Uncloaking Advanced Malware: How to Spot and Stop an Evasion

Uncloaking Advanced Malware: How to Spot and Stop an Evasion

At InfoSecurity Europe, ​I’ll be giving a Tech Talk on evasive malware​. ​At Lastline Labs​, we classify a malware sample as evasive if it exhibits altered behavior in a dynamic analysis environment (a ​sandbox​) as compared to a target machine. At a high level, attackers design malware so that it first checks for various signs that it is running inside an analysis environment, as opposed to a real end­user’s machine. If this is the case, the malware is programmed to display a perfectly benign behavior (for example, it may immediately terminate its execution). If malware determines that it is instead running on a real user’s machine, it will perform all of its malicious activities, such as exfiltrating confidential documents or launching denial of service attacks. That is, evasive malware is a sort of Dr Jekyll and Mr Hyde of programs: benign and well behaved to the eyes of unsuspecting analyzers; malicious and destructive for its intended targets.

We’ve seen evasive malware go from theoretical hypothesis to rarity to mainstream threat in just a few years. In fact, we saw ​evasive malware more than double​ from January 2014 to December 2014. What’s more, evasive malware became ​more evasive​ than in the past ­­ shifting from two or three evasive maneuvers per sample a year ago to as many as 10 or more in one sample today.

The four most common evasion technique categories are environmental awareness, confusing automated tools, timing­based evasion, and obfuscation of internal data. While these techniques render most signature­based tools and many behavior­based security tools ineffective, they also betray the attacker by surfacing malicious behaviors in a full­system emulation environment. The very techniques designed to hide malicious intent within code can invite suspicion and lead to detection if they are visible to the security system in place.

So how can enterprises defend themselves against evasive malware? One important technique is to flip the equation and deploy a stealth sandbox to analyze evasive malware in a way that appears to be a target machine. This lets you beat evasive malware at its own game, turning its evasive maneuvers against it by using them to identify malicious code. So rather than (or in addition to) looking for highly suspicious behaviors like process tampering or rootkits­like hooking, evasive malware is best detected by looking for evasiveness. In essence, if the code is acting shifty, it’s probably malicious. If malware is stalling, looping, scanning for an analysis environment then cloaking itself ­­ these are all indicators of malicious intent. No destructive execution or data theft attempts need occur to indicate something is not right.

My presentation will cover the signs of evasive malware, helping attendees be better equipped to detect this rising and evolving category of malware threats. I will review the evasive techniques that we see being most commonly used in the wild, taking examples, in particular, from a number of malware families that have been popular in the last several months, such as Dyre, Rombertik, and Turla. I will also discuss a few of the techniques that we employ at Lastline Labs to automatically detect and bypass evasion attempts. Finally, I will also touch on the different designs of analysis environments, and why some are better suited than others at identifying these evasion techniques.

If this sounds interesting, make sure to attend my ​Tech Talk​ on June 3rd!

Besides discussing malware, I’m looking forward to attending InfoSecurity Europe to connect with CISOs, fellow researchers, and my colleagues from around the world.

Marco Cova, Senior Security Researcher, Lastline Labs, 03 Jun 2015, 12:00 ­ 12:25

Uncloaking Advanced Malware: How to Spot and Stop an Evasion

Not registered for Infosecurity Europe 2015 yet? 

Register to attend Infosecurity Europe

Heading up the London office of Lastline, Marco Cova is a senior security researcher with expertise in systems security, malware analysis and intrusion detection. He has been a Lecturer in Computer Security at the University of Birmingham. He earned his PhD in Computer Science from the University of California, Santa Barbara, and has published dozens of research papers. He also led the design and development of Wepawet, a publicly available service for the analysis of malicious web pages.

Leave a Comment

Your email address will not be published. Required fields are marked *