthy environments in order to trick malware into thinking it is not being analyzed, making the researcher's job easier. It showcases some proof-of-concept tools developed by the author for this purpose, including tools to fake the presence of virtual machines and debuggers. Challenges with vaccination techniques are also discussed.

Presentations & Public Speaking
Related topics:
Information SecurityReverse Engineering Incident Response
1 of 40
Downloaded 10 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
How to convince a malware to avoid us? Csaba Fitzl
whoami blue teamer security researcher, blogger certification monkey husband, father hiker
What is this talk about?
How to convince a malware to avoid us
Agenda part #1 - What malware authors afraid of and how they detect it? part #2 - Real world examples part #3 - My POC tools for vaccination
What malware authors are afraid of?
security researchers sandboxes virtual machines hardened machines => malware hates being analyzed also tries to avoid certain targets
How they detect it?
Debuggers IsDebuggerPresent PEB!IsDebugged PEB!NtGlobalFlags OutputDebugString timing (RDTSC) self debug INT3 actual windows names etc…
Virtual machines look for artifacts in: registry file system processes MAC address… VMware I/O ports red pill
Sandboxes screen resolution (low) installed software (limited) number of cores memory desktop etc… ref: Zoltán Balázs – Sandbox detection for the masses: leak, abuse, test
Antivirus registry file system antivirus product registered
Real world samples
How to convince a malware to avoid us
048fc07fb94a74990d2d2b8e92c099f3f986 af185c32d74c857b07f7fcce7f8e Word dropper sandbox detection Public Sub IuIxpP() If DKTxHE Then Error 101 If qrNjY Then Error 102 (…) Public Function DKTxHE() As Boolean DKTxHE = RecentFiles.Count < 3 End Function
demo time
c279165952de10a5f715df706da26b2d5a57cc 50e49dcab74fc91dba2ce1408b generic trojan checks for plenty of analysis SW checks for anti malware
demo time
ca7cb56b9a254748e983929953df32f219905f 96486d91390e8d5d641dc9916d Teslacrypt antivirus detection
demo time
Today’s research
What is in the focus? mainly about hiding analysis tools e.g.: zer0fox ease researcher’s job verify environment - pafish
How about vaccination? let’s try to emulate ‘unhealthy’ environment less researched malware might avoid us
Previous research White Paper Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware, 2008 Rapid7 Vaccinating systems against VM-aware malware, 2013 Gal Bitensky Demo Vaccination The Anti-Honeypot Approach, 2016 various tools against specific malware
My PoC tools
How to convince a malware to avoid us
tool #1: fakevm kernel driver w/ SSDT hooking up to Win7 x86 can emulate VBOX / VMWARE files & registry keys easy to extend w/ other keys, files
demo time
tool #2: FakeDebuggerWindows simple Windows app creates a window, and doesn’t show it no conflict with other windows
demo time
tool #3: mutex-grabber monitor malwr.com for mutexes dynamically add them to the system allows whitelisting saving / loading files
demo time
Challenges software compatibility does normal sw care about VM / debuggers? system resources low level vaccination? needs to be done in clever way (e.g.: machine can’t be VBOX and VMware at the same time)
Any production grade solution?
HitMan Pro Alert uses vaccination other interesting protections as well tested w/ Pafish
demo time
Minerva Labs sw dedicated for vaccination claims to stop many malware these days
Conclusion
interesting area it is effective against malware should be more commonly researched could have two long term effects malware stop caring about VM, etc.. -> this method won’t be effective, but analysis might be easier everything stays -> we can protect against malware
? twitter: @theevilbit tools: https://github.com/theevilbit/vaccination

More Related Content

PDF
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
PDF
Getting root with benign app store apps
Csaba Fitzl
 
PDF
Exploiting Directory Permissions on macOS
Csaba Fitzl
 
PDF
Mitigating Exploits Using Apple's Endpoint Security
Csaba Fitzl
 
PDF
Exploiting XPC in AntiVirus
Csaba Fitzl
 
PDF
GateKeeper - bypass or not bypass?
Csaba Fitzl
 
PDF
20+ Ways To Bypass Your Macos Privacy Mechanisms
SecuRing
 
PPTX
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Rob Fuller
 
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
Getting root with benign app store apps
Csaba Fitzl
 
Exploiting Directory Permissions on macOS
Csaba Fitzl
 
Mitigating Exploits Using Apple's Endpoint Security
Csaba Fitzl
 
Exploiting XPC in AntiVirus
Csaba Fitzl
 
GateKeeper - bypass or not bypass?
Csaba Fitzl
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
SecuRing
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Rob Fuller
 

What's hot (20)

