Since the birth of malware, the battle between malicious code and the anti-malware products used to detect and block it has never stopped. In this constant struggle, some enterprises and individuals always end up as victims. Security research, detection, and design staff work overtime to analyze malicious code, while malware writers keep devising new methods to defeat analysts and automated tools. This article analyzes the main methods malware authors use to evade detection and defeat analysis, and proposes countermeasures.
The goal of malware is to install and keep malicious code running on the victim's computer. Malware relies on the victim's machine to steal logon credentials, send spam, or make the machine part of a botnet, all without the victim's knowledge.
Dealing with Reverse Engineering
Reverse engineering is the enemy of trade secrets, and it is just as much an enemy in the eyes of malware makers. Malware vendors realized this long ago: every day, large numbers of security researchers run large numbers of analysis and detection tools over large numbers of suspicious samples. This forces malware vendors to keep improving their products so that they evade these security tools and make their malicious code harder to reverse engineer.
Evading detection: avoiding initial capture
We must face one fact: anti-malware is a "reactive" technology. You can develop a signature for a specific piece of malicious code (like it or not, most anti-malware software is still signature-based), but only once you have seen that code. Although security vendors deploy tools such as honeypots, most of the files they investigate still come from user submissions. How can an anti-malware vendor mark malicious code as "malware" if it never sees it? The principle malware vendors follow is therefore simple: minimize the chance of their code being submitted and captured. That is all there is to the trick.
Restrict distribution of malware
On the surface, this seems to contradict the general business model of malware. However, a new and growing production model has begun to gain ground: small, specialized malware built to target a particular company or even a particular individual. Such specialized malware generally aims to gather business intelligence. Its limited distribution is a huge challenge for companies that analyze and detect malware based on signatures.
A related phenomenon: some malware makers (some of them established operations) no longer try to infect as many machines as possible with a limited set of malware, but instead release large numbers of individual malware families or variants, so that the outbreak never looks "large-scale".
Impersonate or mimic user behavior
This type of malware is cautious about using the network for communication, and communicates only in ways that imitate normal user behavior. Its traffic looks like a duck and walks like a duck, even though it is actually a fake duck.
Moderate use of infected machine resources
This type of malware is not a vampire that drains its victim dry. It uses so few resources on servers or end-user machines that it almost never triggers investigation by security administrators or their tools.
The above are some of the methods and models adopted by today's malware; advanced evasion technologies are discussed below. Beyond the "best practices" for evading security analysts and researchers described above, malware authors also use various technologies to hinder analysts who reverse engineer their code.
Advanced evasion: preventing reverse engineering
First, we (the users or victims) need to work out what the malware author expects to gain from hindering reverse engineering. Then we can judge whether a particular technical measure actually delivers the benefit the author seeks. More importantly, from a security perspective, we can start looking for ways to counter it.
There are two main purposes for preventing reverse engineering: hiding malicious intent, and disrupting or blocking reverse engineering tools.
Like encoding, code obfuscation has existed for many years and remains in vigorous use in fields other than malware; many commercial applications use these technologies to protect legitimate trade secrets. Many malicious code authors have likewise adopted this technology to protect their malicious programs.
In implementation, code obfuscation differs greatly from simple encoding, but it rests on the same idea: encoding the software's instructions keeps them "quiet" and makes them appear incomprehensible, while a small, genuinely executable "residual" stub decodes the original instructions immediately before the malicious code runs. Obfuscated code may look meaningless until the malware decodes and executes it. For example, see the following obfuscated PHP code:
Here, the malware author uses a base64_decode() call to turn a seemingly meaningless string into attack code. The tools and techniques malware uses do something similar on far more complex obfuscated scripts or executable code.
Packing an executable is the same idea applied to executable code rather than scripts: the packer encodes the executable program and inserts a short "decoding" stub at the beginning of the encoded data, which decodes and starts the original program, just as in the preceding example.
Note that the stub is an extremely short piece of code. It usually also handles operations such as loading dynamic link libraries.
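The layout just described (a short decoding stub followed by a long block of encoded data) leaves a recognizable entropy profile, and checking for it is one of the first triage steps an analyst applies to a suspicious binary. The following is an added example, not code from the original article: the two samples are constructed byte buffers that stand in for a packed and an unpacked file, and the window size and threshold are assumptions a real analyser would tune per file format.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, approaching 8.0 for encoded/compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(blob: bytes, window: int = 1024) -> list:
    """Entropy of each consecutive window of the file, in file order."""
    return [shannon_entropy(blob[i:i + window]) for i in range(0, len(blob), window)]

def looks_packed(blob: bytes, window: int = 1024, threshold: float = 7.0):
    """Detect the packed-file shape: a short low-entropy stub followed by a long high-entropy body.
    Returns (verdict, offset where high entropy begins or None, fraction of high-entropy windows)."""
    high = [e >= threshold for e in entropy_profile(blob, window)]
    if not any(high):
        return False, None, 0.0
    fraction = sum(high) / len(high)
    return fraction >= 0.5, high.index(True) * window, fraction

def constructed_packed_sample() -> bytes:
    """Constructed stand-in for a packed binary: a 1 KiB repetitive 'stub' followed by 8 KiB of
    pseudo-random bytes (a SHA-256 chain, so the sample is deterministic) standing in for the
    encoded program. Not a real executable."""
    stub = b"\x55\x89\xe5\x8b\x45\x08\x31\xc9" * 128      # 8 distinct byte values -> 3.0 bits/byte
    body, block = b"", b"constructed-seed"
    while len(body) < 8192:
        block = hashlib.sha256(block).digest()
        body += block
    return stub + body

def constructed_plain_sample() -> bytes:
    """Constructed stand-in for an unpacked binary: repetitive code-like bytes throughout."""
    return b"\x55\x89\xe5\x8b\x45\x08\x31\xc9\x90\xc3" * 800

if __name__ == "__main__":
    for name, sample in (("packed", constructed_packed_sample()), ("plain", constructed_plain_sample())):
        print(name, looks_packed(sample))
```

The offset returned for the packed sample is where the stub ends, which is exactly where an unpacker or a debugger breakpoint on the decoding loop should focus.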
For obfuscated executable code, we also need to pay attention to polymorphism. The concept is easy to understand: a complex program is split into pieces that can be assembled in many ways. For example, a tool can scan a piece of executable code for particular instructions and replace them with randomly selected equivalent sequences, so that the malicious program no longer matches the signature the anti-malware product uses to detect it. In practice, polymorphism can operate at far more complex levels, but its philosophy is always to replace code blocks with functionally equivalent ones.
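To see why functionally equivalent substitution defeats a byte signature, and how a detector counters it by normalising instructions to their meaning before matching, here is an added example that is not from the original article. The opcode table and the three routine variants are constructed for illustration; a real analyser would drive the tokeniser from a disassembler rather than a hand-written table.

```python
# Known x86 encodings mapped to a canonical semantic token (constructed table for this example;
# None marks a no-op that the normaliser simply drops).
EQUIVALENTS = {
    b"\x31\xc0": "zero_eax",              # xor eax,eax
    b"\x33\xc0": "zero_eax",              # xor eax,eax (alternate encoding)
    b"\x29\xc0": "zero_eax",              # sub eax,eax
    b"\xb8\x00\x00\x00\x00": "zero_eax",  # mov eax,0
    b"\x40": "inc_eax",                   # inc eax
    b"\x83\xc0\x01": "inc_eax",           # add eax,1
    b"\x90": None,                        # nop
    b"\x87\xc0": None,                    # xchg eax,eax (also a no-op)
    b"\xc3": "ret",                       # ret
}

def normalise(code: bytes) -> list:
    """Rewrite raw bytes as canonical tokens, trying the longest known encoding first."""
    tokens, i = [], 0
    while i < len(code):
        for length in (5, 3, 2, 1):
            chunk = code[i:i + length]
            if chunk in EQUIVALENTS:
                if EQUIVALENTS[chunk] is not None:
                    tokens.append(EQUIVALENTS[chunk])
                i += length
                break
        else:
            raise ValueError(f"unknown encoding at offset {i}: {code[i:i + 1].hex()}")
    return tokens

def byte_signature_match(code: bytes, signature: bytes) -> bool:
    """Classic signature: exact byte substring."""
    return signature in code

def semantic_match(code: bytes, pattern: list) -> bool:
    """Semantic signature: token subsequence after normalisation."""
    toks, n = normalise(code), len(pattern)
    return any(toks[i:i + n] == pattern for i in range(len(toks) - n + 1))

# Constructed variants of one routine (zero eax, increment it, return) as a substitution
# engine might emit them; all three behave identically at run time.
VARIANT_A = b"\x31\xc0\x40\xc3"                      # xor eax,eax; inc eax; ret
VARIANT_B = b"\x29\xc0\x90\x83\xc0\x01\xc3"          # sub eax,eax; nop; add eax,1; ret
VARIANT_C = b"\xb8\x00\x00\x00\x00\x87\xc0\x40\xc3"  # mov eax,0; xchg eax,eax; inc eax; ret
BYTE_SIGNATURE = VARIANT_A                           # signature taken from the first sample seen
SEMANTIC_SIGNATURE = ["zero_eax", "inc_eax", "ret"]
```

The byte signature matches only the variant it was extracted from, while the normalised pattern matches all three, which is the reason modern engines pair byte signatures with emulation or semantic matching.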
In the preceding example, the decoded commands are executed with the eval() function, producing the following recognizable code:
The decoded code reveals a PHP script that reports details of machines vulnerable to remote file inclusion (RFI) attacks (such as the inbound URI, the operating system type, and whether PHP safe mode is enabled) back to the author of the malicious program.
In fact, there are many code packing tools, each a variant of the packing concept above; Morphine is one of the most famous.
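The eval(base64_decode(...)) pattern discussed above can be unwrapped statically, without ever executing the script, which is how an analyst recovers the hidden code safely. The following is an added example and not code from the original article: it handles nested wrapper chains such as eval(gzinflate(base64_decode('...'))) and peels them layer by layer; the two-layer PHP sample is constructed inside the block and its hidden payload is a harmless echo.

```python
import base64
import re
import zlib

# eval( f1( f2( ... 'LITERAL' ) ... ) );  -> group 1 = wrapper chain, group 2 = the literal
EVAL_RE = re.compile(
    r"eval\s*\(\s*((?:\w+\s*\(\s*)+)['\"]([A-Za-z0-9+/=\s]*)['\"]\s*\)+\s*;?", re.S
)

# PHP wrapper functions this analyser can reverse offline; nothing is ever executed.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda data: zlib.decompress(data, -15),   # PHP gzinflate = raw DEFLATE
    "gzuncompress": zlib.decompress,                        # zlib-wrapped stream
    "strrev": lambda data: data[::-1],
}

def peel_layer(source: str):
    """Undo the first eval(...) wrapper chain found; returns (chain, decoded bytes) or None."""
    m = EVAL_RE.search(source)
    if m is None:
        return None
    chain = re.findall(r"\w+", m.group(1))      # outermost -> innermost, e.g. [gzinflate, base64_decode]
    data = m.group(2).encode()
    for func in reversed(chain):                 # PHP would apply the innermost call first
        if func not in DECODERS:
            raise ValueError(f"unsupported wrapper: {func}")
        data = DECODERS[func](data)
    return chain, data

def deobfuscate(source: str, max_layers: int = 10):
    """Peel nested layers until no eval() remains; returns (list of chains, final plaintext)."""
    layers, current = [], source
    for _ in range(max_layers):
        peeled = peel_layer(current)
        if peeled is None:
            break
        chain, data = peeled
        layers.append(chain)
        current = data.decode("utf-8", errors="replace")
    return layers, current

def constructed_sample() -> str:
    """Two-layer obfuscated PHP built here for the demonstration; the hidden payload is harmless."""
    inner = b'<?php echo "decoded payload"; ?>'
    layer1 = b"eval(base64_decode('" + base64.b64encode(inner) + b"'));"
    deflater = zlib.compressobj(wbits=-15)                 # raw DEFLATE, as gzinflate expects
    packed = base64.b64encode(deflater.compress(layer1) + deflater.flush()).decode()
    return f"<?php eval(gzinflate(base64_decode('{packed}'))); ?>"
```

The max_layers bound matters in practice: some obfuscators nest dozens of layers, and an unbounded loop on a malformed sample is an easy way to hang an analysis pipeline.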