Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

10/4/2013
08:30 PM
50%
50%

Firms, Researchers Seek Better Ways To Detect Evasive Threats

As defenders increasing use dynamic analysis and sandboxes, attackers have adopted a number of evasion techniques forcing security firms and researchers to adapt

When companies relied on the static analysis of binaries to determine whether a program is malicious, attackers came up with a simple way to bypass defenses: obfuscating the code with packers and other techniques.

Many security firms then moved onto dynamic analysis, allowing a program to run in a sandboxed or virtual environment and looking for signs that it was doing something malicious. The strategy is a significant departure from the past, when authors created code that would noisily attempt to exploit a number of vulnerabilities, says Michael Sutton, vice president of research for Zscaler, a cloud security provider.

"A few years ago, we would see them throw everything at the machine, and hoped that one of them worked," he says. "The downside is that it creates more noise and is more likely be picked up by host-based AV. Now, we see them being more surgical in their attacks and only delivering the payload that will work on the compromised platform."

Attackers are increasingly using evasion techniques to foil automated analysis, the latest moves in an ongoing cat-and-mouse game between malware authors and security analysts. While evasion is far from a standard feature of malware, it is frequently used in exploit packs--the attack toolkits developed and sold by rogue developers--an attempt by the authors to delay the reverse engineering of their latest attacks. Recent malware--such as DarkLeech and the latest variants of Capshaw and Kelihos--are examples of the possibilities of evasions.

[Following a program's evolution back to the author may not yet be a reality, but computer scientists are searching for more accurate measures of the relationships between software versions. See Researchers Seek Better Ways To Track Malware's Family Tree.]

Always checking for vulnerable components and only attempting to compromise the system if those components are present, is one of the three ways in which attackers attempt to sabotage defender's analysis. Attackers can also attempt to detect whether its running in a virtual machine or an analysis environment. in many cases, the attackers know the environments used by defenders to analyze malware, so can create effective method of evading detection, says Giovanni Vigna, director of the Center for CyberSecurity at the University of California at Santa Barbara.

"Evasion is the reaction to dynamic analysis, to the sandbox, and it's very difficult to catch," says Vigna. "Most of the analysis right now is done manually after observing that there is bad stuff that has not been detected--that is, a false negative--which is then analyzed manually to find the evasion."

If the attacker is unfamiliar with the analysis environment, they can still use techniques to fool typical analysis setups, such as sleeping for a long period or waiting for human input. Finally, some attackers are starting to gather intelligence to see if the system which they are trying to infect could be a honeypot or even a known compromised systems. A recent version of Kelihos, for example, check Internet black lists to see if the about-to-be-compromised system will likely be blocked.

"They have multiple evasions that targets each environment," says Alexandros Kapravelos, a PhD student in computer science at UCSB and the co-creator of the Revolver system for detecting evasive malware. "While some of these evasions hit our system, the other ones are designed to hit somebody else."

At the USENIX Security Conference in August, Kapravelos, Vigna, and three other researchers from UCSB and the University of Birmingham presented a method for detecting evasive Web malware. The Revolver system creates abstract representations of a program's function and then uses clustering and other machine learning techniques to match the code with known good and bad software. Malicious software that uses evasions become more visible when looked at from a run-time point of view.

Since September 2012, the researchers collected almost 6.5 million Web pages, of which about 266,000 were malicious. From those pages, the researchers culled more than 700,000 benign scripts and 5,700 malicious scripts, which also included 150 different evasion techniques. Some of the evasions took advantages of differences between the Internet Explorer and the browser implemented by the analysis system, known as Wepawet. Other evasions used differences in the rendering of PDF objects to detect the analysis environment.

When the researchers found the attackers using an evasion technique, they would patch their analysis system. Generally, within a few days, attackers would return with a new evasion, the researchers stated in their paper.

This makes "a tool like Revolver necessary to automatically keep track of this behavior and keep false negative detections as low as possible," the researchers stated.

Keeping up with the attackers requires automation, an approach that is used in some form by many security firm in their own fights with attackers, says Zscaler's Sutton.

"That overall approach is fairly accepted in the AV community," he says. "Otherwise you just can't keep up, because there are millions of pieces of malware every day."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Cybersecurity Team Holiday Guide: 2019 Gag Gift Edition
Ericka Chickowski, Contributing Writer,  12/2/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19645
PUBLISHED: 2019-12-09
alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.
CVE-2019-19678
PUBLISHED: 2019-12-09
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the generic field entry point via the Generic Test Definition field of a new Generic Test issue.
CVE-2019-19679
PUBLISHED: 2019-12-09
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the Pre-Condition Summary entry point via the summary field of a Create Pre-Condition action for a new Test Issue.
CVE-2019-19647
PUBLISHED: 2019-12-09
radare2 through 4.0.0 lacks validation of the content variable in the function r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary write. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted input.
CVE-2019-19648
PUBLISHED: 2019-12-09
In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.