Using High-Resolution Dynamic Analysis for BHO Trigger Detection

Looking at how malware analysis engines evolved over the last decade, the trend is quite obvious: Dynamic analysis systems are replacing purely static ones or at least combine elements from both approaches. While the advantages of dynamic analysis are convincing – resilience against code obfuscation or encryption – attackers have various techniques at hand to complicate dynamic analysis and possibly evade these systems.

Lastline’s answer to these attacks is what we call High-Resolution Dynamic Analysis. In a series of upcoming blog posts, we want to look at how our high-resolution sandbox tackles evasive code present in most of today’s Advanced Persistent Threats (APTs). These attacks range from environment-fingerprinting, to sandbox evasion, to behavior triggers.

High Resolution Dynamic Analysis

Lastline Analyst – our analysis product allowing forensic and audit teams to analyze zero-day exploits, advanced persistent threats and malware as well as the analysis backend for Lastline Enterprise – has one key-discriminating feature that distinguishes it from traditional analysis sandboxes: The analysis engine is built on top of a CPU emulator, which allows the engine to see every instruction executed by a malware program under analysis.

Traditional dynamic analysis engines only monitor interactions between an analysis subject and the operating system (through native system- or API-function calls) or communication between processes running inside the analysis environment. This is a practical approach for monitoring the behavior of the analysis subject, but suffers from crucial blind spots that an attacker can use to either detect or even entirely evade an analysis system.

Lastline’s engine, available in both Lastline Analyst and Lastline Enterprise, closes this blind spot by combining traditional API call monitoring and CPU emulation to find malicious behavior that does not rely on explicit interactions with the operating system. In addition Lastline is able to deal with the sophisticated evasion attempts that are common in today’s APTs.

Analysis of Evasive Malware

Lastline contains a reporting feature that provides security analysts and network administrators with a fast overview of the analyzed malware’s behavior. This gives a summary of the analysis without having to read dozens of pages of analysis logs and having to understand the meaning of various OS internals such as the Microsoft Windows Registry or Android Service Intents.

In a follow-up blog post, we will show more details about the Activity Summary, for now just consider the following example:

Without having to dig deeply into the report details, the Activity Summary gives the user a fast classification into high-level classes, such as benign or malicious, as well as an overview of the behavior exhibited during the analysis. Additionally, it highlights the key points that experienced researchers should focus on, when drilling further into the detailed analysis results.

For the rest of this blog-post, and as an outlook into a series of follow-up posts, we want to focus on a subset of the events in the above summary concerning evasive malware:

These entries highlight a combination of two behaviors found in many of today’s advanced threats: Evasive behavior, i.e., revealing certain actions only in specific circumstances (e.g., the presence or absence of certain programs, such as analysis tools or AV products), as well as stealing a user’s confidential data (such as banking or gaming credentials).

Trigger-Based Dynamic Analysis

Combining environment checks with specific behavior is a major concern for traditional analysis sandboxes based on API-logging alone, as explained earlier. To make things more concrete, let us look at an example:

One common technique used by today’s malware to steal a user’s confidential data is to inject code into the user’s web-browser (such as Internet Explorer, Firefox, or Google’s Chrome Browser). This attack, usually called Man-In-The-Browser, allows the malware to get notifications about the user’s browsing activity without having to worry about secure connections through SSL or other security features (such as 2-factor authentication used by many web services). All the attacker has to do is manipulate the website’s Document Object Model (DOM) and register callbacks on interesting events, such as submissions of forms or loading of specific pages within a web service. By registering event listeners inside the DOM, the browser will notify the attacker’s code of data retrieved from or sent to specific URLs or web services.

An example for this kind of attack are Browser Helper Object (BHO) plugins that the popular botnet Alureon is injecting in Microsoft’s Internet Explorer: These BHOs monitor the URLs that a user browser visits and inject a number of JavaScript functions into the DOM as soon as an interesting URL is found. In the case of Alureon, interesting URLs are a set of (mostly Korean) banking and gaming websites, targeting individuals and companies alike.

Traditional sandboxes are mostly unable to detect this specific behavior, as their API monitoring techniques are unable to detect the URLs that trigger the injection events in the DOM. Lastline’s CPU emulation technique, on the other hand, can see how the malware’s browser plugin checks for URLs triggering certain behavior, and, as a consequence, can direct the browser to specific URLs for revealing additional behavior otherwise not extracted.

