In the ongoing battle between infosec pros and malware authors once thing is certain: Uncertainty. The bad guys are always changing tactics.
This week a security vendor noted that malicious programs have begun to incorporate evasive behaviors, and while it believes it has a solution CISOs and researchers should be aware of the problem so they know what to look for.
As David Bisson synthesizes the issue on TripWire’s blog, there are four common anti-detection techniques malware authors can use: Environmental awareness, confusing automated tools, timing-based evasion and obfuscating internal data.
The Rombertik malware leverages many of these at once, while Black POS uses only timing-based evasion to check the infected system’s time with the hardcoded time stamp on the executable.
Bisson notes there is another phenomenon called dormant functionality, which occurs when only a small subset of malicious code that could otherwise be executed under certain conditions is actually initialized. Dormant code can be found in evasive malware, but, he writes, it can also be found in non-evasive malicious samples. An advanced persistent threat vendor called Lastline has identified four scenarios:
–inability of the malware to contact a command and control server, which can make defences looking for such activity to be misled;
–inability of malware components that need to interact to load or run;
–missing inputs needed to execute a task;
–a broken packer, which is needed to evade signature-based anti-virus software.
The point is there’s a need to find ways to identify these dormant functions before they awake and are able to execute. Lastline notes that dormant functions can be found in the Wild Neutron malware recently analyzed by Kaspersky Labs.