PDF
Windows attacks - AT is the new black
Chris Gates
 
PDF
Windows Attacks AT is the new black
Rob Fuller
 
PDF
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates
 
PPTX
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates
 
PDF
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Rob Fuller
 
PPTX
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Chris Gates
 
PDF
SANS DFIR Prague: PowerShell & WMI
Joe Slowik
 
PDF
Jump into Squeak - Integrate Squeak projects with Docker & Github
hubx
 
PDF
Appsec DC - wXf -2010
Chris Gates
 
PDF
Writing malware while the blue team is staring at you
Rob Fuller
 
PDF
Attacking Oracle with the Metasploit Framework
Chris Gates
 
PPTX
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar
 
PPTX
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
EC-Council
 
PDF
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Chris Gates
 
PPTX
Defcon - Veil-Pillage
VeilFramework
 
PPT
RIT 2009 Intellectual Pwnership
Rob Fuller
 
PDF
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
 
PPTX
Wielding a cortana
Will Schroeder
 
PPTX
Everyone Matters In Infosec 2014
Micah Hoffman
 
PPTX
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Rob Fuller
 
Windows attacks - AT is the new black
Chris Gates
 
Windows Attacks AT is the new black
Rob Fuller
 
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Rob Fuller
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Chris Gates
 
SANS DFIR Prague: PowerShell & WMI
Joe Slowik
 
Jump into Squeak - Integrate Squeak projects with Docker & Github
hubx
 
Appsec DC - wXf -2010
Chris Gates
 
Writing malware while the blue team is staring at you
Rob Fuller
 
Attacking Oracle with the Metasploit Framework
Chris Gates
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
EC-Council
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Chris Gates
 
Defcon - Veil-Pillage
VeilFramework
 
RIT 2009 Intellectual Pwnership
Rob Fuller
 
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
 
Wielding a cortana
Will Schroeder
 
Everyone Matters In Infosec 2014
Micah Hoffman
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Rob Fuller
 
Ad

Similar to How to convince a malware to avoid us (20)

PDF
Understand study
Antonio Costa aka Cooler_
 
PPTX
(Training) Malware - To the Realm of Malicious Code
Satria Ady Pradana
 
PDF
Bypassing Antivirus for effective security
ArafatAshrafiTalha
 
PDF
Malware Evasion Techniques
Thomas Roccia
 
PDF
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Akmal Hisyam
 
PDF
Breaking av software
Joxean Koret
 
PDF
Breaking av software
Thomas Pollet
 
PDF
Breaking Antivirus Software
rahmanprojectd
 
PDF
Identifying, Monitoring, and Reporting Malware
Teodoro Cipresso
 
PPTX
Two-For-One Talk: Malware Analysis for Everyone
Paul Melson
 
PDF
SANS Digital Forensics and Incident Response Poster 2012
Rian Yulian
 
PPT
Rootkit Hunting & Compromise Detection
amiable_indian
 
DOC
Web virus activity
Sim_Dhillon
 
PDF
Ceh v8 labs module 07 viruses and worms
Mehrdad Jingoism
 
PDF
Exploits Attack on Windows Vulnerabilities
Amit Kumbhar
 
PPT
Antiviruse.ppt
AthiraKrishnan57
 
PDF
HackInBo2k16 - Threat Intelligence and Malware Analysis
Antonio Parata
 
DOCX
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
pauline234567
 
PPTX
Intro to Malware Analysis
wremes
 
PPSX
Computer viruses
Yousef Bahaa
 
Understand study
Antonio Costa aka Cooler_
 
(Training) Malware - To the Realm of Malicious Code
Satria Ady Pradana
 
Bypassing Antivirus for effective security
ArafatAshrafiTalha
 
Malware Evasion Techniques
Thomas Roccia
 
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Akmal Hisyam
 
Breaking av software
Joxean Koret
 
Breaking av software
Thomas Pollet
 
Breaking Antivirus Software
rahmanprojectd
 
Identifying, Monitoring, and Reporting Malware
Teodoro Cipresso
 
Two-For-One Talk: Malware Analysis for Everyone
Paul Melson
 
SANS Digital Forensics and Incident Response Poster 2012
Rian Yulian
 
Rootkit Hunting & Compromise Detection
amiable_indian
 
Web virus activity
Sim_Dhillon
 
Ceh v8 labs module 07 viruses and worms
Mehrdad Jingoism
 
Exploits Attack on Windows Vulnerabilities
Amit Kumbhar
 
Antiviruse.ppt
AthiraKrishnan57
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
Antonio Parata
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
pauline234567
 
Intro to Malware Analysis
wremes
 
Computer viruses
Yousef Bahaa
 
Ad

More from Csaba Fitzl (7)

PDF
The Final Chapter - Unlimited Ways to Bypass Your macOS Privacy Mechanisms
Csaba Fitzl
 
PDF
Launch and Environment Constraints Overview
Csaba Fitzl
 
PDF
macOS Vulnerabilities Hiding in Plain Sight
Csaba Fitzl
 
PDF
SecurityFest-22-Fitzl-beyond.pdf
Csaba Fitzl
 
PDF
Csaba fitzl - Mount(ain) of Bugs
Csaba Fitzl
 
PDF
Exploit generation and javascript analysis automation with WinDBG lu
Csaba Fitzl
 
