PoW-How: An Enduring Timing Side-Channel to Evade Online Malware Sandboxes

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12972)

Abstract

Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information in the reports produced by these services have also helped attackers test the efficacy of numerous techniques to make malware hard to detect.

The most common technique used by malware to evade the analysis system is to monitor the execution environment, detect the presence of any debugging artifacts, and hide its malicious behavior if needed. This is usually achieved by looking for signals suggesting that the execution environment is not a native machine, such as specific memory patterns or behavioral traits of certain CPU instructions.

In this paper, we show how an attacker can evade detection on such online services by incorporating a Proof-of-Work (PoW) algorithm into a malware sample. Specifically, we leverage the asymptotic behavior of the computational cost of PoW algorithms when they run on some classes of hardware platforms to effectively detect the non-bare-metal environment of the malware sandbox analyzer. To prove the validity of this intuition, we design and implement the PoW-How framework, a tool to automatically implement sandbox detection strategies and embed a test evasion program into an arbitrary malware sample. Our empirical evaluation shows that the proposed evasion technique is durable, hard to fingerprint, and reduces the existing malware detection rate by a factor of 10. Moreover, we show how bare-metal environments cannot scale to actual malware submission rates for consumer services.

Notes

  1. https://github.com/anonnymousubmission/Esorics2021_Paper159.

  2. This cannot be applied to ForbiddenTear since it is written in .NET.

  3. The malware detection report for this malware without our PoW-based evasive measure has been anonymized [1, 12].

  4. This reference has been anonymized not to violate the terms of service of sandbox vendors [1].

  5. The references have been anonymized not to violate the terms of service of sandbox vendors [1, 1, 1, 2, 3, 4, 5].

References

  1. Evasive malware analysis report (2020). anonymized

  2. Evasive malware analysis report - 1 (2020). anonymized

  3. Evasive malware analysis report - 2 (2020). anonymized

  4. Evasive malware analysis report - 3 (2020). anonymized

  5. Evasive malware analysis sandbox (2020). anonymized

  6. Adam Back: Hashcash: anti-spam tool (2020). http://www.hashcash.org/

  7. Alexander Peslyak, T.H.: yescrypt - scalable KDF and password hashing scheme (2015). www.openwall.com/yescrypt

  8. Alsmeyer, G.: Chebyshev’s inequality. In: Lovric, M. (eds.) International Encyclopedia of Statistical Science. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-04898-2_167

  9. anonymized: Sandbox 1 (2020). anonymized

  10. anonymized: Sandbox 2 (2020). http://www.anonymized

  11. anonymized: Sandbox 3 (2020). http://www.anonymized

  12. Nappa, A., et al.: PoC Behaviour (No Evasion) - anonymized (2020). http://www.anonymized

  13. Nappa, A., Papadopoulos, P., Varvello, M., Gomez, D.A., Tapiador, J., Lanzi, A.: Artifact repository. https://github.com/anonnymousubmission/Esorics2021_Paper159 (2021)

  14. Nappa, A., Papadopoulos, P., Varvello, M., Gomez, D.A., Tapiador, J., Lanzi, A.: Relec + PoW + static sanitization - anonymized (2021). http://www.anonymized

  15. Balzarotti, D., Cova, M., Karlberger, C., Vigna, G.: Efficient detection of split personalities in malware. In: Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS) (2010)

  16. Bayer, U., Comparetti, P.M., Hlauschek, C., Krügel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: NDSS. The Internet Society (2009). http://dblp.uni-trier.de/db/conf/ndss/ndss2009.html#BayerCHKK09

  17. Biryukov, A., Dinu, D., Khovratovich, D.: Argon2: new generation of memory-hard functions for password hashing and other applications. In: IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbrücken, Germany, 21–24 March 2016 (2016)

  18. Biryukov, A., Dinu, D., Khovratovich, D., Josefsson, S.: Argon2 rfc (2019). www.tools.ietf.org/id/draft-irtf-cfrg-argon2-05.html

