Techniques malware authors use to evade detection
Posted on 02.08.2013
FireEye released a new report that reveals several techniques used by advanced malware to sidestep signature-based defenses during attacks.

Today’s sophisticated, polymorphic malware is able to hide, replicate, and disable host protections using a variety of techniques, rendering single-flow, file-based sandbox solutions ineffective.


“In today’s threat landscape, traditional sandboxes no longer offer a silver bullet against sophisticated attackers,” said Zheng Bu, senior director of research. “Malware is increasingly able to determine when it is running in a virtual environment and alter its behavior to avoid detection. Effective detection requires analyzing the context of behavior and correlating disparate phases of an attack through multi-flow analysis.”

The methodologies malware authors are using to evade file-based sandboxes typically fall into one or more of the following categories:

Human interaction: Malware in this category lies dormant until it detects signs of a human at the keyboard. The UpClicker Trojan, discovered by FireEye in December 2012, used mouse clicks to detect human activity, establishing communication with its malicious CnC servers only after detecting a click of the left mouse button.

Configuration: Sandboxes mimic the physical computers they are protecting, yet they are still configured to a defined set of parameters. Most sandboxes only monitor files for a few minutes before moving on to the next file. Therefore, cybercriminals simply wait out the sandbox and attack after the monitoring process is completed.

Environment: Malware often seeks to exploit flaws present only in specific versions of an application. If a predefined configuration within a sandbox lacks a particular combination of operating system and applications, some malware will not execute, evading detection.

Classic VMware evasion techniques: VMware, a popular virtual-machine tool, is particularly easy to identify because of its distinctive configuration, and malware writers take advantage of this. For example, malware can check for VMware services before executing.
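The four categories above all leave traces in a sandbox's own behaviour log, so a defender can score a sample on what it did before (or instead of) doing anything malicious. The script below is an added example, not code from FireEye or from the report; it assumes a constructed trace format (`<ms> <pid> <api>(<args>)`), an assumed 2-minute monitoring window, and a small assumed list of VMware-related name fragments. It flags three of the patterns the article describes: cumulative sleeps that outlast the monitoring window, a mouse hook with network activity gated on a left-click (the UpClicker pattern), and probes for VMware services or processes.

```python
"""Score a sandbox API-call trace for sandbox-evasion indicators.

Added example (not FireEye's or the report's code). The trace format,
the 120 s window and the artifact name list are assumptions chosen
for illustration; the two traces at the bottom are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed trace line format: "<ms since start> <pid> <api>(<args>)"
LINE_RE = re.compile(r"^(?P<t>\d+)\s+(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)$")

SANDBOX_WINDOW_MS = 120_000                       # assumed monitoring window
VM_ARTIFACT_TERMS = ("vmware", "vmtools")         # assumed, matched case-insensitively
ENUM_APIS = {"OpenService", "Process32Next", "RegOpenKeyEx"}   # where VM probes show up
NET_APIS = {"connect", "InternetOpenUrl"}         # treated as CnC-capable calls


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def parse(trace: str) -> list[tuple[int, str, str]]:
    """Return (time_ms, api, args) tuples; lines that do not match are skipped."""
    events = []
    for line in trace.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["t"]), m["api"], m["args"]))
    return events


def score(trace: str) -> list[Finding]:
    events = parse(trace)
    findings: list[Finding] = []

    # "Configuration": total Sleep() long enough to outlast the monitoring window.
    total_sleep = sum(int(a) for _, api, a in events if api == "Sleep" and a.isdigit())
    if total_sleep >= SANDBOX_WINDOW_MS:
        findings.append(Finding("wait_out_sandbox",
                                f"sleeps {total_sleep} ms, window is {SANDBOX_WINDOW_MS} ms"))

    # "Human interaction": a mouse hook is installed and every network call
    # happens only after a left-click (or never happens at all, i.e. dormant).
    hook_t = next((t for t, api, a in events
                   if api == "SetWindowsHookEx" and "WH_MOUSE" in a), None)
    click_t = next((t for t, api, a in events
                    if api == "MouseEvent" and "LEFT" in a), None)
    net_times = [t for t, api, _ in events if api in NET_APIS]
    if hook_t is not None and all(click_t is not None and t > click_t for t in net_times):
        findings.append(Finding("gated_on_mouse",
                                "network activity absent or only after a left-click"))

    # "Classic VMware evasion": enumeration calls naming VMware artifacts.
    probes = [a for _, api, a in events
              if api in ENUM_APIS and any(term in a.lower() for term in VM_ARTIFACT_TERMS)]
    if probes:
        findings.append(Finding("vm_artifact_probe", "probed: " + ", ".join(probes)))

    return findings


def is_evasive(trace: str) -> bool:
    return bool(score(trace))


# Constructed sample traces (not real sandbox output).
EVASIVE_TRACE = """
0      1000 OpenService(VMTools)
5      1000 Process32Next(vmtoolsd.exe)
20     1000 SetWindowsHookEx(WH_MOUSE_LL)
30     1000 Sleep(90000)
90040  1000 Sleep(60000)
150050 1000 MouseEvent(LEFT_DOWN)
150060 1000 connect(203.0.113.5:443)
"""

BENIGN_TRACE = """
0  2000 CreateFile(C:\\Users\\user\\report.docx)
10 2000 Sleep(500)
20 2000 connect(198.51.100.7:443)
"""

if __name__ == "__main__":
    for name, trace in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_TRACE)):
        print(name, [(f.rule, f.detail) for f in score(trace)])
```

The three rules are deliberately independent so that a sample triggering only one of them still stands out; a verdict based on the combination of dormant behaviour, a mouse hook and a VM probe is what the article calls correlating disparate phases of an attack, rather than judging a single call in isolation.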

The complete report is available here.
