Automatic analysis of professional sandbox and malicious samples

Time:2020-10-29

Automatic analysis of professional sandbox and malicious samples

Guide to Yun Mei:
Sandbox, also translated as sandbox, is usually used to provide an isolated running environment for programs with untrusted sources, destructive power or unable to determine their intentions. Even many professional sandboxes are essentially an enhanced virtual machine. Sandbox usually can strictly control all kinds of resources that can be accessed by programs running in sandbox, including: restricting, prohibiting, monitoring access to network, accessing real system, reading input devices, etc. In short, Sandbox can be understood as a collection of virtualization and monitoring means.
Sandbox is a common tool for us to capture malicious attacks and deal with emergency response. This paper will introduce the basic concept of sandbox through several examples, and introduce the construction process of sandbox environment by taking cuckoo as an example. Finally, taking gonnacry ransom software as an example, this paper briefly introduces the enhancement of detection ability and the development process of signature of cuckoo Linux sandbox.

Automatic analysis of professional sandbox and malicious samples

In order to better understand the concept of sandbox, we will analyze several typical sandboxes that we may use in daily life.

Automatic analysis of professional sandbox and malicious samples

Microsoft has added sandbox function in professional edition and enterprise version after windows 10 18305 version. Sandbox can be opened through windows function interface.

Automatic analysis of professional sandbox and malicious samples

It is a kind of safe operation scheme based on Windows container. Its basic structure is shown in the following figure:

Automatic analysis of professional sandbox and malicious samples

Although windows sandbox shares the kernel with the operating system, its access to the kernel is limited. The kernel does not provide all the APIs and services required by the application.
Windows sandbox has the feature of out of the box. We can open a Windows sandbox directly and run the application as if it is local, but we don’t have to worry about damaging the operating system. For example, in our daily use of computers, we inevitably encounter the need to download and execute some application programs with uncertain credibility, run them directly on the computer, worry about poisoning, and the running of virtual machines consumes too much resources. At this time, windows sandbox is a good choice.

Automatic analysis of professional sandbox and malicious samples

Today, PDF has evolved from static pages to composite documents with interactive forms, multimedia content, scripts and other functions. These features make PDF vulnerable to malicious scripts or operations that can steal data or even damage your computer. With enhanced security, you can protect your computer from these threats by prohibiting or selectively allowing operations from trusted locations and files. Adobe reader has added sandbox function in versions after X to mitigate vulnerability exploitation. We can learn from the comparison of the following two pictures to understand the changes in the difficulty of vulnerability exploitation before and after adding sandbox.

Automatic analysis of professional sandbox and malicious samples

Lack of sandbox mechanism in adobe reader 9

Automatic analysis of professional sandbox and malicious samples

The vulnerability exploitation process after adobe reader x is added into sandbox

After the sandbox is added, the code that adobe reader does not trust can be run, but only given lower permissions. When requesting high permission operations, it needs to be completed through another intermediary process. At the same time, many sensitive Windows API calls will be blocked, so as to ensure that adobe reader is not easily exploited. Taking file operation as an example, the typical file operation process is as follows:(1) Call the CreateFile (2) permission to get the file handle (3) to execute the readfile / WriteFile read-write operation.After the sandbox mechanism is added, the program runs in the sandbox process: calling CreateFile directly is prohibited. The file operation needs the broker process to transit, and the mediation process will conduct a series of checks to prevent malicious operations. When all the verifications are passed, the CreateFile is called and the file handle is obtained.

Automatic analysis of professional sandbox and malicious samples

Through these two cases, we have a basic understanding of what sandbox is. In addition, there are some other types of sandboxes with similar basic principles, such as antivirus software sandbox (360 sandbox), browser sandbox (Chrome sandbox, etc.), which will not be introduced here. Let’s talk about the automatic analysis of professional sandbox and malicious samples. This paper takes cuckoo’s Linux sandbox as an example to introduce it (Note: Cuckoo’s windows sandbox is not in the scope of this article, interested friends can go to the Internet to search for relevant articles).

Automatic analysis of professional sandbox and malicious samples

The cuckoo sandbox isAn automated malicious sample analysis system.After submitting suspicious files through web interface or web API provided by sandbox system, Sandbox system can automatically analyze and provide a detailed report to summarize the behavior of the file when executing in sandbox.

Automatic analysis of professional sandbox and malicious samples

Cuckoo is composed of cuckoo host, analysis guests and virtual network. Cuckoo host is the dispatching center, and analysis guest is the sandbox environment of specific execution samples. The two are connected through virtual network card. When the samples are submitted to the cuckoo host, the cuckoo host will schedule an idle analysis guest node and pass the samples to the selected sandbox node for automatic analysis. After the analysis, the analysis data collected by the sandbox node will be summarized, and finally the analysis report will be output.

