Evasive malware goes mainstream

Lastline Labs conducted analysis of hundreds of thousands of malware samples collected in 2014 and unveiled their findings at RSA Conference 2015 in San Francisco.

Malware that is used by APT groups increasingly leverages sophisticated evasive maneuvers to hide its true malicious nature from traditional sandboxes until it reaches a specific target machine. Lastline saw the number of evasive malware samples double from January 2014 to December 2014.

Dr. Christopher Kruegel, Chief Scientist at Lastline told Help Net Security: “Our Lastline Labs report shows that evasive malware, custom-engineered to elude traditional sandboxes, has gone from niche to mainstream. At the same time, signature-based AV scanners became considerably worse at detecting the 1% least-detected malware over the past year. This indicates that both first generation sandbox solutions and signature-based AV systems aren’t able to adapt to new advanced and evasive threats.”

Individual malware samples are incorporating more evasive behaviors, combining several of the 500+ distinct evasive behaviors observed. While a year ago only a small fraction of malware showed any signs of evasion, today a sizeable portion is evasive. And while evasive malware a year ago tended to leverage at most two or three evasive tricks, much of today's evasive malware is tailored to bypass detection using as many as 10 or more different techniques.
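
The paragraph above describes the mechanism in general terms: a sample runs a battery of independent environment checks and releases its payload only when every check passes and the host matches the intended target. The following Python is an added illustration written for this page, not code from the Lastline report or from any real sample; the specific checks, thresholds, process names, hostnames and the target key are all assumptions chosen to make the decision logic visible. Each check is weak on its own, but a sandbox has to pass all of them at once, which is why piling on 10 or more techniques defeats analysis environments that only emulate a few host properties.

```python
"""Model of a multi-check evasive sample (illustrative, not a real family).

The sample releases its payload only when no check suggests an analysis
environment AND the host matches a hashed target identity. Thresholds, tool
names and the target are assumptions for this example.
"""
import hashlib
import os
import socket
import time
from dataclasses import dataclass, field


@dataclass
class HostSnapshot:
    """Facts about the host that the checks consume."""
    cpu_count: int
    ram_gb: float
    uptime_s: float
    hostname: str
    domain: str
    slept_s: float                 # wall-clock time observed across one sleep call
    processes: list = field(default_factory=list)


# Assumed thresholds: typical analysis VMs are small, freshly booted and
# fast-forward sleeps to shorten analysis time.
MIN_CPUS = 2
MIN_RAM_GB = 4.0
MIN_UPTIME_S = 10 * 60
SLEEP_REQUEST_S = 2.0
ANALYSIS_TOOLS = {"procmon.exe", "wireshark.exe", "x64dbg.exe", "vboxservice.exe"}


def looks_like_sandbox(h: HostSnapshot) -> list:
    """Return the names of every evasion check that fires; an empty list means 'clean'."""
    fired = []
    if h.cpu_count < MIN_CPUS:
        fired.append("few_cpus")
    if h.ram_gb < MIN_RAM_GB:
        fired.append("low_ram")
    if h.uptime_s < MIN_UPTIME_S:
        fired.append("fresh_boot")
    # If less real time passed than was requested, the sandbox skipped the sleep.
    if h.slept_s < SLEEP_REQUEST_S * 0.9:
        fired.append("sleep_skipped")
    if ANALYSIS_TOOLS & {p.lower() for p in h.processes}:
        fired.append("analysis_tool")
    return fired


def target_key(hostname: str, domain: str) -> str:
    """Hash of the host identity; the binary carries only this digest, not the names."""
    return hashlib.sha256(f"{hostname.lower()}|{domain.lower()}".encode()).hexdigest()


# Assumed victim identity, embedded as a hash so a static analyst cannot read it.
EXPECTED_TARGET = target_key("fin-ws-017", "corp.example")


def decide(h: HostSnapshot):
    """Return ('payload' | 'decoy', reasons). Any single failed check yields the decoy path."""
    fired = looks_like_sandbox(h)
    if fired:
        return "decoy", fired
    if target_key(h.hostname, h.domain) != EXPECTED_TARGET:
        return "decoy", ["wrong_target"]
    return "payload", []


def snapshot_live_host(sleep_s: float = SLEEP_REQUEST_S) -> HostSnapshot:
    """Collect a real snapshot of the current machine (Linux-flavoured, with fallbacks)."""
    try:
        with open("/proc/uptime") as f:
            uptime = float(f.read().split()[0])
    except OSError:
        uptime = float("inf")
    try:
        ram_gb = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / 2 ** 30
    except (ValueError, OSError, AttributeError):
        ram_gb = float("inf")
    t0 = time.monotonic()
    time.sleep(sleep_s)
    slept = time.monotonic() - t0
    fqdn = socket.getfqdn()
    domain = fqdn.split(".", 1)[1] if "." in fqdn else ""
    # Process enumeration is omitted here; pass names in explicitly if you want that check.
    return HostSnapshot(os.cpu_count() or 1, ram_gb, uptime, socket.gethostname(), domain, slept)


# Constructed sample hosts (not real telemetry).
SANDBOX = HostSnapshot(1, 2.0, 90, "WIN7-ANALYSIS", "WORKGROUP", 0.01,
                       ["explorer.exe", "procmon.exe"])
TARGET = HostSnapshot(8, 16.0, 5 * 24 * 3600, "FIN-WS-017", "corp.example", 2.0,
                      ["explorer.exe", "outlook.exe"])
BYSTANDER = HostSnapshot(8, 16.0, 5 * 24 * 3600, "hr-ws-003", "corp.example", 2.0,
                         ["explorer.exe", "outlook.exe"])

if __name__ == "__main__":
    for name, host in (("sandbox", SANDBOX), ("target", TARGET), ("bystander", BYSTANDER)):
        print(name, decide(host))
```

Running the module prints the decision for the three constructed hosts: the sandbox trips all five checks, the bystander passes every environmental check but fails the target gate, and only the intended host reaches the payload path. The defender-side lesson is the one Kruegel draws in the quote that follows: a detonation box that fakes just a few of these properties still exposes itself through the others, so you either emulate the whole host faithfully or observe the sample at the instruction level, where the checks themselves become the indicator.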

“To properly address evasion, we require a full system emulation platform which allows us to see every individual CPU instruction that a malware process executes. We also need context around malware samples, which is vital to help security professionals understand whether a discovered program is some run-of-the-mill attack or targeting their specific organization. This points to the critical need for having malware intelligence that is comprehensive, accurate and timely,” Kruegel added.
