Act Normal — Malware, You are being watched!

As you would imagine, malware authors are acutely aware of their need to maintain the FUD (Fully Undetectable) status, as it is commonly referred to in the malware world, of the malware they create, for as long as possible. The longer the malware perpetrators can delay detection of their malware by security products, the longer they can keep reaping their ill gotten gains from infiltrating their victims.

These ill gotten gains could come in the way of the ability to use victim computers for DDoS (Distributed Denial of Service) attacks, clickjacking, Bitcoin mining or even for tunneling attacks through to other systems via these victim computers to obscure the true origin of attack. Of course this is all in addition to the potential for exploiting users who use these victim computers, in ways which can range from straightforward identity theft and theft of financial information to even the theft of any private or proprietary information monetizable in the cyber crime black market.

Then there are the more elaborate blackmailing attempts made against some victims by leveraging any compromising information harvested through webcams or microphones, which seem to be getting some media attention lately. As the malware market matures, malware perpetrators seem to discover more and more avenues to maximize the returns of their infiltration as time passes.

Ways Malware Authors Maintain FUD Status

So what are some of the things malware authors have to fight against to maintain this coveted FUD status and what are some of the strategies they employ?

First they have to fight the binary file signatures designed to detect their malware by security products. Malware have historically fought such security technologies by changing the nature of the binaries that the malware is composed of on an ongoing basis by using an array of different techniques. This cat and mouse tug of war has been waging on for decades. As security products incorporate better heuristics and deeper analysis methods which recognize the binary features beneath the surface obfuscations, malware authors have responded with more elaborate obfuscations and better polymorphism.

The contemporary original malware entry vectors range from exploiting security vulnerabilities commoditized by exploit packs floating around in the cyber crime market to plain old social engineering attacks via spam campaigns, compromised websites or sometimes even newspaper classifieds! It is not uncommon to even see private zero day security vulnerabilities used to pry open an entry vector into victim computers.

Unlike a couple of decades ago, malware has not been reliant on file sharing between users to spread for quite some time, even though P2P networks and pirated software distribution sites are still routinely used by malware perpetrators as means of reaching new victims. While both security technology vendors and operating system vendors have addressed and continuously update any technical shortcomings that make this type of infiltration feasible, sophisticated social engineering attempts tend to largely sidestep security technologies and infiltrate by directly exploiting users.

That said however, security products have over the years come to incorporate detection methods to identify these infiltration attempts, both known and novel (based on heuristics) thus attacking the FUD status of malware at the point of spreading, even at the network layer. To address this, malware have adopted some of the old obfuscation strategies from the binary obfuscation domain to alter the binary appearance of security exploits, specific attacks against spam filtering and also other means such as using advertising networks to deliver attacks to users who visit websites they trust. Automated web crawlers deployed by security vendors to detect distribution points of malware is fought against by not delivering malware to known web crawlers or anomalous potential victims.

Malware albeit to a lesser extent have even adopted changing the way it behaves to fool security technologies that vigilantly guard against software behaviour that is seen within a system which is likely to be the action of malware.

NIPS (Network Intrusion Prevention System) installations have also become quite sophisticated in recognizing both mass infiltration attempts and C&C (Command & Control) channels used by malware, so again the same strategies of obfuscation are employed in this domain too by malware authors to further their goal of maintaining a FUD status for their malware.

Essential First Step to Detecting Malware

In all of these various different battlegrounds where the greater war against malware is fought, the analysis by the security industry and computing infrastructure vendors, of the specific nature of any malware has proven to be the essential first step which eventually leads to the malware being detected on a broader scale by security products, thus ripping the FUD status away from such malware.

Given the degree of malware data sharing and the well seasoned analysis capabilities of the security industry, when malware generally loses the FUD status to one security vendor, it is not long before the rest of the industry follows and malware authors have to address being detected on a large scale. Therefore, malware authors rightfully recognize that it is paramount to deter the analysis of their malware for as long as they can, buying them time to reap benefits of the malware campaigns.

Following are three techniques they employ to deter the analysis of their malware:

  • Tie the normal functionality of the malware to the intended delivery mechanism or entry vector (for example cryptographically) such that an analyst that receives the malware samples without actually being actively infiltrated will not see the normal nature and functionality of the malware.
  • Make the normal nature and functionality of the malware dependent on not having any software sandboxes or debuggers, routinely used by the malware analysts, acting upon the malware.
  • Detect if the malware is executing in a bare metal machine environment, typical of end user systems that malware campaigns routinely target and only activate the malware aspects in such systems as opposed to virtual machines environments analysts often use to analyze malware.

Thus in a nutshell, malware authors tend to desire the verification of the authenticity of the environment their malware is running in to ensure that their victim is real and not an analyst attempting to uncover the inner workings of the malware so the security technologies can be adapted to detect the malware. In my next post we’ll continue this exploration zooming in on how malware authors attempt to differentiate between bare metal systems typical of end users who are usually their real victims from virtual machine environments that are often employed by malware analysts.

In the meantime, please leave your thoughts and comments below.

more from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however,…

World’s Largest Darknet Market Shut Down, $25 Million in Bitcoin Seized

On April 5, German authorities announced the takedown of the Hydra marketplace, the world’s largest darknet market trading in illicit drugs, cyberattack tools, forged documents and stolen data. The criminal operation, with about 17 million customer accounts, raked in billions in bitcoin before getting shut down. On its website, the Federal Criminal Police Office (BKA) stated it had secured and…