Malware authors try to send researchers on the wrong track

Aug 27, 2014 07:55 GMT

More sophisticated threats rely on various techniques not just to avoid antivirus detection but also to prevent security researchers from taking a closer look at their inner mechanisms.

Malware analysis is generally done in isolated environments (a sandbox utility or a virtual machine) that are designed to contain every modification the sample makes, so that nothing changes on the real machine.

As such, these make for a perfect tool for security researchers to investigate what makes a piece of malware tick and where it sends off the stolen information.

However, some threats that benefit from richer resources, both financial and intellectual, include evasion techniques that detect that they are running inside a virtual environment, which their authors generally associate with security researchers trying to find out more about the threat.

The defensive reactions observed by the experts range from stopping the malicious activity to using fake addresses for the command and control (C&C) servers.

Researchers at Sophos gathered a few examples that are to be presented at the Virus Bulletin conference, taking place in Seattle between 26 and 26 September.

They analyzed how different malicious applications change their behavior once they detect the sandbox, classified the techniques, and assessed the benefit of each one for the malware author.

James Wyke will present the methods used by samples from malware families such as Andromeda, Shylock, Simda and Vundo.

He will show how their activity changes, which includes dropping dummy files, making fake DNS and HTTP requests, or delivering misleading configuration files.

Shylock, a Trojan that has resurfaced quickly after each takedown by law enforcement and private security firms, has been observed distributing fake configuration files in order to put researchers on a false track.

In the case of Simda, Wyke notes a different behavior: collecting the IP address of the researcher’s machine and blacklisting it.

Vundo has been seen using decoy command and control servers when it detected a virtual environment; the aim is to divert attention and probably to make the sample look like a false positive.

In the case of the Andromeda malware dropper, the C&C servers are hidden while it runs in the sandbox, making it harder for researchers to discover the location that sends the instructions.
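The behaviors described above (fake DNS and HTTP requests, decoy C&C, C&C withheld inside the sandbox) all share one trait: the sample's network activity differs depending on whether it believes it is being analyzed. The following added example, which is not from the article or from Sophos, shows how an analyst can make that divergence visible by running the same sample twice, once in a stock sandbox and once in a sandbox with its virtual-machine artifacts hidden, and comparing the contacted hosts; the log lines and hostnames are constructed for illustration.

```python
"""Compare one sample's network behaviour across two analysis runs.

Constructed example: SANDBOX_RUN is a stock sandbox, HARDENED_RUN is the
same sandbox with its VM artifacts hidden. Hosts seen only in the stock
run are candidate decoys (fake DNS/HTTP, decoy C&C); hosts seen only in the
hardened run are candidates for the real C&C the sample withheld.
"""
from urllib.parse import urlparse

# Constructed log lines in the form "<proto> <destination>"; not real traffic.
SANDBOX_RUN = """\
DNS ntp.benign.example
DNS decoy-update.example
HTTP http://decoy-update.example/gate.php
DNS sink.example
HTTP http://sink.example/cfg.bin
"""
HARDENED_RUN = """\
DNS ntp.benign.example
DNS real-panel.example
HTTP http://real-panel.example/panel/gate.php
"""


def hosts(log: str) -> set:
    """Extract the set of contacted hostnames from one run's log lines."""
    out = set()
    for line in log.splitlines():
        proto, _, dest = line.partition(" ")
        if not dest:
            continue
        if proto == "HTTP":
            dest = urlparse(dest).hostname or dest
        out.add(dest.lower())
    return out


def compare_runs(sandbox_log: str, hardened_log: str) -> dict:
    """Classify destinations by which run they appeared in."""
    s, h = hosts(sandbox_log), hosts(hardened_log)
    result = {
        "common": sorted(s & h),
        "sandbox_only": sorted(s - h),   # candidate decoys / fake requests
        "hardened_only": sorted(h - s),  # candidate C&C hidden in the sandbox
    }
    # Any divergence means the sample branched on its environment, which is
    # itself a signal worth escalating to manual analysis.
    result["likely_evasive"] = bool(result["sandbox_only"] or result["hardened_only"])
    return result


if __name__ == "__main__":
    for key, value in compare_runs(SANDBOX_RUN, HARDENED_RUN).items():
        print(f"{key}: {value}")
```

Hosts in the "common" set are the ones the sample contacts regardless of environment and are the only indicators safe to treat as stable; the two "only" sets should be confirmed against a third run before they are published as IoCs.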

All the methods malware uses to protect itself against analysis are designed to delay the discovery of its true colors, thus prolonging the life of the threat. In many cases, they are successful.