PDF
Exploit generation automation with WinDBG (Hacktivity 2017)
Csaba Fitzl
 
The Final Chapter - Unlimited Ways to Bypass Your macOS Privacy Mechanisms
Csaba Fitzl
 
Launch and Environment Constraints Overview
Csaba Fitzl
 
macOS Vulnerabilities Hiding in Plain Sight
Csaba Fitzl
 
SecurityFest-22-Fitzl-beyond.pdf
Csaba Fitzl
 
Csaba fitzl - Mount(ain) of Bugs
Csaba Fitzl
 
Exploit generation and javascript analysis automation with WinDBG lu
Csaba Fitzl
 
Exploit generation automation with WinDBG (Hacktivity 2017)
Csaba Fitzl
 

Recently uploaded (20)

PPTX
INTERNATIONAL LABOUR ORAGNISATION PPT ON SOCIAL SCIENCE
AbinayaaAnbazhakan
 
PPTX
Role and Responsibilities of Bangladesh Coast Guard Base, Mongla Challenges
Tasnim Alam Safin
 
PPTX
Hydrogel Based delivery Cancer Treatment
sgsayan31
 
PPTX
Anesthesia and it's stage with mnemonic and images
panchalkhushal24
 
PPTX
Non-Verbal-Communication .mh.pdf_110245_compressed.pptx
ansarihussainh
 
PPTX
worship songs, in any order, compilation
wilmalenetoledo
 
PPTX
Intro to ISO 9001 2015.pptx wareness raising
nadianisar5
 
PPTX
Human Mind & its character Characteristics
peterjoekari
 
PPTX
ART-APP-REPORT-FINctrwxsg f fuy L-na.pptx
ajp27480
 
PDF
Nykaa-Strategy-Case-Fixing-Retention-UX-and-D2C-Engagement (1).pdf
VaibhavBansal926958
 
PPTX
Emphasizing It's Not The End 08 06 2025.pptx
FamilyWorshipCenterD
 
PPTX
An Unlikely Response 08 10 2025.pptx
FamilyWorshipCenterD
 
PDF
Presentation1 [Autosaved].pdf diagnosiss
moibrahim20044
 
PPTX
The Effect of Human Resource Management Practice on Organizational Performanc...
wemasterconstruction
 
PPTX
Impressionism_PostImpressionism_Presentation.pptx
PrincessJazminAligan
 
PPTX
BIOLOGY TISSUE PPT CLASS 9 PROJECT PUBLIC
iamsrinjandatta
 
PPTX
Learning-Plan-5-Policies-and-Practices.pptx
judekimwellnombre15
 
PDF
Instagram's Product Secrets Unveiled with this PPT
mainikunal09
 
PPTX
Primary and secondary sources, and history
valenciamarcchristia
 
DOCX
"Project Management: Ultimate Guide to Tools, Techniques, and Strategies (2025)"
Myplanningtemplates
 
INTERNATIONAL LABOUR ORAGNISATION PPT ON SOCIAL SCIENCE
AbinayaaAnbazhakan
 
Role and Responsibilities of Bangladesh Coast Guard Base, Mongla Challenges
Tasnim Alam Safin
 
Hydrogel Based delivery Cancer Treatment
sgsayan31
 
Anesthesia and it's stage with mnemonic and images
panchalkhushal24
 
Non-Verbal-Communication .mh.pdf_110245_compressed.pptx
ansarihussainh
 
worship songs, in any order, compilation
wilmalenetoledo
 
Intro to ISO 9001 2015.pptx wareness raising
nadianisar5
 
Human Mind & its character Characteristics
peterjoekari
 
ART-APP-REPORT-FINctrwxsg f fuy L-na.pptx
ajp27480
 
Nykaa-Strategy-Case-Fixing-Retention-UX-and-D2C-Engagement (1).pdf
VaibhavBansal926958
 
Emphasizing It's Not The End 08 06 2025.pptx
FamilyWorshipCenterD
 
An Unlikely Response 08 10 2025.pptx
FamilyWorshipCenterD
 
Presentation1 [Autosaved].pdf diagnosiss
moibrahim20044
 
The Effect of Human Resource Management Practice on Organizational Performanc...
wemasterconstruction
 
Impressionism_PostImpressionism_Presentation.pptx
PrincessJazminAligan
 
BIOLOGY TISSUE PPT CLASS 9 PROJECT PUBLIC
iamsrinjandatta
 
Learning-Plan-5-Policies-and-Practices.pptx
judekimwellnombre15
 
Instagram's Product Secrets Unveiled with this PPT
mainikunal09
 
Primary and secondary sources, and history
valenciamarcchristia
 
"Project Management: Ultimate Guide to Tools, Techniques, and Strategies (2025)"
Myplanningtemplates
 

How to convince a malware to avoid us