Mister Charles: Using Malware Authors' Paranoia Against Them
In Christopher Nolan’s 2010 masterpiece movie Inception, the main characters are attempting to implant an idea in their target by entering his subconscious while he’s dreaming. Little do they know that his subconscious has been trained to resist people entering his subconscious and the main characters’ master plan is ruined. Not to be easily dissuaded, they need to adapt to the target’s subconscious defenses, which are manifested in the form of armed bodyguards. The crew uses a risky gambit dubbed the “Mister Charles” which involves telling the target that he is dreaming and that his armed bodyguards are actually the enemy. That way the crew uses the target’s paranoia to actively help the crew in destroying the subconscious defenses. [Spoiler alert] The plan ultimately works and the crew is successful in turning the target’s subconscious against its own defenses.
This story arc will make a lot more sense if you have seen the movie Inception, but my hope is to illustrate the connection to malware authors and how to protect users and systems from them by exploiting their paranoia.
The arms race between malware authors and security researchers and vendors has been going on for as long as there have been malware authors and security researchers. When sandboxing technology first became available, it was heralded as a key turning point (or escalation) in the arms race. A sandbox was a safe computing environment in which to run an unknown file and observe whether it made benign or malicious changes to the system, in order to determine whether the file was benign or malicious. Instead of relying only on static analysis and reverse engineering, it was now possible to perform dynamic analysis with real-world operating systems and applications.
Malware authors responded in kind and modified their delivery mechanisms to determine if they are being analyzed in a sandbox and to not execute their malicious payload if a sandbox environment is detected.
Some popular sandbox evasion techniques include:
- Checking for the presence of analysis tools
- Checking for the presence of virtual machine artifacts (VMware tools, XenTools, etc.)
- Checking for the presence of USB 3.0 drivers
- Checking for the presence of 3D hardware acceleration video drivers
- Checking for the presence of at least 10 recently opened Microsoft Office documents
- Waiting for X number of reboots before executing
- Monitoring end-user behavior and waiting for an event like clicking into empty white space in a document
Sandbox vendors responded by designing countermeasures to the malware sandbox evasion techniques such as hiding or removing analysis tools, replicating end-user behavior, and building virtual machine images with recently accessed Microsoft Office Documents.
A clever way of exploiting malware authors’ paranoia is by creating a “Sheep in Wolf’s clothing.” This technique exploits some of the sandbox detection mechanisms in advanced malware by installing analysis tools or virtual machine artifacts onto standard users’ machines. For example, the analysis tool Sandboxie installs a file called “SbieDll.dll”, and advanced malware is trained to search for the presence of this file. Making the malware believe that it is in a sandbox will cause the malicious payload to not run, for fear of being in a sandbox and being detected/analyzed. Installing a file called “SbieDll.dll” in the appropriate location effectively inoculates any system against malware that checks for the presence of this file.
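As an added illustration (not code from the original post), the following Python script plants an inert decoy named after the Sandboxie artifact the post mentions and then runs the same file-presence check the post attributes to evasive malware, so a deployer can confirm the decoy would be seen. The target directory and the decoy marker contents are assumptions for this example; the script never overwrites an existing file, so a machine that really has Sandboxie installed is left untouched.

```python
"""Decoy sandbox artifacts ("sheep in wolf's clothing").

Added example, not the post's own tooling. Plants inert marker files whose
names evasive malware looks for when deciding whether it is inside an
analysis sandbox, then audits them with the same presence check.
"""
from pathlib import Path
import tempfile

# Constructed marker contents: plainly not a loadable library, so a human or
# an audit can tell a decoy apart from the genuine Sandboxie DLL.
MARKER = b"DECOY: sandbox-artifact inoculation marker, not a real library\n"

# SbieDll.dll is the Sandboxie artifact named in the post. The target
# directory is an assumption; a real deployment uses the path the tool
# installs to.
DEFAULT_DECOYS = ("SbieDll.dll",)


def plant_decoys(root, names=DEFAULT_DECOYS):
    """Create each decoy under root without clobbering real files.

    Returns {name: "created" | "already-decoy" | "real-file-kept"}.
    """
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    result = {}
    for name in names:
        target = root / name
        if not target.exists():
            target.write_bytes(MARKER)
            result[name] = "created"
        elif target.read_bytes() == MARKER:
            result[name] = "already-decoy"
        else:
            result[name] = "real-file-kept"  # genuine tool present; leave it
    return result


def sandbox_artifacts_present(root, names=DEFAULT_DECOYS):
    """The file-presence check the post describes: which names exist."""
    root = Path(root)
    return [name for name in names if (root / name).exists()]


def demo():
    """Run plant + verify in a throwaway directory; returns the two results."""
    with tempfile.TemporaryDirectory() as tmp:
        before = sandbox_artifacts_present(tmp)
        planted = plant_decoys(tmp)
        after = sandbox_artifacts_present(tmp)
        again = plant_decoys(tmp)
        Path(tmp, "real.dll").write_bytes(b"MZ")  # constructed stand-in
        kept = plant_decoys(tmp, ("real.dll",))
    return before, planted, after, again, kept


if __name__ == "__main__":
    print(demo())
```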
This clever technique will have a limited shelf life, as malware authors develop new and innovative attack methods, but for now it provides an additional line of defense for systems not already protected by a sandbox. When selecting a sandbox vendor, it is important to ensure it is up to date on the latest evasion techniques and employs countermeasures to catch the sneakiest new threats.