Sandboxing to protect against malware & fake artefacts to stop threats

I was researching some new blogs to write (time is limited these days, with some serious projects taking all of it), and one article from McAfee stood out. I have been focusing more on security lately, as I think that next to real monitoring, security is another area that is dealt with wrongly or inadequately in current environments. Ransomware is a threat that is more advanced than previous threats, and we need to find ways to stop the attack in an early phase. The McAfee article describes an interesting way of preventing infection, and I thought it would be worth writing a bit about their idea. With this you get one more asset in your arsenal. Let's dive in a bit deeper.

What is ransomware?

First a little backtrack. I wrote some blog posts about this before, and before continuing I think it is good to give a little background on what we define as ransomware. The articles I wrote before are found right here.

So let's recap, as I'm sure you are as busy as I am, so that you get a quick idea.

Ransomware is the next-generation threat, with a more destructive result. Viruses left destruction behind, corrupted files, wiped disks and other mayhem, but with the right backup not much harm was done. Of course some home computers got seriously infected, but still, a good backup and a Windows CD and you were good to go. Virus scanners and threat protection got more advanced, UEM solutions brought protection for desktops, and I think it is fair to say virus threats were contained. In virtual environments we work more and more with stateless desktops, so any infection that intends to execute at the next boot is killed cold turkey because the desktop is destroyed at logout. This is also a really good reason to make sure users do log out and don't stay connected for weeks.

...but things got more serious, and from viruses we grew into more malicious threats. Ransomware and the other threats we see these days are more advanced and do more damage. The problem with ransomware, and why it is so dangerous, is that it does not delete files or wipe disks but hijacks your files. Viruses were less harmful because they intended to destroy something locally (yes, in the current light that counts as less harmful). Ransomware on the other hand does nothing locally other than making sure you can't access your data anymore. It is out to make you pay money to get your data access back.

That doesn't mean ransomware is not a file or is not executing on your computer. Anything that is causing issues right now, viruses or ransomware-like threats, is a program being executed, and in practically all cases it hits your disk at some point (fully in-memory "fileless" malware does exist, but it is still the exception rather than the rule). A lot of infections these days are brought in via links that people click (we are so curious to see what they send us) or via video streams where you watch that cool dude doing something awesome while in the background the program is downloaded. Another difference between viruses and ransomware is that some ransomware is designed not to strike instantly but to wait, or to encrypt quietly, until your backups are compromised as well; as soon as you are beyond the point of no return, it hijacks.

The issue is that the mayhem they cause is so destructive that you don't want to rely on virus/malware scanners alone: if they miss one threat, every computer and file server connected can be infected. You need to make sure threats are stopped before they execute. Again, with a virus most of the time only the local computer was struck; with ransomware, any connected device will be sought out. I know of environments where they saw file servers get infected one by one before they could kill the connection and stop it. A very real threat that needs more attention.

The McAfee “solution”

So McAfee has been working on this, of course; their customers are having issues with ransomware and viruses and look to them for solutions. They get a lot of data from their customers, and from that they found something interesting: threats these days (I say these days) don't seem to like virtual machines and change their behaviour if they notice that threat prevention or analysis tooling is active.

Perhaps, and I'm guessing here, threat creators know that hitting virtual machines is not that sensible, as most VDI environments are stateless. Stateless devices are deleted as soon as something is wrong with them, or at least when the user logs off. Any infection will be lost at that moment if it has not executed already.

In their research they realized that some threats, e.g. Locky, would not execute if the system language was Russian or if a registry key with the same name as the ransomware was already present. This offers possibilities, as we could add those registry keys ourselves.

What did McAfee engineers discover?

  • Threats change their behaviour when they detect a sandbox
  • Threats change their behaviour when they detect monitoring tools

This is interesting, and as they mention in their article: what if you place those artefacts there in advance?

Below is the drawing of the test/solution they write about; the drawing is from their site (copyright added). If we look at this drawing a bit closer, there are two environments, a virtual one and a physical one. In both scenarios, if the artefacts are in place, some of the threats change behaviour or won't run at all. From what they discovered it seems that threats don't like virtual environments, and several artefacts that keep them from executing are there by default in a VM. If these same artefacts are placed on a physical machine (fake artefacts), the threats are kept from executing.


Copyright: McAfee

A different solution, it seems, was to change the language to Russian, but I'm pretty sure our users would object to that. Some of the artefacts threats can detect are:

  • HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier = "VMWARE"
  • HKLM\SOFTWARE\VMware, Inc.\VMware Tools
  • HKLM\HARDWARE\Description\System\SystemBiosVersion = "VMWARE"
  • HKLM\HARDWARE\Description\System\SystemBiosVersion = "VBOX"
  • HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions

Fake files that hint towards a virtual machine also seem to come in handy. The question for me right now is whether it matters if the file size is exactly the same as that of the real ones or not. Something to find out later on.

  • C:\WINDOWS\system32\drivers\VBoxMouse.sys
  • C:\WINDOWS\system32\vboxhook.dll
  • C:\WINDOWS\system32\vboxdisp.dll
  • C:\Windows\system32\drivers\vmmouse.sys
  • C:\system32\drivers\vmhgfs.sys

...and so it continues: fake MAC addresses, as virtual machines are created with MAC addresses that share the same starting bytes (the vendor OUI). VMware uses 00:0C:29, 00:1C:14, 00:50:56 or 00:05:69 by default. These are easily detected, and tests show that threats change behaviour when they find them. All these artefacts are interesting; some we can use, some we can't.
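To make the idea concrete, here is an added example (my own code, not from the McAfee article or their tooling) that plants the registry keys and dummy files listed above on a physical Windows host and then audits what an artefact-checking sample would see. The model-name check used to refuse running on a real VM, the placeholder file contents and the "VMWARE" values are assumptions of this example. One caveat the lists above don't mention: HKLM\HARDWARE is a volatile hive that Windows rebuilds at every boot, so values planted there are gone after a reboot and would need to be re-applied by a startup script; the two SOFTWARE keys persist. Run it in an elevated PowerShell session; the -WhatIf call at the bottom only shows what would be changed.

```powershell
#Requires -RunAsAdministrator
# Added example: plant fake VM artefacts on a physical Windows host and audit them.
# Not McAfee's code; values and checks below are assumptions of this example.

$VmwareOuis = '00:0C:29', '00:1C:14', '00:50:56', '00:05:69'   # VMware OUIs from the post

# Registry artefacts from the post. HKLM:\HARDWARE is volatile (rebuilt at boot):
# values planted there do not survive a reboot. The SOFTWARE keys do.
$RegistryArtefacts = @(
    @{ Path = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools' }
    @{ Path = 'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions' }
    @{ Path = 'HKLM:\HARDWARE\Description\System'; Name = 'SystemBiosVersion'
       Value = [string[]]'VMWARE'; Type = 'MultiString' }
    @{ Path = 'HKLM:\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0'
       Name = 'Identifier'; Value = 'VMWARE'; Type = 'String' }
)

# File artefacts from the post. Placeholder content (assumption): whether a sample
# also checks size or signature is the open question raised in the text.
$FileArtefacts = @(
    "$env:SystemRoot\System32\drivers\VBoxMouse.sys",
    "$env:SystemRoot\System32\vboxhook.dll",
    "$env:SystemRoot\System32\vboxdisp.dll",
    "$env:SystemRoot\System32\drivers\vmmouse.sys",
    "$env:SystemRoot\System32\drivers\vmhgfs.sys"
)

function Install-FakeVmArtefacts {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Refuse to run on a real VM: there the artefacts are genuine and we would
    # clobber real values such as the SCSI Identifier. Model-name match is a heuristic.
    $model = (Get-CimInstance Win32_ComputerSystem).Model
    if ($model -match 'Virtual|VMware|VirtualBox') {
        Write-Warning "Host reports model '$model'; looks like a VM, nothing to plant."
        return
    }

    foreach ($a in $RegistryArtefacts) {
        if ($PSCmdlet.ShouldProcess($a.Path, 'Create registry artefact')) {
            if (-not (Test-Path $a.Path)) { New-Item -Path $a.Path -Force | Out-Null }
            if ($a.Name) {
                New-ItemProperty -Path $a.Path -Name $a.Name -Value $a.Value `
                    -PropertyType $a.Type -Force | Out-Null
            }
        }
    }
    foreach ($f in $FileArtefacts) {
        if (Test-Path $f) { continue }          # never overwrite an existing (real) driver
        if ($PSCmdlet.ShouldProcess($f, 'Create placeholder file')) {
            Set-Content -Path $f -Value 'fake VM artefact (placeholder)' -Encoding ASCII
        }
    }
}

function Test-FakeVmArtefacts {
    # One object per artefact with a Present flag: roughly what a sample doing
    # RegOpenKey / GetFileAttributes / adapter-enumeration checks would observe.
    foreach ($a in $RegistryArtefacts) {
        $present = Test-Path $a.Path
        if ($present -and $a.Name) {
            $v = (Get-ItemProperty -Path $a.Path -Name $a.Name -ErrorAction SilentlyContinue).($a.Name)
            $present = (($v -join ' ') -match 'VMWARE|VBOX')
        }
        $label = if ($a.Name) { "$($a.Path)\$($a.Name)" } else { $a.Path }
        [pscustomobject]@{ Kind = 'Registry'; Artefact = $label; Present = $present }
    }
    foreach ($f in $FileArtefacts) {
        [pscustomobject]@{ Kind = 'File'; Artefact = $f; Present = (Test-Path $f) }
    }
    # The MAC OUI is the one artefact this script only reports and does not fake.
    $macs = Get-NetAdapter -ErrorAction SilentlyContinue |
        ForEach-Object { $_.MacAddress -replace '-', ':' } |
        Where-Object { $_.Length -ge 8 }
    $hit = $macs | Where-Object { $VmwareOuis -contains $_.Substring(0, 8) }
    [pscustomobject]@{ Kind = 'MAC'; Artefact = ($macs -join ', '); Present = [bool]$hit }
}

Install-FakeVmArtefacts -WhatIf            # drop -WhatIf to plant for real
Test-FakeVmArtefacts | Format-Table -AutoSize
```

Run the audit function once before planting and once after, and again after a reboot: the two HKLM\HARDWARE rows will have flipped back to False, which is exactly the volatile-hive caveat. The files are written only where no file of that name exists, so a machine that really has VMware Tools or Guest Additions installed keeps its genuine drivers untouched.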

Solution or ….?

Threats are not stopped with one solution; a vendor claiming they can stop threats 100% is a dreamer. Threats are stopped by using multiple tools and techniques. This concept of McAfee's is very interesting: you can't add all artefacts to your local machine, as it would stop functioning at some point, but a good set of them is usable. If this stops a percentage of the threats from executing, it is worth looking into. A few files and registry keys don't do damage to your environment and might save your day. Read the complete article and think about it, that's what I'm gonna do...

Read the original article at the McAfee site; you can read more on their tests and how to create the artefacts. The link is right here – link.

1 Response

  1. January 24, 2017

    […] Read the entire article here, Sandboxing to protect against malware & fake artefacts to stop threats – […]
