ABBREVIATIONS
VBOX  VirtualBox
OS    Operating System
SIDT  Store Interrupt Descriptor Table

CHAPTER 1 INTRODUCTION

Malware is malicious software intended to harm a system's data and devices. It can enter a system from many different sources, and it does so without the user's authorization. Malware includes computer viruses, Trojan horses, worms, ransomware and spyware. These programs have harmful intentions such as encrypting sensitive data, monitoring the user's activities and taking control of the system. Malware writers realized that virtualization or emulation is used to examine malware, so they started to obfuscate their executables with anti-VM techniques. Obfuscation is the process of hardening the code.
Nowadays, malware authors send programs to target machines, and these programs are checked in an analysis environment. The malware authors therefore write the malware in such a way that its code detects the analysis environment. If the malware finds that it is running in an analysis environment, it does not execute its malicious behaviour. There are different methods of detecting a virtual machine. Anti-VM techniques mostly target common virtual machine products such as VMware, VirtualBox and VirtualPC. Malware can also be analysed in emulators, which are simulated environments; it is difficult for malware to detect an emulator. Virtual machines are easier for malware to detect, so we are providing an environment that allows malware to execute its behaviour on a VM.

CHAPTER 2 MALWARE ANALYSIS

2.1 Static Analysis

In static analysis, the binary file is examined without executing it. The analysis starts with identifying the malware in the same way anti-virus techniques do, i.e. finding a match with already known malware. The next step is file analysis, which includes investigation of the file format and contents [1]. This method uses the following checks:
1) Unpacking the file: Packing methods are used to obfuscate malware. A packed file needs to be unpacked, and obtaining the pure executable code is difficult.
2) Disassembly: It is used to investigate the machine code of the executable file, but it may not reveal all of the malware's malicious behaviour.
Static analysis is not effective for complex malware and may not identify all malicious behaviour.

2.2 Dynamic Analysis

Dynamic analysis involves executing the malware to examine its behaviour. It monitors the following behaviours [1]:
1) Memory: Malware can gain access to any location and can overflow buffers. To determine whether the malware is using memory, the device memory needs to be fetched.
2) Registry/configuration changes: Malware can change registry values to gain long-term access to the system.
3) File activities: Malware can modify, add and delete files, so file activities need to be monitored to reveal the malware's behaviour.
4) Services/Processes: To gain persistent access to the system, malware can disable the antivirus running on it. It can then fulfil its harmful intentions, illegally install services, and switch to other processes to prevent its analysis.
5) Network connections: To detect the malware's existence, it is necessary to monitor network connections. The receivers' IP addresses, port numbers and protocols are needed to detect the malware's interaction with its command-and-control server.

CHAPTER 3 SECURITY THREATS TO VIRTUAL SYSTEMS: EVADING ANALYSIS

There is a lot of code available on the internet that helps malware detect the most common virtual machines. If a virtual environment is detected, the malware can take action accordingly, i.e. it can stop its execution or exit. By hiding its behaviour it gives the malware analyst a false belief, so the analyst will classify it as a benign application, which is false in reality [2].

Since 2012, the Symantec data security centre [2] randomly selected 200,000 customer submissions and executed them on both virtual and host machines. On comparing the results, some samples had to be excluded due to unrelated crashes. Over the previous two years, the percentage of malware that detects VMware was 18 percent, with an increase at the start of 2014 when it reached 28 percent. On average, one out of five malware samples detects virtual machines and stops its execution.

Techniques for checking the presence of a virtual environment [2]:
1. Hardware fingerprinting
2. Checking the registry
3. Checking processes and files
4. Checking memory
5. Analysing timings
6. Checking the communication channel
7. Invalid instruction check
Among these detection techniques, only the invalid instruction check is specific to Microsoft's VirtualPC.
CHAPTER 4 LITERATURE SURVEY

4.1 The work by Carpenter

Carpenter (Carpenter, 2007) [9] stated two mitigation techniques. They tricked the malware using the following methods:
1. Changing the .vmx files present on the host machine.
2. Breaking guest-host communication by altering magic values.
Drawbacks: Just to avoid revealing the VM's presence, configuration options are changed; this will not only break guest-host communication but will also affect other programs. The authors claim that these are undocumented features and that they are not aware of any side effects.

4.2 The work by Guizani

The work by Guizani (Guizani, 2009) [10] provides a solution for server-side dynamic code analysis. They aim to trick evasive malware that uses memory detection and VM communication channel detection techniques.

4.3 PIN API provided by Pin tool

Using the PIN API provided by the Pin tool [5][11], one can get all the arguments, instructions and return values. Steps followed for masking:
1. Get the binary's calls.
2. Check whether a match is found in an existing list of calls, e.g. RegEnumValueA, LoadLibraryA.
3. Provide false values if VM-specific values are read (matched from the known list). E.g. the Pin tool gets the return value "VirtualBox (VBOX)" read from the registry and modifies it at runtime. The modified value is what the registry read function returns, so the binary does not find a match in the manipulated value it receives.
This supports 32- and 64-bit operating systems and 32- and 64-bit applications.

Figure 4.1: Masking Detection of VM [11]

CHAPTER 5 VME DETECTION TECHNIQUES TOOLS

5.1 Pafish Tool

Pafish is a demonstration tool that implements several techniques to detect sandboxes and analysis environments in the same way that malware families do [3]. Detecting VMware using the Pafish tool [3]:
1) vmware_reg_key2: This function works the same way as the VirtualBox detection. It compares the SCSI hard drive identifier with the string "VMWARE"; if this string is found inside the identifier, it detects the presence of a virtual machine. This function also checks for the existence of "VMWare registry tools".
2) vmware_sysfile1: This function checks whether the mouse driver vmmouse.sys exists in the drivers directory, which is the case when the operating system is running under VMware.
3) vmware_sysfile2: This function checks for the existence of the shared folders driver in the drivers directory, which exists when running inside VMware.

5.2 VmDetect Tool

This tool detects two well-known machine virtualization products:
1) Microsoft's Virtual PC (formerly from Connectix).
2) VMware from VMware.com.
Algorithm [4]:

Figure 5.1: Algorithm used by VmDetect
Figure 5.2: Pafish tool demo
Figure 5.3: VmDetect tool

CHAPTER 6 HIDING VIRTUAL ENVIRONMENT PRESENCE FROM MALWARE

6.1 Considering different hypervisors

A hypervisor is software that allows creating virtual machines. These are the most common hypervisors; each has a different setup and architectural differences [8]:
1) VMware Workstation Pro: A hypervisor that runs on a Windows operating system.
2) VMware Workstation Player: A lightweight version of Pro. It does not support snapshots, which is a drawback for malware analysis.
3) KVM: Runs on Linux. It has a plugin that allows running more VMs by using memory de-duplication. Most malware relies on the presence of VirtualBox- or VMware-specific artefacts and does not care much about detecting other hypervisors.
4) ESXi: It is not a hypervisor that you install on your operating system; the hypervisor is the operating system. Because the operating system is built around the hypervisor, overhead is reduced, as there is no need for any code other than that required to run the hypervisor.
5) VirtualPC: Connectix created Virtual PC for use with the Windows operating system.
6) VirtualBox: Allows you to spoof the hardware your VM runs on, preventing malware from noticing that it is in a VM by probing the virtual/physical hardware or firmware version; it is free and easy to set up. It has most of the features of paid hypervisors.
Table 6.1: VirtualBox detection techniques [11]

6.2 Anti-Virtual Machine Techniques and countering these techniques

The techniques are [16]:

Hardware fingerprinting
It looks for special virtualized hardware patterns unique to VMs, for example the MAC address of the network interface card, the BIOS, specific hardware controllers and the graphics card. To determine whether a particular Windows operating system is installed on a physical machine or a virtual machine, the Windows Management Instrumentation Command-line (WMIC) is used on Windows versions that support PowerShell. It can find whether Windows is installed in a virtual machine under Hyper-V, VMware or Xen:
- For a VM running on Hyper-V, the string VERSION is included in the version parameter.
- For a VM running on VMware, the string VMware is included in the serialnumber parameter.
- For a VM running on Xen, the string Xen is included in the version parameter.
Countering hardware fingerprinting: Provide false information to the sample/application trying to obtain it. Whenever any system call matches the monitored, predefined list of API calls, provide dummy values.

Registry check
The registry is a hierarchical database that stores system configuration information for applications in the operating system (OS). It is centralized and used for access to this database. Using the registry editor, an administrator can edit registry entries. Example: "VMware, VMware Virtual S1.0" (VMware, Inc.), "VMware SCSI Controller".
Countering registry check: Replace the string with a value that would have been returned on a non-virtual system running the same OS.

Memory check
This technique involves looking at the values of specific memory locations after the execution of instructions such as store interrupt descriptor table (SIDT), store local descriptor table, store global descriptor table or store task register. Systems such as VMware create specific registers for each VM.
These registers have a different address than the one used by the host system, and by checking the value at this address the existence of a virtual system can be detected.

Table 6.2: Memory Check

Countering memory check: Whenever the malware sample tries to request any of the above registers, log the activity and provide false information.

VMware communication channel check
Ken Kato found the presence of a host-guest communication channel in VMware called the backdoor I/O port. I/O port 0x5658 ("VX" in ASCII) is used by VMware to communicate with the host machine. The Intel x86 architecture provides two instructions, IN and OUT, that allow carrying out I/O operations. These are privileged instructions and cannot be used in user mode unless the necessary privileges are enabled; otherwise they cause an exception of the type EXCEPTION_PRIV_INSTRUCTION. When VMware is not present, the exception occurs and VMware's presence is ruled out.
Countering VMware communication channel check: As the IN instruction is monitored at this stage, the magic number value "VMXh" needs to be changed to another value. Whenever the malware sample tries to query using the IN instruction, the EXCEPTION_PRIV_INSTRUCTION exception that is usually generated on a real machine will be thrown.

File and process check
Many VMware-specific processes run continuously in the background. There also exist some VMware-specific files and folders, so checking the file system and the process list can detect VMware. For example, when VMware Tools are installed, three VMware processes (VMwareService.exe, VMwareTray.exe and VMwareUser.exe) run in the background by default. Malware can detect these processes by searching the process list for the VMware string.
Countering file and process check: If the sample under test requests VMware-specific files or processes, the tool returns a "File/Process not found" error.

Timing analysis
Occurrences of this check are very few compared to the other checks.
It considers the Time Stamp Counter value; a VM can be detected using the time difference. VM detection through timing analysis executes a single instruction or a couple of instructions a large number of times, since certain instructions, when run many times, take considerably more time on a VM than on the host machine.

Table 6.3: Anti-Virtual Machine Techniques and countering these techniques [5]

CHAPTER 7 SUMMARY

Evasive malware attacks are on a gradual rise. There is a lack of academic research in this field, and no full-fledged tool exists to counter evasive malware attacks. Hence there is a need to defeat these attacks with proper measures. We are designing a Virtual Runtime Environment that will hide the presence of the virtual machine from malware. Our focus is to incorporate all possible measures to hide the presence of the virtual machine environment from malware. This will include the ability to work for all possible virtual machines and operating systems, considering their machine architecture.
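The masking steps of section 4.3 and the registry and file/process countermeasures of section 6.2, modelled as an added example that is not code from this thesis or from the Pin tool: a standalone C routine that an API hook would call on the data an API is about to return to the sample. The Windows API names are used only as labels for the hook points; the rule table, the benign identifier strings and the mask_return function are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum { MASK_NONE = 0, MASK_REPLACED = 1, MASK_NOT_FOUND = 2 };
/* One rule of the monitored-API list (section 4.3, step 2): API to watch, VM
 * marker to look for in its result, and what a physical machine would return.
 * A NULL replacement means "fail with File/Process not found" (section 6.2). */
typedef struct { const char *api, *marker, *benign; } MaskRule;

/* Constructed table: markers are strings named in the text; the benign
 * values are invented physical-hardware identifiers (assumption). */
static const MaskRule RULES[] = {
    { "RegQueryValueExA",   "VMware",      "Samsung SSD 860 EVO 500GB" },
    { "RegQueryValueExA",   "VBOX",        "Samsung SSD 860 EVO 500GB" },
    { "GetFileAttributesA", "vmmouse.sys", NULL },
    { "Process32NextW",     "VMware",      NULL },
};
#define NRULES (sizeof RULES / sizeof RULES[0])

/* Case-insensitive substring test; strcasestr is not part of ISO C. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return n == 0;
}

/* Section 4.3, step 3: inspect the value `api` is about to return in the
 * sample's buffer (buf, capacity cap), log the hit, and overwrite it with the
 * benign value, truncated so a longer replacement never overflows that buffer. */
int mask_return(const char *api, char *buf, size_t cap, FILE *log)
{
    for (size_t r = 0; r < NRULES; r++) {
        if (strcmp(api, RULES[r].api) != 0 || !contains_ci(buf, RULES[r].marker))
            continue;
        if (log) fprintf(log, "masked %s: \"%s\"\n", api, buf);
        if (RULES[r].benign == NULL)
            return MASK_NOT_FOUND;   /* hook reports ERROR_FILE_NOT_FOUND */
        snprintf(buf, cap, "%s", RULES[r].benign);
        return MASK_REPLACED;
    }
    return MASK_NONE;
}
```

The hook passes the sample's own output buffer and its capacity, so the benign string is cut to fit rather than written past the end, and a MASK_NOT_FOUND result tells the hook to fail the call the way a physical machine would.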