Evasions: Network
Contents
Network detection methods used
1. Specific network properties
1.1. Check if MAC address is specific
1.2. Check if adapter name is specific
1.3. Check if provider’s name for network shares is specific
2. Check if network belongs to security perimeter
3. NetValidateName result based anti-emulation technique
4. Cuckoo ResultServer connection based anti-emulation technique
Signature recommendations
Countermeasures
Credits
Network detection methods
Evasion techniques in this group are related to the network in one way or another. Either network-related functions are used or network parameters are checked; if they differ from those of a usual host OS, a virtual environment is likely detected.
1. Specific network properties
Vendors of different virtual environments hard-code some values (MAC address) and names (network adapter) for their products. Because of this, such environments may be detected by checking the properties of the appropriate objects.
1.1. Check if MAC address is specific
Functions used:
- GetAdaptersAddresses(AF_UNSPEC, ...)
- GetAdaptersInfo
Code sample (function GetAdaptersAddresses)
Credits for this code sample: pafish project
Code sample (function GetAdaptersInfo)
Credits for this code sample: al-khaser project
Detections table
Check if the MAC address starts with one of the following values:

Detect | MAC address starts with | Bytes |
---|---|---|
Parallels | 00:1C:42 | \x00\x1C\x42 |
VirtualBox | 08:00:27 | \x08\x00\x27 |
VMware | 00:05:69 | \x00\x05\x69 |
VMware | 00:0C:29 | \x00\x0C\x29 |
VMware | 00:1C:14 | \x00\x1C\x14 |
VMware | 00:50:56 | \x00\x50\x56 |
Xen | 00:16:E3 | \x00\x16\xE3 |
1.2. Check if adapter name is specific
Functions used:
- GetAdaptersAddresses(AF_UNSPEC, ...)
- GetAdaptersInfo
Code sample (function GetAdaptersAddresses)
Credits for this code sample: pafish project
Code sample (function GetAdaptersInfo)
Credits for this code sample: al-khaser project
Detections table
Check if the adapter name is the following:

Detect | Name |
---|---|
VMware | Vmware |
1.3. Check if provider's name for network shares is specific
Functions used (see note about native functions):
- WNetGetProviderName(WNNC_NET_RDR2SAMPLE, ...)
Code sample
Credits for this code sample: pafish project
Detections table
Check if the provider's name for network shares is the following:

Detect | Name |
---|---|
VirtualBox | VirtualBox Shared Folders |
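As an added example (not pafish, al-khaser or InviZzzible code), a small Python audit a sandbox operator can run over a guest's adapter inventory before releasing an image: it checks MAC OUIs, adapter descriptions and share-provider names against the three tables above, so the countermeasure "change them for the virtual environment" can be verified. The function names, the inventory format and the case-insensitive substring matching used for the name checks are assumptions made here.

```python
"""Audit a sandbox guest's network artifacts against tables 1.1 to 1.3. Added example,
not code from pafish, al-khaser or InviZzzible; the inventory comes from the operator."""
import re

# OUI prefixes (first three MAC bytes) from table 1.1.
VM_MAC_PREFIXES = {
    bytes.fromhex("001C42"): "Parallels",
    bytes.fromhex("080027"): "VirtualBox",
    bytes.fromhex("000569"): "VMware",
    bytes.fromhex("000C29"): "VMware",
    bytes.fromhex("001C14"): "VMware",
    bytes.fromhex("005056"): "VMware",
    bytes.fromhex("0016E3"): "Xen",
}
# Strings from tables 1.2 and 1.3, matched as case-insensitive substrings (an
# assumption made here so that "Vmware"/"VMware" casing differences do not matter).
VM_ADAPTER_NAMES = {"vmware": "VMware"}
VM_SHARE_PROVIDERS = {"virtualbox shared folders": "VirtualBox"}

def parse_mac(mac):
    """Accept '08:00:27:..', '08-00-27-..' or six raw bytes; return six bytes."""
    if isinstance(mac, (bytes, bytearray)):
        raw = bytes(mac)
    else:
        raw = bytes.fromhex(re.sub(r"[:\-.]", "", mac))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return raw

def mac_vendor(mac):
    """Return the VM vendor whose OUI the MAC starts with, or None."""
    return VM_MAC_PREFIXES.get(parse_mac(mac)[:3])

def audit_guest(adapters, share_providers):
    """adapters: (mac, description) pairs; share_providers: provider names.
    Returns [(artifact, value, vendor)] for everything an evasive sample could match."""
    findings = []
    for mac, desc in adapters:
        vendor = mac_vendor(mac)
        if vendor:
            findings.append(("mac", mac, vendor))
        findings += [("adapter_name", desc, v) for k, v in VM_ADAPTER_NAMES.items() if k in desc.lower()]
    for prov in share_providers:
        findings += [("share_provider", prov, v) for k, v in VM_SHARE_PROVIDERS.items() if k in prov.lower()]
    return findings

if __name__ == "__main__":  # constructed inventory of an unhardened VirtualBox guest
    for artifact, value, vendor in audit_guest([("08:00:27:3A:1B:2C", "Intel(R) PRO/1000 MT Desktop Adapter")],
                                               ["Microsoft Windows Network", "VirtualBox Shared Folders"]):
        print(f"exposed via {artifact:<15} {value!r} -> {vendor}")
```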
2. Check if network belongs to security perimeter
Malware makes a request to https[:]//www.maxmind.com/geoip/v2.1/city/me, which normally requires some kind of authentication or API key. To get around this requirement, the malware makes the request look as if it comes from the site itself by setting the HTTP Referer header to https[:]//www.maxmind.com/en/locate-my-ip-address and the User-Agent to Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0). This trick allows the sample to retrieve information about the IP address of the machine it is running on.
The response is returned in JSON format and contains information about the country, the city and, most importantly, the organization associated with the IP address. If some "bad" strings are found in the response, the malware knows that it has been launched inside some kind of security perimeter or organization.
Examples
- anti VM tricks
- malicious macros add sandbox evasion techniques to distribute new Dridex
- malicious documents with macros evading automated analysis systems
“Bad strings” from malware sample (fixed capitalization):
3. NetValidateName result based anti-emulation technique
Initially this technique was designed for bypassing AV detection. It is not an evasion technique in itself; instead it abuses an interesting side effect of the function call.
The main idea is to use the deterministic result of a NetValidateName API call with an invalid Server name argument (for example "123") to calculate a jump address dynamically. This jump usually points into the middle of an instruction in order to bypass the heuristic analysis of AV software. But the technique also has (at least) one side effect.
If the default NetBIOS settings are in place in the operating system (NetBIOS over TCP/IP is enabled), the return code is always ERROR_BAD_NETPATH (0x35).
If NetBIOS over TCP/IP is switched off, the return code is ERROR_NETWORK_UNREACHABLE (0x4CF).
Thus the jump address is calculated incorrectly and the sample crashes. Therefore, this technique can be used to break emulation in sandboxes where NetBIOS over TCP/IP is switched off to prevent the OS from generating junk traffic.
Note: NetBIOS over TCP/IP is switched off so that no additional network requests are generated when resolving a server IP via DNS. Switching this option off cancels lookup requests in the local network.
Code sample (function NetValidateName)
4. Cuckoo ResultServer connection based anti-emulation technique
This technique can be used to detect the Cuckoo Sandbox virtual environment. Malware enumerates all established outgoing TCP connections and checks whether there is a connection to the specific TCP port (2042) used by the Cuckoo ResultServer.
Signature recommendations
Signature recommendations are the same for every technique in this group: hook the function used and track whether it is called. It is hard to tell why an application wants to get the adapter name, for example; it does not necessarily mean an evasion technique is being applied. So the best that can be done in this situation is to intercept the target functions and track their calls.
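Added example, not code from the projects this page references: detection logic in the spirit of the recommendation above, run over constructed hook-trace lines. It records the adapter enumeration APIs at low confidence, as the text suggests, and raises confidence only where the arguments match the patterns described on this page (the RDR2SAMPLE provider query, NetValidateName with a digit-only server name such as "123", the GeoIP request carrying the spoofed Referer). The one-event-per-line key=value trace format, the rule texts and the function names are assumptions.

```python
"""Flag hooked API calls and network events tied to the evasions on this page. Added example,
not InviZzzible/pafish/al-khaser code; the 'key=value' trace format is constructed for illustration."""
import shlex

# Section 1.1/1.2 APIs are used by many benign programs, so only recorded (low); 1.3, 2 and 3 rate higher.
NETWORK_ENUM_APIS = {"GetAdaptersAddresses", "GetAdaptersInfo"}
GEOIP_URL = "https://www.maxmind.com/geoip/v2.1/city/me"
SPOOFED_REFERER = "https://www.maxmind.com/en/locate-my-ip-address"

def parse_event(line):
    """Turn 'api=NetValidateName server="123" ret=0x4CF' into a dict."""
    return dict(tok.partition("=")[::2] for tok in shlex.split(line))

def classify(ev):
    """Return (confidence, rule) for one event, or None if it is of no interest."""
    api = ev.get("api")
    if api in NETWORK_ENUM_APIS:
        return ("low", f"{api}: adapter MAC/name enumeration (1.1, 1.2)")
    if api == "WNetGetProviderName" and ev.get("net_type") == "WNNC_NET_RDR2SAMPLE":
        return ("medium", "share provider name query (1.3)")
    if api == "NetValidateName":
        # Section 3: the trick passes a deliberately invalid server name such as "123".
        if ev.get("server", "").isdigit():
            return ("high", f"NetValidateName with invalid server {ev['server']!r} (3)")
        return ("low", "NetValidateName (3)")
    if ev.get("url") == GEOIP_URL:
        if ev.get("referer") == SPOOFED_REFERER:
            return ("high", "GeoIP lookup with spoofed Referer (2)")
        return ("medium", "GeoIP lookup (2)")
    return None

def scan_trace(lines):
    """Return [(confidence, rule, line)] for every non-empty event that matched a rule."""
    verdicts = ((classify(parse_event(l.strip())), l.strip()) for l in lines if l.strip())
    return [(*v, line) for v, line in verdicts if v]

# Constructed trace: four events of interest followed by one benign call.
SAMPLE_TRACE = """
api=GetAdaptersAddresses family=AF_UNSPEC ret=0
api=WNetGetProviderName net_type=WNNC_NET_RDR2SAMPLE ret=0
api=NetValidateName server="123" ret=0x4CF
url=https://www.maxmind.com/geoip/v2.1/city/me referer=https://www.maxmind.com/en/locate-my-ip-address
api=GetTickCount ret=12345
""".splitlines()

if __name__ == "__main__":
    for conf, rule, line in scan_trace(SAMPLE_TRACE):
        print(f"[{conf:6}] {rule}\n         {line}")
```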
Countermeasures
- versus checking network parameters: change them for virtual environment;
- versus checking security perimeter: emulate network responses in an appropriate manner;
- versus NetValidateName result based technique: turn on NetBIOS over TCP/IP;
- versus Cuckoo ResultServer connection based technique: change ResultServer port in the Cuckoo configuration.
Credits
Credits go to the open-source projects from which the code samples were taken:
Though the Check Point tool InviZzzible has all of them implemented, due to the modular structure of its code it would take more space to show a code sample from this tool for the same purposes. That is why we decided to use other great open-source projects for examples throughout the encyclopedia.