Curious Fish is Curious

Curious Fish is Curious

Testing virtualized malware sandboxes with Paranoid Fish wasn’t enough, there might be other things that could be improved to avoid malware detection. Enter Curious Fish, a tool to help fingerprinting sandboxes.

 See Emotional Fishes are Emotional for an update on Cufish source code repository and project.

These types of environments need to be stealth, being able to avoid detection by malware is a must because it will spare the researcher or incident responder precious time in the analysis of the incident. Marking a fingerprinting behaviour as malicious is useful, but prone to some false positives and in the end, when you have hundreds (to thousands) of incidents to deal with, you’ll want a system that is able to run the samples to the full of their functionality so that you don’t have to. Curious Fish (Cufish) aims to help with that, providing information about the execution environment that could be used to pre-emptively improve the sandbox and avoid detection by malware. Cufish leverage Windows Management Instrumentation (WMI) to obtain information about:

  • Operating System
  • Processor
  • BIOS
  • Hardware devices
  • Partitions
  • Environment variables
  • Network connections and interfaces
  • Peripherals
  • Software

There were two challenges, the first, was that MinGW doesn’t play well with OLE and C++, after various attempts, the solution was to drop C++ and develop the WMI client code in pure C. The second challenge was related with how the information generated by Cufish would be exposed to the user as all the tested sandbox products (commercial or free) don’t allow for files created by the sample to be downloaded.

The solution was to open a UDP socket (doesn't require a server listening on the other end), pointing to a local network IP address that is (most likely) different from any IP address that the sandboxes use (forcing the traffic to exit the virtual machine). This will suffice, because many of the sandboxes allow for packet dumps to be downloaded. In the ones that don't, the only option is to check the output of the dependency walker.

Curious Fish packet capture
Curious Fish network packet capture in Wireshark.

After executing Cufish in various systems, follows a summary of some common tell-tale signs (compared against a physical machine to avoid false positives).

Sign Sandbox Based on
Virtual Machine Bus Driver No No Yes
CPU/Chipsets miss match No No Yes
References to Virtualization Model Yes Yes No
OEM Yes Yes No
BIOS Yes Yes No
Hardware Yes Yes No

 The row "references to virtualization" means that in that specific entity, at least one field describing it contains a reference to the word "virtual" or the name of the virtualization technology itself.
 Checking the running services is necessary to ensure that a specific driver is in use.
 CPU/Chipset miss match don't always occur, it will depend on the hardware selected for the virtual machine.
 The physical host and all machines are running Windows 7 SP1 (32 and 64 bits).

There is still a lot of information (specially on the hardware/drivers side like device identifiers and such) that needs to be spoofed/hidden in order to improve stealthiness. All of them are easy to do so, since they will be accessed using the Windows registry or by calling API’s.

The code can be found in this pull request or in this branch.

 FireEye does a very good job at randomizing an awful amount of information (dates, serial numbers, organization, etc.) but it doesn't randomize the system host name and the first three octets of the MAC address. It's better to randomize those before the "bad guys" figure what values they should look for :D
 Hyper-V was also tested but wasn't included in the conclusions since there are too many signs that a sample can look for and it isn't used that much for malware analysis.