Testing WildFire

cancel
Showing results for 
Search instead for 
Did you mean: 

Testing WildFire

L1 Bithead

I did some test on WildFire. I've created backdoors, link backdoor with a legitimate file, and playing around with malware, and obscure malware with the goal to bypass.

The result and scenarios can be found on my website.

Any comments or remarks are welcome

10 REPLIES 10

Not applicable

You mean this website? http://www.accessdenied.be

yes, on my site I store all the documents I've tested using my box

I guess you agree with me that Wildfire conclusion of what is benign and what is malware is a bit off?

Could perhaps someone from PaloAlto put some light on this matter?

L3 Networker

Nice work man. Busy reading. Saw something in your file blocking profile that can be configured differently to ensure that only the correct file types are forwarded to Wildfire - I believe the correct file type for Wildfire is "PE". This of course includes .exe and .dll.Filetype should be set to PE.png

PE stands for Portable Exectuble. Currently the only file types (exe and dll) supported by Wildfire. Check Point is trying to catch up with threat emulation...

I'd be happy to see Wildfire supporting office documents as well as pdf files.

Side note, it's always good to block unknown udp,tcp traffic Smiley Wink

Roland

Yeah only scanning exe, dll and scr is a bit limited.

Will be more interresting the day Wildfire also supports pdf, java, flash and office-documents.

And for that matter become a bit more critic of whats malware and whats benign (I somewhat disagress with PaloAlto on whats benign and whats not in terms of that what Wildfire thinks is beningn I think should be classified as malware 🙂

L3 Networker

Hi Johan,

Looks like you've had some fun taking a look at WildFire's detection logic.  I wanted to take the opportunity to address some of your findings just to clarify some of the items presented:


1.  Your first three tests use custom binaries that open reverse shells as the "malicious behavior".  Opening a reverse shell that never connects to bind to a shell is not something that can really be used to detect malware.  If you start a reverse shell without successfully binding, all it really looks like is an attempted TCP connection.  Since all we see in the sandbox is a failed TCP connection, there is nothing useful here to call the sample malware.  Furthermore, the IP address chosen by your application is in private address space.  Calling programs malware when all they do is open a TCP socket on private address space would quickly lead to problems.

2.  If your sample were to perform a reverse shell to an external IP and actually bind to a server listening for the shell, the Palo Alto Networks IPS would have caught that reverse shell and triggered a critical reverse shell alert.  If you are blocking on IPS signatures, this shell would have also been blocked, preventing the interactive session from taking place.

3.  In the final test, you take malware (which was confirmed as malware by WildFire), run it through pescrambler, and run it through WildFire again to see if we can detect it as malware.  The test comes back benign, and you'll notice that one of the behaviors observed is that the sample crashed when loaded.  This is because pescrambler corrupted the EXE making it unloadable.  In fact if you run it in your own environment, it crashes immediately.  The pescrambler tool looks like it hasn't been updated in some time, and in fact has an open issue (https://code.google.com/p/pescrambler/issues/detail?id=1) describing the fact that it corrupts EXEs.  Given that the sample doesn't successfully run, I wouldn't call this a false negative.  In fact, any static file obfuscator like pescrambler is more useful in evading AV signatures, and not in evading dynamic sandbox-based analysis tools like WildFire.  Scrambling a PE file causes the file image to change, but once it's running, WildFire doesn't care whether the file was scrambled or not.  WildFire is looking at the runtime behaviors of the sample as it runs in the sandbox, regardless of how the PE file was obfuscated.

Having said all that, WildFire will never catch 100% but it is a valuable addition to our threat prevention technology stack in catching malware that evades the other layers of defense.  If you have any other findings you would like to bring to our attention, please let us know or you can also reach out to me directly.

Thanks,

Taylor Ettema

Product Manager, Threat Prevention

It's nice to see a point by point response from Palo Alto's Threat Prevention Product Manager here on the forums... well done sir.

Excellent answer, thanks for sharing !

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!