Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

8/12/2013
07:39 AM
50%
50%

Attackers' Toolbox Makes Malware Detection More Difficult

From virtual-machine detection to taking a 30-minute nap, the array of techniques used by attackers to stymie malware analysis is growing

Sometimes the simplest techniques can foil the complex systems created by security firms and large enterprises to detect malicious programs and files. Putting malware to sleep, waiting for a user to click, or looking for the hallmarks of a virtual machine can set off warning bells and cause a malicious program to cease running, making analysis difficult at best.

Click here for more of Dark Reading's Black Hat articles.

At the Black Hat security conference earlier this month, two researchers from digital defense firm FireEye showed off the menagerie of techniques developed by attackers to detect whether their programs were being run by analysts in a virtual machine or file-based sandboxes. Software security firms and defenders must do better to detect and allow the inspection of malicious programs that use such anti-analysis techniques, says Zheng Bu, senior director of security research for FireEye and a co-presenter of the session.

"File-based sandboxes alone are not effective in detecting malware," Bu says. "The tools are only as good as the person that uses it or the system that leverages the tools."

Since 2005, the number of variants of malware that security firms need to analyze and recognize with their software has skyrocketed. To cull the truly new malware from the known variants, antivirus firms monitor files for malicious behavior and then use automated analysis systems and cloud-distribution platforms to analyze the new threats and then pass the pattern files back down to the customers' anti-malware defenses.

If attackers efforts make automated analysis, which handles the vast majority of malware, more difficult, then they break the model, says Dean De Beer, chief technology officer for ThreatGRID, a malware-analysis service.

"If the attacker can force the workload back onto the human analyst, then they are succeeding because that means that the more malware that can be produced in that manner, the less threats a security firm can detect," he says.

The techniques identified by Bu and his colleague, Abhishek Singh, also of FireEye, include pausing execution for a specific period of time or waiting for human interaction, attempting to detect if the current system on which the malware is running is a virtual machine, and running on only certain types of systems with specific attributes to rule out virtual machine systems.

[Malware writers go low-tech in their latest attempt to escape detection, waiting for human input -- a mouse click -- before running their code. See Automated Malware Analysis Under Attack.]

The simplest techniques can be the best. Because analysis systems need to analyze malware quickly, for example, they typically look for malicious behavior in the first few minutes. That means that techniques that pause execution for a certain amount of time or that wait for a certain action -- such as a mouse click -- can be extremely effective.

Yet security firms have their own ways to deal with those techniques. Anything from hooking into a sleep function and, essentially, accelerating time, to assigning a higher level of suspicion to any program that appears to sleep following installation can help defeat the techniques, De Beer says.

Moreover, these techniques are not yet in wide use because they do require more advanced understanding of analysis techniques and programming, says Liam O'Murchu, manager of security response for Symantec's North American operations.

"There are only a few people that are really innovating, and there are only a few that are following what's out there," he says. "It's among those people where we really will see a large pickup of these types of things being used."

While there are examples of the technique being used to escape detection for some time, such as in the case of Trojan.Upclicker, it requires a lot of effort to continually defeat the latest defenses, he says.

Yet the same is true for defenders, FireEye's Bu says. Any type of sandbox requires an expert hand to be truly effective against modern malware, he says.

"It is a technology, it is a tool, and it's only as good as the system or people who use it," Bu says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...