It’s that exciting time of the year, folks, when people from all walks of security life throng to casinos in the desert. Yes! I am talking about Black Hat, BSidesLV and DefCon. Here is a preview of a utility that will be fully released at BSidesLV: SmoothCriminal, which demonstrates an anti-VM and anti-sandbox technique used by some malware today.
What is SmoothCriminal?
SmoothCriminal is an open source Python script that helps you determine the presence of a sandbox by calculating the cursor movement speed. Monitoring mouse movement is one of the simpler methods malware uses to bypass sandboxes. However, this open source script does it differently. Most tools out there only check whether the mouse moved at all. SmoothCriminal, as the name suggests, checks whether the movement was smooth by applying basic calculus, which I must say is pretty accurate. For example, these were my findings:
```
python SmoothCriminal.py -mean
avg was:4 gogogo
```
Here, I let the script run without trying to do anything fancy.
```
python SmoothCriminal.py -mean
avg was:5 gogogo
```
Here, I was frantically moving my optical mouse on the screen.
```
python SmoothCriminal.py -max
fastest change was:29 Let the games begin
```
This was the highest “score” I achieved by actually throwing the mouse quite a few times to try and see if I could fool the script.
```
python SmoothCriminal.py -mean
avg was:20 gogogo
```
This was me trying a mix of drops, random movements and abrupt stops. You can see this could not fool the script either.
However, when I ran this in Cuckoo, this is what I got:
```
python SmoothCriminal.py -max
fastest change was:152 Castles made of sand
```
If you see the “Castles made of sand” message, you know that the script is being run in a “sandboxed” environment. This is what the mean and max arguments mean:
- Mean: The script will accumulate the mouse speed values (only if a movement occurred) and will return the average of all speeds. In a sandbox, the cursor only jumps, so the average will be much higher. It is executed with the -mean flag.
- Max: It will run similarly, yet instead of the average it will return the maximal speed. This technique can trigger a false positive if a flesh-and-blood user moves their cursor extremely fast. It is executed with the -max flag.
I agree, I was able to fool the script once using the -max flag, but not with the -mean flag. All in all, a very interesting implementation of this trivial technique.
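To make the mean/max distinction concrete, here is an added example (not SmoothCriminal’s own code) that applies the same heuristic offline to recorded cursor samples instead of polling win32api, so it runs on any OS. The traces and the 50 px cut-off are constructed assumptions; the post does not publish the script’s threshold.

```python
import math
from statistics import mean

# Constructed cursor traces (x, y), one sample per polling interval.
# A person drags the pointer in small, continuous steps.
HUMAN_TRACE = [(100 + 3 * i, 200 + (i % 4)) for i in range(40)]
# The same drag ending in one fast flick of about 60 px.
HUMAN_FLICK = HUMAN_TRACE + [(HUMAN_TRACE[-1][0] + 60, HUMAN_TRACE[-1][1])]
# A sandbox that leaves the pointer idle and then teleports it.
SANDBOX_TRACE = [(100, 100)] * 20 + [(400, 350)] * 20 + [(150, 600)] * 20

# Assumed cut-off in pixels per interval: the post reports human scores
# up to 29 and a Cuckoo score of 152, but does not publish its threshold.
THRESHOLD = 50.0


def cursor_speeds(trace):
    """Distance moved between consecutive samples, skipping idle samples."""
    speeds = []
    for (x0, y0), (x1, y1) in zip(trace, trace[1:]):
        dist = math.hypot(x1 - x0, y1 - y0)
        if dist > 0:  # only count samples where a movement occurred
            speeds.append(dist)
    return speeds


def score(trace, mode="mean"):
    """Mean (-mean) or maximal (-max) speed; None if the cursor never moved."""
    speeds = cursor_speeds(trace)
    if not speeds:
        return None
    return mean(speeds) if mode == "mean" else max(speeds)


def verdict(trace, mode="mean", threshold=THRESHOLD):
    """Map a score to the two messages the post shows."""
    s = score(trace, mode)
    if s is None:
        return "no movement"  # the cruder "did the mouse move at all" check
    return "Castles made of sand" if s > threshold else "gogogo"


if __name__ == "__main__":
    for name, trace in [("human", HUMAN_TRACE), ("flick", HUMAN_FLICK),
                        ("sandbox", SANDBOX_TRACE)]:
        for mode in ("mean", "max"):
            print(f"{name:8s} -{mode}: {score(trace, mode):6.1f} -> "
                  f"{verdict(trace, mode)}")
```

The flick trace reproduces the false positive described above: -max flags it as a sandbox while -mean does not, because one fast sample barely moves the average.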
The current version of this script can be downloaded from its GitHub repository here. Its only dependency is win32api, which limits it.