At InfoSecurity Europe, I’ll be giving a Tech Talk on evasive malware. At Lastline Labs, we classify a malware sample as evasive if it behaves differently in a dynamic analysis environment (a sandbox) than it does on a target machine. At a high level, attackers design malware so that it first checks for various signs that it is running inside an analysis environment rather than on a real end user’s machine. If it is, the malware displays perfectly benign behavior (for example, it may terminate immediately). If it determines that it is instead running on a real user’s machine, it performs all of its malicious activities, such as exfiltrating confidential documents or launching denial of service attacks. That is, evasive malware is a sort of Dr Jekyll and Mr Hyde of programs: benign and well behaved in the eyes of unsuspecting analyzers, malicious and destructive for its intended targets.
We’ve seen evasive malware go from theoretical hypothesis to rarity to mainstream threat in just a few years. In fact, we saw the number of evasive samples more than double from January 2014 to December 2014. What’s more, evasive malware has become more evasive than in the past, shifting from two or three evasive maneuvers per sample a year ago to as many as 10 or more in a single sample today.
The four most common evasion technique categories are environmental awareness, confusing automated tools, timing-based evasion, and obfuscation of internal data. While these techniques render most signature-based tools and many behavior-based security tools ineffective, they also betray the attacker by surfacing malicious behaviors in a full-system emulation environment. The very techniques designed to hide malicious intent within code can invite suspicion and lead to detection if they are visible to the security system in place.
So how can enterprises defend themselves against evasive malware? One important technique is to flip the equation and deploy a stealth sandbox that analyzes evasive malware while appearing to be a target machine. This lets you beat evasive malware at its own game, turning its evasive maneuvers against it by using them to identify malicious code. So rather than (or in addition to) looking for highly suspicious behaviors like process tampering or rootkit-like hooking, evasive malware is best detected by looking for evasiveness. In essence, if the code is acting shifty, it’s probably malicious. If malware stalls, loops, scans for an analysis environment and then cloaks itself, these are all indicators of malicious intent. No destructive execution or data theft attempt needs to occur to indicate that something is not right.
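To make the "look for evasiveness" idea concrete, here is an added example (my own illustration for this post, not Lastline's detection code) that scores an API-call trace from a sandbox run for the indicators described above (probing for hypervisor or sandbox artifacts, long stalls bracketed by tick-count reads, quitting right after the probes) and, when a trace from a second environment is available, flags the behavioral divergence that defines evasiveness. The traces, artifact strings and thresholds are constructed for illustration only.

```python
# Added example, not Lastline code: score a sandbox API trace for evasion
# indicators and compare behaviour across two environments. All traces,
# artifact lists and thresholds below are constructed for illustration.
from typing import Dict, List, Set, Tuple

Trace = List[Tuple[str, str]]  # (API name, argument) as a monitor might log it

# Substrings in registry/file/module arguments that betray an analysis
# environment (assumed list; a real one is far longer).
ANALYSIS_ARTIFACTS = ("vmware", "vbox", "virtualbox", "qemu", "sbiedll", "sandbox")
ENV_PROBE_APIS = {"RegOpenKeyExW", "GetModuleHandleW", "GetFileAttributesW", "CreateFileW"}
STALL_MS = 60_000  # a single Sleep this long counts as stalling (assumed threshold)

# Constructed trace: the same sample run in a plain sandbox. It probes,
# stalls and then exits without doing anything else.
TRACE_SANDBOX: Trace = [
    ("GetTickCount", ""),
    ("Sleep", "300000"),
    ("GetTickCount", ""),
    ("RegOpenKeyExW", r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
    ("GetModuleHandleW", "sbiedll.dll"),
    ("GetSystemInfo", ""),
    ("ExitProcess", "0"),
]

# Constructed trace: the same sample on a (stealth) target-like machine.
# The probes are identical, but now the payload runs.
TRACE_TARGET: Trace = TRACE_SANDBOX[:-1] + [
    ("CreateFileW", r"C:\Users\victim\Documents\payroll.xlsx"),
    ("InternetOpenUrlA", "http://example.invalid/upload"),
    ("WriteProcessMemory", "explorer.exe"),
]

# Constructed trace of an ordinary program for comparison.
TRACE_BENIGN: Trace = [
    ("CreateFileW", r"C:\Users\victim\Documents\notes.txt"),
    ("WriteFile", ""),
]


def score_trace(trace: Trace) -> Dict[str, object]:
    """Return the evasion indicators found in one trace and an overall score."""
    indicators: List[str] = []
    probes = 0
    stall_ms = 0
    for i, (api, arg) in enumerate(trace):
        low = arg.lower()
        # Environmental awareness: probing for hypervisor/sandbox artifacts.
        if api in ENV_PROBE_APIS and any(a in low for a in ANALYSIS_ARTIFACTS):
            probes += 1
            indicators.append(f"env-probe:{api}({arg})")
        # Timing-based evasion: long stalls, and tick-count reads around a
        # Sleep that check whether the sandbox accelerated it.
        if api == "Sleep" and arg.isdigit():
            ms = int(arg)
            stall_ms += ms
            if ms >= STALL_MS:
                indicators.append(f"stall:{ms}ms")
            before = i > 0 and trace[i - 1][0] == "GetTickCount"
            after = i + 1 < len(trace) and trace[i + 1][0] == "GetTickCount"
            if before and after:
                indicators.append("sleep-acceleration-check")
    # Cloaking: probing the environment and then quitting without a payload.
    if probes and trace and trace[-1][0] == "ExitProcess":
        indicators.append("exit-after-probe")
    return {"indicators": indicators, "score": len(indicators),
            "probes": probes, "stall_ms": stall_ms}


def behavior_divergence(sandbox: Trace, target: Trace) -> Set[str]:
    """APIs exercised on the target but never in the sandbox: the altered
    behaviour between environments that defines an evasive sample."""
    return {api for api, _ in target} - {api for api, _ in sandbox}


def classify(sandbox: Trace, target: Trace = None, threshold: int = 2) -> str:
    """'evasive' if behaviour diverges between environments, or if a single
    run already shows several evasion indicators (no payload needed)."""
    if target is not None and behavior_divergence(sandbox, target):
        return "evasive"
    return "evasive" if score_trace(sandbox)["score"] >= threshold else "not-evasive"


if __name__ == "__main__":
    print(score_trace(TRACE_SANDBOX))
    print(behavior_divergence(TRACE_SANDBOX, TRACE_TARGET))
    print(classify(TRACE_SANDBOX), classify(TRACE_BENIGN))
```

Note that the sandbox trace alone is enough to flag the sample: it never opens a document or contacts a server, yet the probe-stall-exit pattern scores high, which is exactly the point that no destructive behaviour has to be observed. The divergence check is the stronger signal when a stealth environment is available to compare against, since any API that appears only there is behaviour the sample deliberately withheld from the sandbox.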
My presentation will cover the signs of evasive malware, helping attendees be better equipped to detect this rising and evolving category of malware threats. I will review the evasive techniques that we see being most commonly used in the wild, taking examples, in particular, from a number of malware families that have been popular in the last several months, such as Dyre, Rombertik, and Turla. I will also discuss a few of the techniques that we employ at Lastline Labs to automatically detect and bypass evasion attempts. Finally, I will also touch on the different designs of analysis environments, and why some are better suited than others at identifying these evasion techniques.
If this sounds interesting, make sure to attend my Tech Talk on June 3rd!
Besides discussing malware, I’m looking forward to attending InfoSecurity Europe to connect with CISOs, fellow researchers, and my colleagues from around the world.
Marco Cova, Senior Security Researcher, Lastline Labs, 03 Jun 2015, 12:00-12:25