Uncloaking the Dark Arts of Evasive Malware

With so many security breaches in the headlines, from Home Depot to JP Morgan to Dairy Queen, it would appear that cybercriminals are winning the arms race against security professionals. Multinational retailers and banks are generally on the cutting edge of security technology adoption in the private sector, deploying a wide range of the latest network, application, physical and policy-based security defenses across their organizations. But with so many layers of defense in place against these attackers, how do they keep getting through? And with so many breaches made possible by malware being publicly disclosed, why are they still happening?

One of several answers is that malware is evolving and adapting to evade detection by traditional defenses. Signature-based antivirus (AV) and web gateway technologies can’t keep up with the rapid evolution of evasive malware. As my Lastline Labs colleague, fellow Lastline co-founder and UCSB Professor Dr. Giovanni Vigna wrote in May, nearly half of malware gets past signature-based AV technologies on Day 0, and some malware gets past some AV scanners for a full year. Because attackers can use simple techniques like obfuscation to bypass AV detection, signature-based AV is not effective in detecting advanced malware.

A Security Gap in Security Solutions That Aren’t Evasion-Resistant

Producers of malware have also come up with ways to fingerprint the security systems designed to fingerprint them. And newer, behavior-based anti-malware sandboxes, which rely on virtualized operating systems to test unknown binaries before allowing them onto the network, are both visible to evasive malware and lack full visibility into how malware would behave in a “real” environment.

If you look at the evolution of security defenses from AV protection to virtualized sandboxing, they map to the evolution of malware from simple viruses to polymorphism to packing to APTs. But there is currently a security gap in security solutions that aren’t evasion-resistant.

Thus, it becomes very important to better understand evasive malware. What is evasion?

Evasion is code that changes the behavior of the malware if it detects that it is running in a traditional sandbox, or it has not reached the intended target, or that some sort of detection technology is running in the background. Malware authors know that sandboxing (or “dynamic analysis”) is popular and widely used, and because code is being executed, malware authors have options to detect analysis.

Key Behaviors of Evasive Malware

Evasive malware isn’t entirely undetectable though. The more we see it, the more we can learn from it, and the faster we can stop it. There are key behaviors of evasive malware we can watch for and retool security systems to detect.

First, evasive behaviors often vary across static and dynamic analysis environments. Static analysis techniques can be evaded by packing, encrypting or delaying the inclusion of incriminating code. Static analysis can also be eluded through exploitation of differences between the target system (say a Windows laptop) and the analysis system (say a gateway appliance). In this example, if the target is the Windows OS, the malware producer can either parse an executable to exploit Windows or a document to exploit Office. Static analysis techniques can be rendered useless by making particular malware operations dependent on data known only at run-time, such as table lookups based on user input.

To bypass dynamic analysis, evasive malware will fingerprint security systems and then fail to execute, stall or loop until analysis is complete (and rendered ineffective). By detecting the modified environment of dynamic analysis, evasive malware “senses” it is under scrutiny and behaves as if it is benign. Evasive malware can detect instrumented libs as well as auxiliary processes and services not present in a typical target machine or OS. It can also detect specific hardware and software configurations, determining which devices, users and file names exist. These will often be very different in a dynamic analysis environment than in a “real” environment.

As with static analysis, dynamic analysis can be evaded by taking advantage of differences in the execution capabilities of the analysis vs. the target system, such as semantics, speed and available resources. For example, evasive malware can determine if a human is using the host machine by checking whether a keyboard or mouse is attached, and whether that mouse moves. Evasive malware producers must take care to ensure that environmental fingerprinting activities are subtle so as not to raise user suspicion.

For example, the Backoff malware family, which has been repeatedly plaguing point-of-sale machines at retailers, displays several of these evasive characteristics. The U.S. Secret Service estimates more than 1,000 businesses have been affected. If you take a Backoff sample and analyze it in Lastline’s high resolution malware analysis environment, you will see that it uses:

  • Timing analysis detection to fingerprint virtualized dynamic analysis.
  • Timing evasion, which is an anti-VM technique.
  • Code obfuscation to evade detection by signature-based AV technology.
  • Rare and poorly emulated instructions to defeat simple emulators.
  • Encryption of part of the command and control (C&C) traffic under the assumption someone may be sniffing the traffic for C&C server calls.

While fingerprinting analysis systems has gotten evasive malware producers ahead in the cybersecurity arms race, it can be used against them. Evasive behaviors can now be used as signals for detection, and dynamic analysis environments can be designed to be both resistant to fingerprinting and have greater visibility into evasion techniques.
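Using evasive behaviors as detection signals can be sketched as follows. This is an added example, not code from the original article or from Lastline: it scans a sandbox API-call trace for the stalling, timing-check, human-presence and environment-probe behaviors described above. The trace format, the artifact names and the thresholds are assumptions made for illustration.

```python
CLOCK_APIS = {"GetTickCount", "QueryPerformanceCounter"}
INPUT_APIS = {"GetCursorPos", "GetLastInputInfo"}
# Assumed watchlist: names that exist only inside this hypothetical analysis VM.
ANALYSIS_ARTIFACTS = {"analysis_agent.exe", "sandbox_hook.dll"}
STALL_MS = 120_000  # assumed: requested sleep that outlasts the analysis window
LOOP_RUN = 1000     # assumed: identical back-to-back calls treated as a stall loop

def evasion_signals(trace):
    """Return evasion signals found in a list of (api, argument) events."""
    signals, slept_ms, input_polls = set(), 0, 0
    run_api, run_len = None, 0
    clock_seen = sleep_since_clock = False
    for api, arg in trace:
        # Stall loop: the same call repeated back to back many times.
        run_len = run_len + 1 if api == run_api else 1
        run_api = api
        if run_len >= LOOP_RUN:
            signals.add("stall_loop")
        # Environment probe: a lookup that names an analysis-only artifact.
        if arg.lower() in ANALYSIS_ARTIFACTS:
            signals.add("environment_probe")
        if api == "Sleep":
            slept_ms += int(arg)
            sleep_since_clock = clock_seen
        elif api in CLOCK_APIS:
            # clock -> sleep -> clock: the sample measures whether the sleep
            # really took as long as requested (timing analysis detection).
            if sleep_since_clock:
                signals.add("timing_check")
            clock_seen, sleep_since_clock = True, False
        elif api in INPUT_APIS:
            input_polls += 1
    if slept_ms >= STALL_MS:
        signals.add("stalling")
    if input_polls >= 2:  # assumed threshold for repeated input polling
        signals.add("human_check")
    return signals

# Constructed trace for illustration; not taken from a real sample.
SAMPLE_TRACE = [
    ("GetTickCount", ""), ("Sleep", "600000"), ("GetTickCount", ""),
    ("GetCursorPos", ""), ("Sleep", "2000"), ("GetCursorPos", ""),
    ("GetModuleHandleA", "sandbox_hook.dll"),
    ("CreateFileW", "C:\\Users\\Public\\report.docx"),
]

if __name__ == "__main__":
    print(sorted(evasion_signals(SAMPLE_TRACE)))
```

Each signal is weak on its own, since benign software also sleeps and polls the cursor; the value comes from several appearing together in a binary that otherwise does nothing observable.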

Second, it’s also important to note that while the malware being used may be evasive, the attack techniques to deploy malware are not always as sophisticated. Attackers often scan the Internet for remote desktop applications and brute force admin login credentials. In the case of Backoff, they use these admin credentials to deploy Backoff to remote PoS systems. In other cases, social engineering or insiders are used to gain access to systems in a way that appears legitimate. So security policies and education must be designed to prevent employees from, intentionally or inadvertently, becoming a weak link and exposing their organizations to compromise.

A Better Way to Defend Systems, Employees, Partners and Customers from Security Breaches

However, in most advanced targeted attacks, malware plays a central role. And increasingly, that malware makes use of evasion techniques to get past both static and dynamic analysis. So by implementing an analysis environment that prevents its own fingerprinting while detecting and defeating evasion techniques, organizations can better defend their systems, employees, partners and customers from security breaches. In this way, the dark arts of evasion can be used to shed light on malware that would otherwise go undetected.

Engin Kirda

Professor, Northeastern University / Lastline Inc.

In addition to being co-founder and chief architect at Lastline, Engin Kirda is a Professor at the Northeastern University in Boston, and the director of the Northeastern Information Assurance Institute. Before that, he held faculty positions at Institute Eurecom in the French Riviera and the Technical University of Vienna where he co-founded the Secure Systems Lab that is now distributed over five institutions in Europe and US. Engin's recent research has focused on malware analysis (e.g., Anubis, Exposure, Fire) and detection, web application security, and practical aspects of social networking security. His recent work on the deanonymization of social network users received wide media coverage. He co-authored more than 90 peer-reviewed scholarly publications and served on program committees of numerous well-known international conferences and workshops. In 2009, Engin was the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID), in 2010/11, Program Chair of the European Workshop on Systems Security (Eurosec), and is the Program Chair of the well-known USENIX Workshop on Large Scale Exploits and Emergent Threats in 2012. In the past, Engin has consulted the European Commission on emerging threats, and recently gave a Congressional Briefing in Washington D.C. on advanced malware attacks and cyber-security.