  19. Blackthorne, J., Bulazel, A., Fasano, A., Biernat, P., Yener, B.: AVLeak: fingerprinting antivirus emulators through black-box testing. In: 10th USENIX Workshop on Offensive Technologies (WOOT 16), Austin, TX. USENIX Association, August 2016. https://www.usenix.org/conference/woot16/workshop-program/presentation/blackthorne

  20. Brengel, M., Backes, M., Rossow, C.: Detecting hardware-assisted virtualization. In: Caballero, J., Zurutuza, U., Rodríguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 207–227. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40667-1_11

  21. Caballero, J., Grier, C., Kreibich, C., Paxson, V.: Measuring pay-per-install: the commoditization of malware distribution. In: Proceedings of the 20th USENIX Security Symposium (2011)

  22. Canali, D., Lanzi, A., Balzarotti, D., Kruegel, C., Christodorescu, M., Kirda, E.: A quantitative study of accuracy in system call-based malware detection. In: Heimdahl, M.P.E., Su, Z. (eds.) International Symposium on Software Testing and Analysis, ISSTA 2012, Minneapolis, MN, USA, 15–20 July 2012, pp. 122–132. ACM (2012). https://doi.org/10.1145/2338965.2336768

  23. Chen, X., Andersen, J., Mao, Z.M., Bailey, M., Nazario, J.: Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: 2008 IEEE International Conference on Dependable Systems and Networks with FTCS and DCC (DSN), pp. 177–186. IEEE (2008)

  24. Forler, C., Lucks, S., Wenzel, J.: The catena password-scrambling framework (2015). www.uni-weimar.de/fileadmin/user/fak/medien/professuren/Mediensicherheit/Research/Publications/catena-v3.1.pdf

  25. Chronicle Security: File statistics during last 7 days (2020). https://www.virustotal.com/en/statistics/

  26. Coker, J.: Evasive malware threats on the rise despite decline in overall attacks (2020). https://www.infosecurity-magazine.com/news/evasive-malware-rise-decline/

  27. Cybersecurity Ventures: Global cybercrime damages predicted to reach $6 trillion annually by 2021 (2018). https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/

  28. Digiconomist: Yara Signature Detector (2007). https://digiconomist.net/bitcoin-energy-consumption

  29. Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008, New York, NY, USA, pp. 51–62. Association for Computing Machinery (2008). https://doi.org/10.1145/1455770.1455779

  30. Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 51–62 (2008)

  31. Dugan, J., Elliott, S., Mah, B.A., Poskanzer, J., Prabhu, K.: iPerf - the ultimate speed test tool for TCP, UDP and SCTP (2020). https://iperf.fr/

  32. Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_10

  33. Feldman, R., Dagan, I.: Knowledge discovery in textual databases (KDT). In: Proceedings of the First International Conference on Knowledge Discovery and Data Mining, KDD 1995, pp. 112–117. AAAI Press (1995)

  34. Franklin, J., Luk, M., McCune, J.M., Seshadri, A., Perrig, A., Van Doorn, L.: Remote detection of virtual machine monitors with fuzzy benchmarking. ACM SIGOPS Oper. Syst. Rev. 42(3), 83–92 (2008)

  35. Graziano, M., Canali, D., Bilge, L., Lanzi, A., Balzarotti, D.: Needles in a haystack: mining information from public dynamic analysis sandboxes for malware intelligence. In: Proceedings of the 24th USENIX Security Symposium (USENIX Security), August 2015

  36. Gu, G., Yegneswaran, V., Porras, P., Stoll, J., Lee, W.: Active botnet probing to identify obscure command and control channels. In: Proceedings of 2009 Annual Computer Security Applications Conference (ACSAC 2009), December 2009

  37. Guarnieri, C.: Cuckoo sandbox (2010). https://cuckoosandbox.org/

  38. Haq, I.U., Chica, S., Caballero, J., Jha, S.: Malware lineage in the wild. Comput. Secur. 78(C), 347–363, August 2018. https://doi.org/10.1016/j.cose.2018.07.012

  39. Infosecurity Magazine: Cybercrime costs global economy $2.9m per minute (2019). https://www.infosecurity-magazine.com/news/cybercrime-costs-global-economy/

