
Malware evasion techniques are widely used to circumvent detection as well as analysis and understanding.

One of the dominant categories of evasion is anti-sandbox detection, simply because today's sandboxes are becoming the fastest and easiest way to have an overview of the threat. Many companies use these kinds of systems to detonate malicious files and URLs they find, to obtain more indicators of compromise, extend their defenses and block other related malicious activity. Nowadays we understand security as a global process, and sandbox systems are part of this ecosystem, which is why we must pay attention to the methods used by malware and to how we can defeat them.

Historically, sandboxes have allowed researchers to visualize the behavior of malware accurately within a short period of time. As the technology evolved over the past few years, malware authors started producing malicious code that delves much deeper into the system to detect the sandboxing environment.

As sandboxes became more sophisticated and evolved to defeat the evasion techniques, we observed multiple strains of malware that dramatically changed their tactics to remain a step ahead. In the following sections, we look back on some of the most prevalent sandbox evasion techniques used by malware authors over the past few years and validate the fact that malware families extended their code in parallel with introducing stealthier techniques. The following diagram shows one of the most prevalent sandbox evasion tricks we will discuss in this blog, although many others exist.

Initially, several strains of malware were observed using timing-based evasion techniques, which primarily boiled down to delaying the execution of the malicious code for a period using known Windows APIs like NtDelayExecution, CreateWaitableTimer, SetTimer and others. These techniques remained popular until sandboxes started identifying and mitigating them.

GetTickCount

As sandboxes identified such malware and attempted to defeat it by accelerating code execution, malware resorted to acceleration checks using multiple methods. One of those methods, used by multiple malware families including Win32/Kovter, was calling the Windows API GetTickCount followed by code that checks whether the expected time had actually elapsed. However, we observed several variations of this method across malware families. This evasion technique could be easily bypassed by sandbox vendors simply by creating a snapshot with more than 20 minutes of uptime, so that the machine appears to have been running for longer.

API Flooding

Another approach that subsequently became more prevalent, observed with Win32/Cutwail malware, is calling a garbage API in a loop to introduce the delay, dubbed API flooding. Below is the code from the malware that shows this method.

We observed how this code resulted in a DoS condition since sandboxes could not handle it well enough. On the other hand, this sort of behavior is not too difficult to detect by more involved sandboxes.
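As an added example (not code from the original post or from the malware families it names), the two patterns discussed above, a clock-read-bracketed long delay and a garbage-API loop, expressed as detection heuristics run over a constructed sandbox API-call trace. The trace format ("<ms> <api> [args]", delays already in milliseconds), the thresholds and the API name sets are assumptions for the example, not any real sandbox's report format.

```python
from collections import defaultdict

# Assumed trace format: one "<ms> <api> [args...]" line per call, delays already in ms.
DELAY_APIS = {"NtDelayExecution", "Sleep", "SleepEx", "SetTimer",
              "SetWaitableTimer", "WaitForSingleObject"}
CLOCK_APIS = {"GetTickCount", "GetTickCount64", "QueryPerformanceCounter",
              "GetSystemTimeAsFileTime"}

def parse_trace(text):
    """Parse trace lines into (ms, api, args) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit():
            events.append((int(parts[0]), parts[1], parts[2:]))
    return events

def find_timing_evasion(events, min_delay_ms=60_000):
    """Flag a long delay call with a clock read within 3 calls before and after it:
    the 'did the expected time really elapse' check aimed at sleep acceleration."""
    hits = []
    for i, (ms, api, args) in enumerate(events):
        if api not in DELAY_APIS or not args or not args[0].isdigit():
            continue
        requested = int(args[0])
        before = any(e[1] in CLOCK_APIS for e in events[max(0, i - 3):i])
        after = any(e[1] in CLOCK_APIS for e in events[i + 1:i + 4])
        if requested >= min_delay_ms and before and after:
            hits.append({"api": api, "delay_ms": requested, "at": ms})
    return hits

def find_api_flooding(events, min_calls=1000, window_ms=2000):
    """Flag any API called at least min_calls times inside a window_ms span."""
    times = defaultdict(list)
    for ms, api, _ in events:
        times[api].append(ms)          # timestamps stay in trace order
    hits = []
    for api, ts in times.items():
        for j in range(min_calls - 1, len(ts)):
            if ts[j] - ts[j - min_calls + 1] <= window_ms:
                hits.append({"api": api, "calls": len(ts)})
                break
    return hits

# Constructed trace: tick read, 20-minute delay, tick read, one file drop, then
# 3000 calls of a harmless API within 3 seconds (the flooding loop).
SAMPLE_TRACE = "\n".join(
    ["0 GetTickCount", "1 NtDelayExecution 1200000", "1200001 GetTickCount",
     "1200002 CreateFileW C:\\sample\\stage2.bin"]
    + [f"{1200003 + k} GetSystemTimeAsFileTime" for k in range(3000)])
```

Running `find_timing_evasion(parse_trace(SAMPLE_TRACE))` reports the bracketed NtDelayExecution call, and `find_api_flooding` reports the GetSystemTimeAsFileTime loop while leaving the two genuine GetTickCount reads alone.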
