Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

8/12/2013
07:39 AM
50%
50%

Attackers' Toolbox Makes Malware Detection More Difficult

From virtual-machine detection to taking a 30-minute nap, the array of techniques used by attackers to stymie malware analysis is growing

Sometimes the simplest techniques can foil the complex systems created by security firms and large enterprises to detect malicious programs and files. Putting malware to sleep, waiting for a user to click, or looking for the hallmarks of a virtual machine can set off warning bells and cause a malicious program to cease running, making analysis difficult at best.

Click here for more of Dark Reading's Black Hat articles.

At the Black Hat security conference earlier this month, two researchers from digital defense firm FireEye showed off the menagerie of techniques developed by attackers to detect whether their programs were being run by analysts in a virtual machine or file-based sandboxes. Software security firms and defenders must do better to detect and allow the inspection of malicious programs that use such anti-analysis techniques, says Zheng Bu, senior director of security research for FireEye and a co-presenter of the session.

"File-based sandboxes alone are not effective in detecting malware," Bu says. "The tools are only as good as the person that uses it or the system that leverages the tools."

Since 2005, the number of variants of malware that security firms need to analyze and recognize with their software has skyrocketed. To cull the truly new malware from the known variants, antivirus firms monitor files for malicious behavior and then use automated analysis systems and cloud-distribution platforms to analyze the new threats and then pass the pattern files back down to the customers' anti-malware defenses.

If attackers efforts make automated analysis, which handles the vast majority of malware, more difficult, then they break the model, says Dean De Beer, chief technology officer for ThreatGRID, a malware-analysis service.

"If the attacker can force the workload back onto the human analyst, then they are succeeding because that means that the more malware that can be produced in that manner, the less threats a security firm can detect," he says.

The techniques identified by Bu and his colleague, Abhishek Singh, also of FireEye, include pausing execution for a specific period of time or waiting for human interaction, attempting to detect if the current system on which the malware is running is a virtual machine, and running on only certain types of systems with specific attributes to rule out virtual machine systems.

[Malware writers go low-tech in their latest attempt to escape detection, waiting for human input -- a mouse click -- before running their code. See Automated Malware Analysis Under Attack.]

The simplest techniques can be the best. Because analysis systems need to analyze malware quickly, for example, they typically look for malicious behavior in the first few minutes. That means that techniques that pause execution for a certain amount of time or that wait for a certain action -- such as a mouse click -- can be extremely effective.

Yet security firms have their own ways to deal with those techniques. Anything from hooking into a sleep function and, essentially, accelerating time, to assigning a higher level of suspicion to any program that appears to sleep following installation can help defeat the techniques, De Beer says.

Moreover, these techniques are not yet in wide use because they do require more advanced understanding of analysis techniques and programming, says Liam O'Murchu, manager of security response for Symantec's North American operations.

"There are only a few people that are really innovating, and there are only a few that are following what's out there," he says. "It's among those people where we really will see a large pickup of these types of things being used."

While there are examples of the technique being used to escape detection for some time, such as in the case of Trojan.Upclicker, it requires a lot of effort to continually defeat the latest defenses, he says.

Yet the same is true for defenders, FireEye's Bu says. Any type of sandbox requires an expert hand to be truly effective against modern malware, he says.

"It is a technology, it is a tool, and it's only as good as the system or people who use it," Bu says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I've never actually seen the corporate ladder before.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18898
PUBLISHED: 2020-01-23
UNIX Symbolic Link (Symlink) Following vulnerability in the trousers package of SUSE SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allowed local attackers escalate privileges from user tss to root. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP1 trousers versions prior to 0.3.14...
CVE-2019-19837
PUBLISHED: 2020-01-23
Incorrect access control in the web interface in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote information disclosure of bin/web.conf via HTTP requests.
CVE-2020-7210
PUBLISHED: 2020-01-23
Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts.
CVE-2019-19835
PUBLISHED: 2020-01-23
SSRF in AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed through 200.7.10.102.64 allows a remote denial of service via the server attribute to the tools/_rcmdstat.jsp URI.
CVE-2020-5216
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...