  40. Kirat, D., Vigna, G., Kruegel, C.: BareCloud: bare-metal analysis-based evasive malware detection. In: 23rd USENIX Security Symposium (USENIX Security 14), San Diego, CA, pp. 287–301. USENIX Association, August 2014. https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kirat

  41. Kocher, P., et al.: Spectre attacks: exploiting speculative execution. In: 40th IEEE Symposium on Security and Privacy (S&P 2019) (2019)

  42. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9

  43. Kolbitsch, C., Holz, T., Kruegel, C., Kirda, E.: Inspector gadget: automated extraction of proprietary gadgets from malware binaries. In: 31st IEEE Symposium on Security and Privacy, S&P 2010, Berkeley/Oakland, California, USA, 16–19 May 2010, pp. 29–44. IEEE Computer Society (2010). https://doi.org/10.1109/SP.2010.10

  44. Kotzias, P., Bilge, L., Caballero, J.: Measuring PUP prevalence and pup distribution through pay-per-install services. In: Proceedings of the 25th USENIX Security Symposium (2016)

  45. Lanzi, A., Balzarotti, D., Kruegel, C., Christodorescu, M., Kirda, E.: AccessMiner: using system-centric models for malware protection. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V. (eds.) Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA, 4–8 October 2010, pp. 399–412. ACM (2010). https://doi.org/10.1145/1866307.1866353

  46. Larimer, D.: Momentum-a memory-hard proof-of-work via finding birthday collisions. Technical report (2014)

  47. Lastline Inc.: Not so fast my friend - using inverted timing attacks to bypass dynamic analysis (2014). www.lastline.com/labsblog/not-so-fast-my-friend-using-inverted-timing-attacks-to-bypass-dynamic-analysis/

  48. Laurie, B., Clayton, R.: Proof-of-work proves not to work; version 0.2. In: Workshop on Economics and Information, Security (2004)

  49. Li, L.W., Duc, G., Pacalet, R.: Hardware-assisted memory tracing on new SoCs embedding FPGA fabrics. In: Proceedings of the 31st Annual Computer Security Applications Conference, ACSAC 2015, New York, NY, USA, pp. 461–470. Association for Computing Machinery (2015). https://doi.org/10.1145/2818000.2818030

  50. Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting environment-sensitive malware. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 338–357. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23644-0_18

  51. Lipp, M., et al.: Meltdown: Reading kernel memory from user space. In: 27th USENIX Security Symposium (USENIX Security 18) (2018)

  52. LLVM: Clang: a C language family frontend for LLVM (2020). https://clang.llvm.org/

  53. Martignoni, L., Christodorescu, M., Jha, S.: Omniunpack: Fast, generic, and safe unpacking of malware. In: ACSAC 2007 (2007)

  54. Martignoni, L., Paleari, R., Fresi Roglia, G., Bruschi, D.: Testing CPU emulators. In: Proceedings of the 2009 International Conference on Software Testing and Analysis (ISSTA), Chicago, Illinois, USA, pp. 261–272. ACM (2009)

  55. Martignoni, L., Paleari, R., Fresi Roglia, G., Bruschi, D.: Testing system virtual machines. In: Proceedings of the 2010 International Symposium on Testing and Analysis (ISSTA), Trento, Italy (2010)

  56. Miramirkhani, N., Appini, M.P., Nikiforakis, N., Polychronakis, M.: Spotless sandboxes: evading malware analysis systems using wear-and-tear artifacts. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 1009–1024, May 2017. https://doi.org/10.1109/SP.2017.42

  57. Moser, A., Krügel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: 2007 IEEE Symposium on Security and Privacy (S&P 2007), Oakland, California, USA, 20–23 May 2007, pp. 231–245. IEEE Computer Society (2007). https://doi.org/10.1109/SP.2007.17

  58. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system. http://bitcoin.org/bitcoin.pdf

  59. Nappa, A., Xu, Z., Rafique, M.Z., Caballero, J., Gu, G.: Cyberprobe: towards internet-scale active detection of malicious servers. In: Proceedings of the 21st Annual Network and Distributed System Security Symposium (NDSS 2014), February 2014

