Wednesday, May 11, 2016

A Glance at Cylance

Note:
- Personal thoughts here, employer not represented.
- I don't like AVs. The risk to performance and security doesn't make sense to me.

I've worked at places where AV was required and the security team was tasked to help SysAdmins tune (troubleshoot) AV so that the zip file created and transferred from employee to another employee did not cause an absolute system DoS (looks over at McAfee). And as most pentesters, I've been bypassing AVs for years.

I've heard a lot of hype around Cylance and it's AI algorithm and machine learning. And I've been wanting to test it out from an AppSec POV and if I could bypass it using my open source tools. One cannot simply download a demo of Cylance and do testing as a household consumer.  It is available only to enterprises and I believe Bluecoat has adopted it as a inline scanner.

The hype follows me on vacation
Via IRC, in #BDFactory on freenode, Sizzop mentioned that Cylance was doing a tour where you could bring in your own malware for testing.  I thought why not. It was (still going as of posting) called their Unbelievable Tour and they had one close to me in DC.  So I signed up.

The night before I set up a blind test using binaries from live.sysinternals.com and a command and control server on the public internet to catch call backs.

I downloaded the first level of tools in the directory and set up four folders on a USB drive:
  • Set 1: Just Sysinternals Tools with no modifications - approximately 100 binaries.
  • Set 2: Sysinternals again, though four were patched via BDF, added an Ebowla golang compiled binary with Pupy as payload set to work in May 2016 (it was still April 2016), a Veil python compiled binary, a sandbox finger-printer (python pyinstaller compiled binary), a backdoored macho binary, nothing modified or custom was signed.
  • Set 3: Sysinternals with four BDF patched binaries (signed with an expired cert), an Ebowla golang compiled binary with Pupy as a payload set to execute in April 2016 only (it was April 28th).
  • Set 4: Various malformed PE file formats known (to me) to cause issues in PE file parsers.
With my USB drive burning a hole in my pocket, I arrived at the demo location - Morton's in DC (swanky).  Everyone from Cylance was friendly. The demo was presented with lunch.

Cylance sales engineers talked about how they use AI to determine what is bad and that they have done away with dat files. The agent and all supporting files were a total of ~60 MB.  Then, Cylance pitted itself against Symantec in a demo; they took about 100 known malicious samples, ran them through VMprotect and dropped all the pre and post VMprotect samples on two Windows 7 virtual machines (VMs) - one with Cylance and one with Symantec.

Cylance detected everything. I expected as much as they are running the demo. Symantec detected nothing (at all) and the VM became non-functional. 

My initial impressions:
  • The Cylance agent was really fast.
  • There seemed no impact on performance of the Cylance VM.
  • I was impressed and worried about my tests. After all BDF has been open source for three years.
After the sales presentation and demo, they offered to run malware from the audience. There were two of us that had samples for testing.

I went first and the results were as follows:
  • Set 1: Some of the Sysinternals tools were flagged. Psexec for example and I think a couple more.  I did not have control of the computer to determine which exactly. One thing when deploying an AV is a false positive rate.  Cylance is not immune to this.
  • Set 2: The Veil payload was caught and quarantined prior to execution. One BDF payload was caught and quarantined prior to execution - it used a payload straight from metasploit. Nothing else was flagged.  On physical execution, the remaining binaries connected to my command and control server.
  • Set 3: One BDF sample was flagged and quarantined.  Interestingly it was a sample that I did not want caught, however, I picked the patching method myself - the code cave selection. All the BDF auto generated samples with my IAT based payloads were not flagged. Remember these samples had bad certificates. Nothing else was flagged. On physical execution, the remaining binaries connected to my command and control server.  Cylance does not scan cross platform executables so my macho (OS X) backdoored binary was not scanned.
  • The sales engineer fired up a GUI control panel to scan the malformed exes.  Not all of them were recognized as valid PE files (expected) and I did not see any crashes. Though the sample size was small < 20 items.

Summary:
  • Veil 1/1 detected
  • BDF binaries that should have been detected (metasploit shellcode): 1/1
  • BDF binaries I did not want detected: 1/7
  • Ebowla: 0/2 detected
  • Pyinstaller sandbox enumerator: 0/1 detected (does nothing bad really)

The other group had a javascript encoded (.jse) file. Cylance has a script blocker of sorts that stopped execution of the file.  I believe this works against powershell scripts also, but I was not prepared to test it.

My thoughts after testing:
  • It was really fast. I can't say this enough.
  • With all the AI processing on the backend to make the rules for the deployed agent, the Cylance agent still has to make a determination on what is good/bad.  Everything still comes down to a single if statement - let this run or don't.
  • It's still an AV. It has a kernel driver to hook binary execution. This adds an attack footprint just like any other AV. However, because it doesn't work with dat files, I think that the attack footprint is potentially smaller than other AVs.  The agent still has to worry about file format parsing.  I would like to do an appsec style analysis of the entire deployed platform.
  • Updates.  They were stating that Cylance only updates once or twice a year as a positive. I'd imagine that they will flag BDF output in the next update. However, if there is a major outbreak of a specific type of infection that the agent does not believe is bad now, how will the agent determine if it is bad in the future? If updating the agent entirely is the only way to add new detection algorithms, then I see more frequent updates and perhaps agent bloat. 
  • No comparisons against F-Secure or Kaspersky?  I think Cylance's main target for competition is the US market - where McAfee and Symantec have dominance.
If your organization is in an industry where AV is required for compliance reasons AND it has to be from the US (you are stuck with McAfee or Symantec), I would give Cylance a demo and compare it to what you have now.

Update:
FULL DISCLOSURE: I won a gift card for bypassing cylance.








10 comments:

  1. Hi there. Would you mind posting your samples? I want to run them against our AV and see how we fare :-/

    ReplyDelete
    Replies
    1. I can provide them offline. I just need to know who I am talking too and what the results are. :)

      Delete
    2. I'd be happy to share the results. What's the best way to connect? Email, skype, other?

      Delete
    3. Email is on my github profile page here: https://github.com/secretsquirrel

      Delete
    4. Hi _runr! Would you mind sharing your sample with me as well? I am currently demo'ing the product as well. I am a recent college grad looking heavily into AV/IDS/IPS bypass and I am luckily enough to have access to a demo.
      I was trying to do it on my own but the private keys you use here (https://secureallthethings.blogspot.com/2015/12/add-pe-code-signing-to-backdoor-factory.html) are 404d.
      I would love to share findings and anything else you'd like.

      You can reach me at fairna@mail.uc.edu.

      Thanks much,

      93OX

      Delete
  2. When you say cross platform executable, do you mean that Cylance will not scan executables on one platform that run on another, or they will not scan executables that run on multiple platforms?

    ReplyDelete
    Replies
    1. From my understanding, they will only scan executables for the platform that their agent is on.

      It makes sense to me, because you don't have a parser for all the known executable formats on one agent, which limits your attack footprint and makes multi-platform bugs harder to come by.

      Delete
    2. So, the windows agent only concerns itself with windows executables, OS X with OSX.

      Delete
    3. Doesn't work so well when you consider WSL :)

      Delete