Last week, Guy wrote a nice diary to explain how to easily deploy IRMA to analyze suspicious files. Having a good tool to work on files locally is always interesting for multiple reasons. You are doing some independent research, you don't always have a safe Internet connectivity or you simply don't want to generate some traffic that could ring a bell at the attacker's side. By "safe" connectivity, I mean a "dirty Internet" connectivity (like a DSL residential line) to bypass the corporate infrastructure. Locally running tools are also a nice way to prevent files to be sent to cloud services. This applies not only to bad guys but also to pentesters who are preparing their attacks and generate targeted samples (think about the Veil framework)
If tools like IRMA or Cuckoo are good tools, they must be adapted and tuned to your own environment because running them out of the box will not produce the best results. Nothing against free tools, the same problem affects commercial products. They are delivered with standard sandboxes mimicking classic setup (WinXP, Win7, ...) but each organization has its own "image" to deploy workstations with, sometimes, very tricky configurations.
For a while, malware developers know that their software will be analyzed and tortured by such tools. To prevent this, they are trying to detect as soon as possible in which environment they are running. The key question is: Is the malware executed on a real victim's computer or in a sandbox? If the malware detects to be running in a sandbox, its behavior will change. Some will simply terminate themselves, others could have be "funny" and mimick another malware! Attackers and defenders are playing a continuous cat and mouse game to improve the evasion for the first and the detection for the second.
From an defender's perspective, it is critical to harden your sandbox. Basic tests are performed by pieces of malware like:
But they are also plenty (but very effective) things that can be tested/probed!
First of all, about the user's behavior:
Classic desktops look more like this and contain plenty of shortcuts:
If you need to deploy a sandbox, the best way is to base it on a real user workstation and update it with user behavior facts. If you're looking for a sandbox system, check if they can be customized! To conclude, here is an interesting Python tool which will test most of the points listed above: Sandbox_tester. Happy malware analysis!
Dec 16th 2015
3 years ago