Dormant code in malware could be a problem, or a solution

In the ongoing battle between infosec pros and malware authors once thing is certain: Uncertainty. The bad guys are always changing tactics.

This week a security vendor noted that malicious programs have begun to incorporate evasive behaviors, and while it believes it has a solution CISOs and researchers should be aware of the problem so they know what to look for.

As David Bisson synthesizes the issue on TripWire’s blog, there are four common anti-detection techniques malware authors can use: Environmental awareness,  confusing automated tools, timing-based evasion and obfuscating internal data.

The Rombertik malware leverages many of these at once, while Black POS uses only timing-based evasion to check the infected system’s time with the hardcoded time stamp on the executable.

Bisson notes there is another phenomenon called dormant functionality, which occurs when only a small subset of malicious code that could otherwise be executed under certain conditions is actually initialized. Dormant code can be found in evasive malware, but, he writes, it can also be found in non-evasive malicious samples. An advanced persistent threat vendor called Lastline has identified four scenarios:

–inability of the malware to contact a command and control server, which can make defences looking for such activity to be misled;

–inability of malware components that need to interact to load or run;

–missing inputs needed to execute a task;

–a broken packer, which is needed to evade signature-based anti-virus software.

The point is there’s a need to find ways to identify these dormant functions before they awake and are able to execute. Lastline notes that dormant functions can be found in the Wild Neutron malware  recently analyzed by Kaspersky Labs.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web