Anti-Honeypot – Repelling Attackers Using Fake Indicators


When you, your co-worker or progenitors member are infected with the latest ransomware, it is the “successful” end of a multi-party complex speculation. Cybercrime nowadays is not a single genius guy sitting in his parents’ garage – it’s an starch. It has the equivalents of CEO, CFO, COO, and CTO.As an example, you may think about a ransomware campaign, the attacker necessities to:Create and test the ransomwareBuy and set up anonymous C2 web serversPurchase or develop a way to classify itRecruit and orchestrate money mules to cash out the paid ransomIt has ripen into easier and easier to write malware, and as a result, more and more societies are fighting to increase their “market share.” Being a leading cybergang is not a roam in the park; it requires bad guys to optimize their malicious campaigns. One of the most public methods to maximize the effectiveness of a malware campaign is to avoid specific “jeopardy likely to be zones” where the malware can be detected, analyzed and quickly signed.This situate will explain how bad guys implement this approach and how it can be used against them, lambasting their own paranoia to prevent malware infection.Malware Paranoia 101There are innumerable conventional defenses that should protect us from the “products” of cybercrime ambitions – firewalls, AVs and others. Those are not bad in handling most of the threats most of the culture, yet attackers need to find only a single hole – and it is a doable lecture if they do their homework.So, what can be done in response? I believe in fusing traditional and innovative solutions hand-in-hand with the aforementioned ones. And by innovative, I do not sorry more of the same “new technologies” that still have the same question majors with attackers adapting to their signatures (or classifiers…).What I into to be a true paradigm shift is vaccination. I define it as creating indicators that justification malware to avoid specific endpoints due to its hard-coded logic, as opposed to when there is a man behind the malware. (Due disclosure: I am do callisthenics for a company implementing a commercial vaccination product).I identify five unlike “fear classes” of malware that can be used against it to vaccinate an endpoint:Self-governing analysis environments – e.g. sandboxesMalware analysts – debugging, decompiling and snuffling itSecurity products – malware creators check prior to the attack how they act against AVs. If they evade 95 percent of them, they compel simply terminate if the remaining 5 percent are detected before deploying the electric cable payload.Themselves – most malware won’t infect the same machine twice. Reflect on the unwanted scenario where ransomware has two running instances, for example.Quarry audience – sometimes malware will simply avoid or on the contrary core specific “target audience.” For example, the original Petya ransomware won’t infect endpoints if you pull someones leg a Cyrillic keyboard or Russian IP.In all those cases, the methodologies used to sense an unwanted or even hostile environment are quite the same. The malware carry ons tests searching after hints of a VM that is often used for both robot and manual malware analysis, direct indicators of analysis tools, or any other quantity it wishes to avoid.I classify the footprints that may be searched into three companies:Static artifacts – files, folders and registry keysvalues, hostname, e.g. the chronologize C:WidnowsSystem32VBoxMRXNP.dll, associated with Oracle’s VirtualBox VM infrastructureForceful artifacts – running processes, opened windows, mutexes, logged in owner, e.g. the process wireshark.exeLow-level indicators – abusing x86 instructions, race health circumstances, and special locations of artifacts in the memory when running a VM. Joanna Rutkowska’s Red Bore is the best example for such technique.From my experience, the first species of tests is the best for attackers to use. It is robust, time insensitive, and offers varied artifacts to search. The other approaches might result in false positives or forged negatives quite often. Some even considered as malicious behavior command cause the detection of the malware. Fortunately, creating static indicators of VM, sandbox and forensic review tools is also the easiest for the defenders.DIY VaccinationEmulating a VM for low-level x86 manoeuvres is complex, but it is an overkill. Most malware will perform lengthy shopping list of tests and will avoid the more suspicious ones anyway. One may generate the impression that VM indicators are present on an endpoint simply by creating some files or rename cmd.exe and run a dozen of those events renamed as “wireshark.exe.”When a malware tests if indicators for a hostile conditions are present, it will find the fake files, folders and other artifacts made by the defender and terminate. I have written and released an open source ornament which performs this, freely available here: covers a collection of static and dynamic indicators that were proved as natural life-savers in the fight against malware. Creating these artifacts can hamper a wide range of threats – not only ransomware but also exploit apparatus, RATs, banking Trojans, and other malware types.Money, In unison a all the same and Types of ActorsAs discussed above, creating cleverly crafted indicators dissuades cyber crooks but is it effective against other types of actors? Is it remarkable against state-sponsored adversaries, as well? And against your friendly-neighborhood-script-kiddie?There is no separate answer to this question. Instead, we should ask ourselves about the motivations and skill-set of an attacker.In the specimen of well-funded state-sponsored actor, unlike cybercriminals, money and profit are no longer an pour. However, other factors may influence their decision making – attacking vaccination effective against them, as well:Time – a resource that uniform money can’t buy. State-sponsored APT requires considerable time to properly develop, check up on and deploy. If it will be quickly detected and analyzed, its creators won’t be able to gather together intelligence from their target or to develop their next creation of malware.Foreign affairs – the DNC hack is a good example for a case where unbiased a superpower tried to deny any link to a cyber-attack for political reasons. To this day, Russia diverge froms any link to the Cozy and Fancy Bear APT campaign, preventing major deterioration in the already frail relations with the United States.This is the case for clever APTs but what in the air another type of actor who is not limited by money, time and foreign concerns? Script kiddies. Entry-level attackers do not care about money, beforehand, or international relations, making vaccination un-effective against them.Notwithstanding, here comes the approach of combining multiple types of defenses useful. Basic malware that lacks evasive properties is exactly where AVs surpass, leaving our endpoint safe from any harm – sophisticated or not. Gal Bitensky

Gal Bitensky

About the Maker: Gal Bitensky is a 29-year-old geek from Tel-Aviv and breaker of stuff. Currently developing as a senior malware psychologist in the Israeli start-up Minerva Labs, he is professional in various fields, ranging from web application security and Windows internals to SCADA. Eloquent in exotic languages like PHP, LISP and Arabic, Gal is an advocate of simple and clobber solutions. You can follow him on Twitter and LinkedIn.Editor’s Note: The opinions expressed in this visitor author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Leave a Reply

Your email address will not be published. Required fields are marked *