Automatic analysis of professional sandbox and malicious samples

The underlying layer of cuckoo sandbox is based on virtualization technology and can be constructed by using different virtualization platforms. Currently, the supported virtualization platforms include:VirtualBox、KVM、VMware Workstation、XenServer。

Automatic analysis of professional sandbox and malicious samples

The following installation process is based on VirtualBox virtualization environment and is divided into two parts: host and guest. The experimental environment is as follows:
System release: Ubuntu 18.04
Hardware configuration: 16 core 32g 600g

  • Host installation

– dependent library installation
sudo apt-get install -y python python-pip python-dev libffi-dev libssl-dev
sudo apt-get install -y python-virtualenv python-setuptools
sudo apt-get install -y libjpeg-dev zlib1g-dev swig
– database installation
sudo apt-get install mongodb
– install pydeep
apt-get install -y build-essential git libpcre3 libpcre3-dev libpcre++-dev python-dev libfuzzy-dev
git clone https://github.com/kbandla/pydeep.git
cd pydeep
python setup.py build
python setup.py install
– install VirtualBox
echo deb http://download.virtualbox.org/virtualbox/debian bionic contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add –
sudo apt-get update
sudo apt-get install -y libpng16-16 libvpx5 libsdl-ttf2.0-0
sudo apt-get install virtualbox
– install tcpdump
apt-get install -y libcap2-bin tcpdump
– install volatility
wget https://downloads.volatilityfoundation.org//releases/2.6/volatility_2.6_lin64_standalone.zip
unzip volatility_2.6_lin64_standalone.zip
M2crypto installation
sudo apt-get install -y swig
sudo pip install m2crypto
– installing guacd
sudo apt install -y libguac-client-rdp0 libguac-client-vnc0 libguac-client-ssh0 guacd
– install cuckoo
$ virtualenv venv
$ . venv/bin/activate
(venv)$ pip2 install -U pip setuptools
(venv)$ pip2 install -U cuckoo
After successful installation, it is shown in the following figure:

Automatic analysis of professional sandbox and malicious samples

  • Guest installation

– install dependency Libraries
sudo apt-get install systemtap gcc patch linux-headers-$(uname -r)
– patch systemtap script
$ wget https://raw.githubusercontent.com/cuckoosandbox/cuckoo/master/stuff/systemtap/expand_execve_envp.patch
$ wget https://raw.githubusercontent.com/cuckoosandbox/cuckoo/master/stuff/systemtap/escape_delimiters.patch
$ sudo patch /usr/share/systemtap/tapset/linux/sysc_execve.stp < expand_execve_envp.patch
$ sudo patch /usr/share/systemtap/tapset/uconversions.stp < escape_delimiters.patch
– compiling kernel extensions
$ wget https://raw.githubusercontent.com/cuckoosandbox/cuckoo/master/stuff/systemtap/strace.stp
$ sudo stap -p4 -r $(uname -r) strace.stp -m stap_ -v
$ sudo staprun -v ./stap_.ko
$ sudo mkdir /root/.cuckoo
$ sudo mv stap_.ko /root/.cuckoo/
– turn off the firewall and NTP
sudo ufw disable
sudo timedatectl set-ntp off
After the environment is installed, you can start the cuckoo scheduling process and web services
cuckoo -d
cuckoo web runserver 192.168.1.15:80

Automatic analysis of professional sandbox and malicious samples

Automatic analysis of professional sandbox and malicious samples

The Linux sandbox of cuckoo is analyzed from three dimensions

  • Syscall call call monitoring
    The system call is monitored through systemtap.
  • Memory analysis
    The process memory is analyzed by volatility and Yara
  • Network behavior analysis
    The network traffic is analyzed by snort

Next, combined with an actual case, this paper introduces in detail how to use systemtap to monitor system calls and develop a detection strategy to detect malicious samples.
Systemtap is a tool for tracking and probing. It can provide output information similar to netstat, PS, top and iostat, but it can provide more powerful tracking and detection capabilities than these tools.
Systemtap is a framework, and the specific analysis logic needs to pass theSystemtap script implementation。 The systemtap script consists of two parts:eventsandhandlersThat is, the event and the corresponding handler. Events and their corresponding handlers are called probes. A systemtap script can have multiple probes. The following figure shows the probes used to monitor system calls in cuckoo.

Automatic analysis of professional sandbox and malicious samples

This code is used to monitor and obtain the syscall called by the malicious sample process and its subprocesses, as well as the parameters and return values of the related syscall.
Correspondingly, the execution process of systemtap script is as follows:
1) Systemtap checks whether the dependent Library of the script exists (usually in / usr / share / systemtap / tapset /). Systemtap will replace the tapset in the script with the corresponding definition in the tapset library.
2) Systemtap converts scripts into C language and compiles them into kernel modules through C compiler. (the systemtap installation package contains the tools needed for this step)
3) Systemtap loads the kernel module. After that, all probes (events and handlers) defined in the script take effect. This step is implemented through the staprun in systemtap runtime.
4) When the event is triggered, the corresponding handlers are executed.
5) At the end of the systemtap session, the probe automatically fails and the kernel module is unloaded.
So far, we have an overall understanding of the process of cuckoo monitoring syscall through systemtap. Systemtap will return the collected syscall and its parameter return values to cuckoo in the form of a report. The analysis system of cuckoo can analyze the report. Users can analyze the results collected by systemtap by adding a signature.
Take the analysis of the ransomware gonnacry as an example. The following figure shows a series of operations of the ransom software gonnacry before performing encryption operations. Because its encryption depends on the encryption and decryption library libcrypto installed on the system, it will search the common installation location of libcrypto for this library.

Automatic analysis of professional sandbox and malicious samples

We can add a policy to record systemtap’s record of the operation and mark the operation as malicious.

Automatic analysis of professional sandbox and malicious samples

When the strategy is hit many times in the process of sandbox running, the sample to be analyzed can be basically determined to search on the system libcrypto.so At this time, we can combine other detection strategies to improve the detection accuracy of malicious samples.
The detection results are as follows:

Automatic analysis of professional sandbox and malicious samples

Automatic analysis of professional sandbox and malicious samples

[read the original]