When analyzing a set of BHOs dropped by recent Alureon samples [1], the analysis engine is able to detect and extract the trigger component (checking for the URLs that trigger a certain behavior) as well as the stealing component that injects the event listener functions into the DOM. This happens fully automatically during analysis and is summarized in the analysis report overview and report details.

At the time of analysis, these URLs included online-banking and gaming sites alike, such as:

• bank.cu.co.kr

• banking.nonghyup.com

• banking.nonghyup.com/common/pbarpagecontroller.jsp?surl=/bank/ar/pbari0101.jsp

• epostbank.go.kr

• ibk.co.kr

• lcs.mezzo.hangame.com

• shinhan.com

• wooribank.com

• www.nexon.com/login/login.aspx

Additionally, the engine extracts the JavaScript code that is injected when these URLs are visited.

_{JavaScript event listeners injected into the DOM}

The listeners that Alureon registers hook DOM events to extract user data (such as usernames and passwords), temporarily storing them in a cookie named IEPROXY. Later, this data is extracted from the cookie and sent to the attacker. Additionally, the BHO hides specific DOM elements.

Clearly, without Lastline’s high-resolution analysis engine, a sandbox would neither detect the triggers (visiting a URL in this case) or be able to extract the JavaScript code, as it is only injected when one of the triggers hits.

I invite you to register for Lastline Analyst and gain the ability to analyze up to 25 files per day for free. There is no hardware installation needed to try it out.

You can can also request a 30-day evaluation for Lastline Enterprise and gain the ability to analyze files from your network.

[1] Links to VT concerning a few samples:

• MD5 17c04f953f25448055b4260262248a65
  SHA1 2037b14ee16c2d7d1e6ee3e1f471c98fc37f9967
  SHA256 73c6ef8a21c81d4496768723b6b045b4a8d16dd43cb3d415025268b65fb287ea
  https://www.virustotal.com/en/file/73c6ef8a21c81d4496768723b6b045b4a8d16dd43cb3d415025268b65fb287ea/analysis/

• MD5 bcfc7a9e963efabdf70a2b5911a4030e
  SHA1 b55f4cb53f21e394290a8332eb223c9d4038cd00
  SHA256 4da38ba0d708c6fbf0c9b473cfae52400bdc5f7c39a3105ae161a7c1859f731d
  https://www.virustotal.com/en/file/4da38ba0d708c6fbf0c9b473cfae52400bdc5f7c39a3105ae161a7c1859f731d/analysis/

• MD5 5ceb72b29e61cf26d2b3b4d97320dfb4
  SHA1 8c42657fee4e8244eb96f031164b15995f33a910
  SHA256 b6f9993e45978c958d0dfcda5e14ada347c800efb4fc337426c7c6505d5a270f
  https://www.virustotal.com/en/file/b6f9993e45978c958d0dfcda5e14ada347c800efb4fc337426c7c6505d5a270f/analysis/

• MD5 dcfba6aba9a557e84221e0d34ffb655c
  SHA1 9caef91aed1f207482aa4da9c3a59e998fdfcb17
  SHA256 b26d4ab40cbbb7c94521a672ec689a01662930f8422c032e374a09b7944f0ad5
  https://www.virustotal.com/en/file/b26d4ab40cbbb7c94521a672ec689a01662930f8422c032e374a09b7944f0ad5/analysis/

• About
• Latest Posts

Clemens Kolbitsch

Clemens is a Security Researcher and engine developer at Lastline. As a lead-developer of Anubis, he has gained profound expertise in analyzing current, malicious code found in the wild. He has observed various trends in the malware community and successfully published peer-reviewed research papers. In the past, he also investigated offensive technologies presenting results at conferences such as BlackHat.

Latest posts by Clemens Kolbitsch (see all)

• Ransomware: Too Overt to Hide [Part 2] - April 13, 2017
• Party like it’s 1999: Comeback of VBA Malware Downloaders [Part 3] - November 10, 2016
• Lifting the Seams of the Shifu “Patchwork” Malware - September 4, 2015