Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

10/4/2013
08:30 PM
50%
50%

Firms, Researchers Seek Better Ways To Detect Evasive Threats

As defenders increasing use dynamic analysis and sandboxes, attackers have adopted a number of evasion techniques forcing security firms and researchers to adapt

When companies relied on the static analysis of binaries to determine whether a program is malicious, attackers came up with a simple way to bypass defenses: obfuscating the code with packers and other techniques.

Many security firms then moved onto dynamic analysis, allowing a program to run in a sandboxed or virtual environment and looking for signs that it was doing something malicious. The strategy is a significant departure from the past, when authors created code that would noisily attempt to exploit a number of vulnerabilities, says Michael Sutton, vice president of research for Zscaler, a cloud security provider.

"A few years ago, we would see them throw everything at the machine, and hoped that one of them worked," he says. "The downside is that it creates more noise and is more likely be picked up by host-based AV. Now, we see them being more surgical in their attacks and only delivering the payload that will work on the compromised platform."

Attackers are increasingly using evasion techniques to foil automated analysis, the latest moves in an ongoing cat-and-mouse game between malware authors and security analysts. While evasion is far from a standard feature of malware, it is frequently used in exploit packs--the attack toolkits developed and sold by rogue developers--an attempt by the authors to delay the reverse engineering of their latest attacks. Recent malware--such as DarkLeech and the latest variants of Capshaw and Kelihos--are examples of the possibilities of evasions.

[Following a program's evolution back to the author may not yet be a reality, but computer scientists are searching for more accurate measures of the relationships between software versions. See Researchers Seek Better Ways To Track Malware's Family Tree.]

Always checking for vulnerable components and only attempting to compromise the system if those components are present, is one of the three ways in which attackers attempt to sabotage defender's analysis. Attackers can also attempt to detect whether its running in a virtual machine or an analysis environment. in many cases, the attackers know the environments used by defenders to analyze malware, so can create effective method of evading detection, says Giovanni Vigna, director of the Center for CyberSecurity at the University of California at Santa Barbara.

"Evasion is the reaction to dynamic analysis, to the sandbox, and it's very difficult to catch," says Vigna. "Most of the analysis right now is done manually after observing that there is bad stuff that has not been detected--that is, a false negative--which is then analyzed manually to find the evasion."

If the attacker is unfamiliar with the analysis environment, they can still use techniques to fool typical analysis setups, such as sleeping for a long period or waiting for human input. Finally, some attackers are starting to gather intelligence to see if the system which they are trying to infect could be a honeypot or even a known compromised systems. A recent version of Kelihos, for example, check Internet black lists to see if the about-to-be-compromised system will likely be blocked.

"They have multiple evasions that targets each environment," says Alexandros Kapravelos, a PhD student in computer science at UCSB and the co-creator of the Revolver system for detecting evasive malware. "While some of these evasions hit our system, the other ones are designed to hit somebody else."

At the USENIX Security Conference in August, Kapravelos, Vigna, and three other researchers from UCSB and the University of Birmingham presented a method for detecting evasive Web malware. The Revolver system creates abstract representations of a program's function and then uses clustering and other machine learning techniques to match the code with known good and bad software. Malicious software that uses evasions become more visible when looked at from a run-time point of view.

Since September 2012, the researchers collected almost 6.5 million Web pages, of which about 266,000 were malicious. From those pages, the researchers culled more than 700,000 benign scripts and 5,700 malicious scripts, which also included 150 different evasion techniques. Some of the evasions took advantages of differences between the Internet Explorer and the browser implemented by the analysis system, known as Wepawet. Other evasions used differences in the rendering of PDF objects to detect the analysis environment.

When the researchers found the attackers using an evasion technique, they would patch their analysis system. Generally, within a few days, attackers would return with a new evasion, the researchers stated in their paper.

This makes "a tool like Revolver necessary to automatically keep track of this behavior and keep false negative detections as low as possible," the researchers stated.

Keeping up with the attackers requires automation, an approach that is used in some form by many security firm in their own fights with attackers, says Zscaler's Sutton.

"That overall approach is fairly accepted in the AV community," he says. "Otherwise you just can't keep up, because there are millions of pieces of malware every day."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8216
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8217
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-8218
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8219
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-8220
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions, 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .