Four common malware evasion techniques
Malware evasion technology is always evolving. At the RSA Conference last month, the co-founder of Lastline gave an overview of how evasion technology has developed. The report, titled "Evasive Malware Exposed and Deconstructed", further supports the view that "anti-virus software is not dead, but it cannot keep up with the times".
The report pointed out that in 2014 only a small number of malware samples showed evasive characteristics, but today a considerable number of samples combine any of about 500 evasion techniques to avoid being detected and analyzed.
Lastline noted that a single malware sample usually exhibits only about 10 evasion behaviors. Its research shows that four of them are the most common: environmental awareness, automated obfuscation tools, timing-based evasion, and obfuscation of internal data.
Environmental awareness
Environmental awareness lets a malware sample probe the operating environment of the system it is trying to infect. This evasive behavior allows the malware to tell virtual machines apart from physical machines and to identify the components of the operating system. For example, according to a research report Lastline released earlier this year, about 1/5 (17%) of Carbanak malware samples tried to detect a virtual sandbox environment before executing.
Automated obfuscation tools
This technique keeps malware from being detected by signature-based tools such as anti-virus software. The banking malware Dyreza is a fitting example. According to two security researchers from the Talos group, earlier versions of Dyre hard-coded the URLs used to communicate with its back-end servers. To bypass malware blocklists, however, Dyre's authors began changing the server's domain name on a daily basis. To keep up with the changing domain names, the new version of Dyre deploys a Domain Generation Algorithm (DGA), which computes the back-end server's domain name for any given point in time. Previously, organizations could simply block the malware's traffic; this modification made blocking much more troublesome.
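Because a DGA produces a fresh domain every day, a static blocklist lags behind; a defender can instead look for the traffic pattern the algorithm leaves behind. The following detector is an added example, not code from the page or from Lastline or Talos: it scores the registrable label of each DNS query by entropy and vowel ratio and flags clients that query several random-looking names. The log format and the thresholds are assumptions, and the log lines are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not from the page): "<timestamp> <client> <query name>".
SAMPLE_DNS_LOG = """\
2015-05-01T10:00:01 10.0.0.12 www.example.com
2015-05-01T10:00:02 10.0.0.12 stackoverflow.com
2015-05-01T10:00:03 10.0.0.17 xk3qpz7vlmtd9a.net
2015-05-01T10:00:04 10.0.0.17 qwzvtplxmcgbrn.com
2015-05-01T10:00:05 10.0.0.17 hjkzqxvbwfpdmt.org
2015-05-01T10:00:06 10.0.0.21 update.microsoft.com
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def vowel_ratio(s: str) -> float:
    """Share of vowels; English-like names have many, DGA output usually has few."""
    return sum(ch in "aeiou" for ch in s) / len(s)

def registrable_label(qname: str) -> str:
    # Second-level label, e.g. "example" for "www.example.com" (naive: one-label TLDs only)
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(qname, min_len=10, entropy_threshold=3.2, vowel_threshold=0.25):
    """Heuristic: a long, high-entropy, vowel-poor registrable label (assumed thresholds)."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    return shannon_entropy(label) >= entropy_threshold and vowel_ratio(label) < vowel_threshold

def flag_dga_clients(log_text: str, min_hits: int = 3) -> dict:
    """Return {client: [suspicious qnames]} for clients with at least min_hits such queries.
    One odd name is weak evidence; a burst of them from one host is what DGA traffic looks like."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        _ts, client, qname = fields
        if looks_generated(qname):
            hits[client].append(qname)
    return {c: q for c, q in hits.items() if len(q) >= min_hits}

if __name__ == "__main__":
    for client, names in flag_dga_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like queries: {', '.join(names)}")
```

Long but pronounceable names such as stackoverflow.com pass the entropy test yet fail the vowel test, which is why both checks are combined.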
Timing-based evasion
This is the third most common evasion technique. Malware using it starts only at a specific time or when the user takes a specific action. Typical scenarios include: a window is displayed after the initial infection and waits for the user to click; the malware starts only after the system is restarted; or it runs only before or after a specified date. BlackPOS is currently the most widespread type of POS malware on the market, and some of its samples, especially newer variants, use a degree of timing-based evasion: they read the infected machine's system time and compare it with a hard-coded time. This lets BlackPOS run only during a specific period and sleep at other times.
Obfuscation of internal data
This evasion technique is the most common of all. Malware using it may adopt a range of methods to keep its code from being examined by analysis systems. ROM, a new variant of the Backoff POS malware, illustrates this well: ROM replaces API names with hash values, uses a hash table to skip certain steps in the analysis process, and communicates with its back-end server over port 443, which effectively encrypts the network traffic. These three modifications make it difficult for analysis systems to identify ROM as malicious.
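Replacing API names with hashes removes the readable strings that signatures and analysts rely on, but the hash is deterministic, so an analyst can precompute it over every candidate export and look the names back up. The code below is an added example, not ROM's code or anything from the page: it assumes the widely used ROR-13 hash (the page does not say which function ROM uses) and a constructed, short export list in place of a table built from the real DLLs.

```python
# Assumed hash: ROR-13 over the ASCII name, a scheme common in Windows loaders and
# shellcode. The page does not say which function ROM uses; swap in the real one
# once it has been recovered from the sample.
def ror13_hash(name: str) -> int:
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 bits
        h = (h + byte) & 0xFFFFFFFF
    return h

# Constructed export list (a real table would be built from the DLLs' export directories).
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateProcessA",
    "InternetOpenA", "InternetConnectA", "HttpSendRequestA", "WriteFile",
]

def build_hash_table(api_names, hash_fn=ror13_hash) -> dict:
    """Precompute hash -> name for every candidate export (the hash is one-way, the lookup is not)."""
    table = {}
    for name in api_names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} vs {name}")
        table[h] = name
    return table

def resolve_hashes(observed, table) -> dict:
    """Map each hash pulled from a sample back to an API name, or None if it is not in the table."""
    return {h: table.get(h) for h in observed}

if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_APIS)
    # Constructed "observed" values: two covered APIs plus one the table does not cover.
    observed = [ror13_hash("VirtualAlloc"), ror13_hash("InternetOpenA"), 0xDEADBEEF]
    for h, name in resolve_hashes(observed, table).items():
        print(f"0x{h:08x} -> {name or '<not in table>'}")
```

An unresolved hash is itself a signal: it means either an export outside the table or a different hash function, both worth a closer look.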
It is important to note that the malware Lastline analyzed often mixes these four behaviors. Specifically, 95% of the Carbanak samples are packed and disguised as system files to hide their network activity and obfuscate internal data. Backoff's encryption behavior hinders automated tools, and Dyre analyzes its runtime environment to decide what to do next: if it is executed from the Windows directory, one possible behavior is installing itself as a "googleupdate" service.
Clearly, today's malware is becoming more complex through its use of evasion techniques. But there is still hope for the information security community. Last fall, a professor at Northeastern University in Boston wrote for IBM Security Intelligence that security researchers are starting to use analysis systems that detect malware by its evasive behavior.
Besides treating evasion itself as a signal of malware, security staff can also counter the evasive behavior directly. In his talk at the 2013 RSA Conference, the professor said that people need to understand and defend against evasive malware. Malware often looks for triggers, and security staff can randomize those triggers to expose the malware's environment-analysis behavior. Security staff can also set up automated side writes for code execution to defeat timing-based evasion.
Solutions like these, and more, tell us not to give up the fight against evasion technology. Malware may keep maturing as it adds anti-detection measures, but every day the security community discovers new methods and uses the malware's own evasion strategies against it, turning its own tactics back on it.