  60. Oprişa, C., Ignat, N.: A measure of similarity for binary programs with a hierarchical structure. In: 2015 IEEE International Conference on Intelligent Computer Communication and Processing (ICCP), pp. 117–123 (2015). https://doi.org/10.1109/ICCP.2015.7312615

  61. Oreans: Advanced windows software protection system (2020). https://www.oreans.com/themida.php

  62. The Boost organization: Boost C++ libraries (2020). https://www.boost.org/

  63. Ozarslan, S.: Online malware sandboxes (2016). www.medium.com/@su13ym4n/15-online-sandboxes-for-malware-analysis-f8885ecb8a35

  64. Paleari, R., Martignoni, L., Roglia, G.F., Bruschi, D.: A fistful of red-pills: How to automatically generate procedures to detect cpu emulators. In: Proceedings of the 3rd USENIX Conference on Offensive Technologies, WOOT 2009, USA, p. 2. USENIX Association (2009)

  65. Protocol Labs: Filecoin: a decentralized storage network (2020). https://filecoin.io/

  66. Red Hat Inc.: Ansible it automation (2020). https://github.com/ansible

  67. Rutkowska, J.: Red pill ... or how to detect VMM using (almost) one CPU instruction (2004). https://securiteam.com/securityreviews/6z00h20bqs/

  68. Sharif, M., Lanzi, A., Giffin, J., Lee, W.: Automatic reverse engineering of malware emulators. In: IEEE Symposium on Security and Privacy, vol. 0, pp. 94–109 (2009). http://doi.ieeecomputersociety.org/10.1109/SP.2009.27

  69. Tanabe, R., Ueno, W., Ishii, K., Yoshioka, K., Matsumoto, T., Kasama, T., Inoue, D., Rossow, C.: Evasive malware via identifier implanting. In: Giuffrida, C., Bardin, S., Blanc, G. (eds.) DIMVA 2018. LNCS, vol. 10885, pp. 162–184. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93411-2_8

  70. Tromp, J.: Cuckoo cycle: a memory bound graph-theoretic proof-of-work. In: Brenner, M., Christin, N., Johnson, B., Rohloff, K. (eds.) FC 2015. LNCS, vol. 8976, pp. 49–62. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48051-9_4

  71. Tuwiner, J.: Bitmain antminer s9 review (2017). https://www.buybitcoinworldwide.com/mining/hardware/antminer-s9/

  72. Ugarte-Pedrero, X., Balzarotti, D., Santos, I., Bringas, P.G.: SoK: deep packer inspection: a longitudinal study of the complexity of run-time packers. In: 2015 IEEE Symposium on Security and Privacy, pp. 659–673, May 2015. https://doi.org/10.1109/SP.2015.46

  73. VirusShare: Virusshare.com - because sharing is caring (2020). https://virusshare.com/l

  74. Wang, T., Wei, T., Gu, G., Zou, W.: TaintScope: a checksum-aware directed fuzzing tool for automatic software vulnerability detection. In: Proceedings of the 31st IEEE Symposium on Security and Privacy (Oakland 2010), May 2010

  75. Wikipedia: Wannacry ransomware hits prevalently windows (2017). https://en.wikipedia.org/wiki/WannaCry_ransomware_attack/

  76. Wong, D.: Np complexity (2013). https://www.cryptologie.net/article/43/np-complexity/

  77. Xu, Z., Nappa, A., Baykov, R., Yang, G., Caballero, J., Gu, G.: AutoProbe: towards automatic active malicious server probing using dynamic binary analysis. In: Proceedings of the 21st ACM Conference on Computer and Communication Security (2014)

  78. Yokoyama, A., et al.: SandPrint: fingerprinting malware sandboxes to provide intelligence for sandbox evasion. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 165–187. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45719-2_8

Author information

Corresponding author

Correspondence to Panagiotis Papadopoulos.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Nappa, A., Papadopoulos, P., Varvello, M., Gomez, D.A., Tapiador, J., Lanzi, A. (2021). PoW-How: An Enduring Timing Side-Channel to Evade Online Malware Sandboxes. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science, vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_5

  • DOI: https://doi.org/10.1007/978-3-030-88418-5_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88417-8

  • Online ISBN: 978-3-030-88418-5

  • eBook Packages: Computer Science (R0)