
Earlier this month, Lastline, a security firm that focuses on real-time analysis of advanced malware, issued a new report on the evolving landscape of evasive malware.

Co-founder and chief scientist at Lastline Christopher Kruegel published the report as part of his presentation for RSA Conference 2015 entitled, “Evasive Malware Exposed and Deconstructed.” His findings serve as an update for “Antivirus Isn’t Dead, It Just Can’t Keep Up,” which was released by Lastline in May of 2014.

The report indicates that whereas only a small fraction of malware showed any signs of evasion in 2014, a sizable portion now uses a combination of some 500 techniques designed to avoid detection and analysis.

Lastline notes that an individual malware sample commonly exhibits 10 evasive behaviors. However, its research reveals that four types in particular are most common: 1) environmental awareness, 2) confusing automated tools, 3) timing-based evasion, and 4) obfuscating internal data.

Environmental awareness allows malware samples to detect the underlying runtime environment of the system they are trying to infect. This type of evasive behavior allows malware to search for differences between a virtualized and a bare-metal environment, as well as for artifacts in the operating system. As an example, according to research published earlier this year, about one in five (17%) of the Carbanak samples analyzed by Lastline tried to detect a virtual sandbox before executing.

The second evasion technique, confusing automated tools, allows malware to avoid detection by technologies such as signature-based antivirus software. An excellent example of this tactic is seen in the Dyre/Dyreza banking malware. According to research published by Alex Chiu & Angel Villegas, two security analysts for Talos Group, older versions of Dyre hardcoded their URLs when communicating with their command and control (C&C) servers. However, in an attempt to evade malware blacklists, the creators of Dyre have since begun changing the malware’s domain on a daily basis. To adapt to this constant change, newer versions of Dyre now employ a domain generation algorithm (DGA), which computes where the C&C servers will be at any given time. This modification increases the difficulty of blocking traffic associated with the malware.
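The daily-changing domains described above are the defender's detection opportunity: generated names rarely look like words. The following is an added example, not code from the article or from Talos, that scores the registrable label of each queried domain in a constructed DNS log by entropy, digit ratio and vowel ratio and flags the ones that look algorithmically generated (the log format, the heuristic weights and the threshold are assumptions).

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not real traffic). The first two lines are
# ordinary lookups; the last two resemble algorithmically generated names.
SAMPLE_LOG = """\
2015-04-20T10:01:02Z host1 query A www.example.com
2015-04-20T10:01:05Z host1 query A update.microsoft.com
2015-04-20T10:02:11Z host2 query A qxv7zk2p9bw4mdl.net
2015-04-20T10:02:15Z host2 query A tzk9wqpx3vbn7ry.com
"""

# Assumed log layout: "<timestamp> <host> query <type> <domain>"
LOG_RE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")
VOWELS = set("aeiou")

def second_level_label(domain):
    """Return the registrable label, e.g. 'example' for www.example.com."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def dga_score(domain):
    """Heuristic: high entropy, many digits and few vowels are typical of DGA labels."""
    label = second_level_label(domain)
    if not label:
        return 0.0
    entropy = shannon_entropy(label)
    digits = sum(ch.isdigit() for ch in label) / len(label)
    vowels = sum(ch in VOWELS for ch in label) / len(label)
    return entropy + 2.0 * digits - 2.0 * vowels

def flag_dga_queries(log_text, threshold=3.2):
    """Return (host, domain, score) for every query whose label looks generated."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue          # skip lines that do not match the assumed layout
        _ts, host, domain = m.groups()
        score = dga_score(domain)
        if score >= threshold:
            flagged.append((host, domain, round(score, 2)))
    return flagged
```

A real deployment would whitelist known CDN and cloud hostnames first, since some legitimate services also use high-entropy labels.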

Timing-based evasion is the third most common technique observed by Lastline. This type of behavior is used by malware to run at certain times or following certain actions taken by the user. This includes opening a window following initial infection and waiting for the user to click, activating only after the system reboots, and running before or after specific dates. Black POS malware, one of the most pervasive types of POS malware observed in the wild today, exhibits timing-based evasion to the extent that some samples, especially newer variants, check the system time on the infected machine against the time hardcoded into the executable. This feature allows Black POS to execute during certain periods while remaining dormant the rest of the time.

The fourth and final most common evasion technique is obfuscating internal data. Malware that implements this tactic might use any number of tricks to run code that cannot be detected by the analysis system. ROM, a new variant of the Backoff POS malware, uses this method of evasion extensively: it replaces API names with their hashed values, uses a table of hashed values to exclude certain processes from being parsed, and communicates with the C&C server using port 443, which effectively encrypts the traffic. All three of these modifications make it difficult for systems to effectively identify ROM’s malicious nature.
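Hashed API and process names hide strings from signatures, but an analyst can recover them by hashing every known name and looking the constants up. The block below is an added example, not code from the article or from any analysis of ROM: the ROR-13 rolling hash it uses is a widely documented stand-in, not ROM's actual algorithm, and the "observed" constants are constructed here rather than extracted from a real sample.

```python
def ror13_hash(name):
    """Assumed hash: rotate-right-13 accumulator over the ASCII bytes of a name."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # 32-bit rotate right by 13
        h = (h + ch) & 0xFFFFFFFF
    return h

# Candidate names an analyst would hash: common Win32 exports (case-sensitive)
# and process names (matched case-insensitively). Lists are illustrative.
KNOWN_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileA",
    "WriteFile", "InternetOpenA", "InternetConnectA", "CreateRemoteThread",
]
KNOWN_PROCESSES = ["explorer.exe", "svchost.exe", "lsass.exe", "pos.exe"]

def build_hash_table(names, normalize=lambda s: s):
    """Map hash -> original name so constants found in a sample can be resolved."""
    return {ror13_hash(normalize(n)): n for n in names}

API_TABLE = build_hash_table(KNOWN_APIS)
PROCESS_TABLE = build_hash_table(KNOWN_PROCESSES, normalize=str.lower)

def resolve_hashes(values, table):
    """Return {hash: name or None} for each constant; None means not in our list."""
    return {v: table.get(v) for v in values}

# Constructed "observed" constants, as if pulled from the sample's import
# resolver and its process-skip table; one value is deliberately unknown.
OBSERVED_API_HASHES = [ror13_hash("LoadLibraryA"), ror13_hash("WriteFile"), 0xDEADBEEF]
OBSERVED_PROCESS_HASHES = [ror13_hash("svchost.exe"), ror13_hash("pos.exe")]

def recovered_names():
    """Names recovered from both tables, in observation order, skipping unknowns."""
    apis = resolve_hashes(OBSERVED_API_HASHES, API_TABLE)
    procs = resolve_hashes(OBSERVED_PROCESS_HASHES, PROCESS_TABLE)
    return [n for n in list(apis.values()) + list(procs.values()) if n]

if __name__ == "__main__":
    for h, name in resolve_hashes(OBSERVED_API_HASHES, API_TABLE).items():
        print(f"0x{h:08x} -> {name or '<unknown>'}")
```

Unresolved constants are the interesting ones: they point at names missing from the candidate list, which is how an analyst discovers which unexpected APIs or processes a sample cares about.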

It is important to note that most of the malware analyzed by Lastline blends these four behaviors together. To illustrate this, a majority (95%) of Carbanak samples obfuscate their internal data by hiding their network activity through code injection and by creating .exe files that masquerade as system files. At the same time, Backoff’s encryption modification hampers detection by automated tools, and Dyre analyzes its runtime environment (i.e. where it is executing from) in order to determine what it should do next, which includes installing itself as the “googleupdate” service if it is executing from the Windows directory.

Clearly, today’s malware is becoming more sophisticated with respect to the use of evasive behavior. But there is still hope for the information security community. As Engin Kirda, a professor at Northeastern University in Boston and the director of the Northeastern Information Assurance Institute, noted in an article for IBM Security Intelligence last fall, security researchers are beginning to use fingerprinting analysis systems against evasive behaviors as a means to detect malware.

Beyond labeling evasive techniques as signals of malicious software, security researchers can also combat evasion directly. According to Kruegel’s presentation for RSA Conference 2013, “Understanding and Fighting Evasive Malware,” security personnel can counter environmental checks by randomizing the environmental values, or “triggers,” for which malware commonly looks. They can also keep malware from waiting out a sandbox by automatically profiling code execution to recognize sandbox stalling.

Ultimately, these and other solutions that aid information security professionals in their battle against malicious evasion techniques remind us not to give up the fight. Malware might be growing in sophistication when it comes to anti-detection measures, but every day the security community arrives at new measures that turn these same evasion tactics against the malicious software they were designed to protect.

How very satisfying.