Like a modern superbug that has grown resistant to conventional antibiotics, malware today has evolved rapidly and become increasingly complex. While much has been written about malware's ability to evade sandboxes, little has been said about the specific techniques malware authors employ to evade detection. In this post, condensed from a SANS webcast led by VMRay Product Manager Rohan Viegas, VMRay Sr. Threat Analyst Tamas Boczan and SANS analyst Jake Williams, we take a deep dive into the prevalent methods attackers are adopting to bypass antivirus and sandbox environments, discuss the telltale signs malware leaves behind, and offer practical strategies for improving detection.
Blacklisting is Not Enough
The number of unique malware samples is growing steadily. With over 800 million malware samples seen in 2019, manually writing a signature for each one is nearly impossible. As SANS analyst Jake Williams points out, the sample count doesn't tell the whole story: "just recompiling the malware changes the cryptographic hash, which makes it a 'new' sample."
By recompiling a known strain, a new timestamp is inserted in the header, rendering it a unique sample even though it shares 100% of the code. With the sheer volume of malware and the advancement of packing techniques, blacklisting sample and section hashes is becoming effectively useless. "This is a race you probably are not going to win, and attackers know this," says Williams.
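To make the recompilation point concrete, here is an added example (not code from the webcast or from VMRay) that builds two constructed, non-executable PE-like blobs with byte-identical code and different COFF TimeDateStamp values, then compares a whole-file hash with a hash that zeroes the timestamp. It assumes only the documented PE layout (e_lfanew at 0x3C, TimeDateStamp 8 bytes after the "PE\0\0" signature); a real rebuild changes more than the timestamp, which is why timestamp normalization only rescues the most trivial case.

```python
import hashlib
import struct

# PE layout facts used here: the DOS header stores e_lfanew at offset 0x3C, and the
# COFF header's TimeDateStamp sits 8 bytes after the 4-byte "PE\0\0" signature.
E_LFANEW_OFFSET = 0x3C
TIMESTAMP_OFFSET_FROM_SIG = 8

def build_minimal_pe(timestamp: int, code: bytes) -> bytes:
    """Constructed, non-executable PE-like blob: DOS header, PE signature, COFF header, code."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", e_lfanew)
    # COFF header fields: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return dos_header + b"PE\0\0" + coff + code

def timestamp_offset(pe: bytes) -> int:
    """Locate TimeDateStamp by following e_lfanew, the way a scanner would."""
    (e_lfanew,) = struct.unpack_from("<I", pe, E_LFANEW_OFFSET)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + TIMESTAMP_OFFSET_FROM_SIG

def file_hash(pe: bytes) -> str:
    """The whole-file hash a blacklist would store."""
    return hashlib.sha256(pe).hexdigest()

def normalized_hash(pe: bytes) -> str:
    """Hash with the volatile TimeDateStamp zeroed, so a rebuild of identical code still matches."""
    off = timestamp_offset(pe)
    return hashlib.sha256(pe[:off] + b"\x00" * 4 + pe[off + 4:]).hexdigest()

CODE = bytes.fromhex("558bec33c05dc3")  # constructed stand-in for the shared code bytes
BUILD_A = build_minimal_pe(0x5E000000, CODE)  # original compile
BUILD_B = build_minimal_pe(0x5E000100, CODE)  # recompiled later, byte-identical code

if __name__ == "__main__":
    print("whole-file hashes equal:", file_hash(BUILD_A) == file_hash(BUILD_B))
    print("timestamp-normalized hashes equal:",
          normalized_hash(BUILD_A) == normalized_hash(BUILD_B))
```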
Endpoint & Heuristics Detection
As signature-based detection tools have become less effective, security teams have increasingly embraced a combination of endpoint tools and heuristic behavioral detection capabilities to identify suspicious files. Williams outlines a few of these strategies, including:
Identifying binary and string patterns
Looking for code injection
Detecting malware setting persistence (installing to survive reboot)
Observing suspicious API use
Recognizing chained use of LOLBins (known good executables)
In this never-ending game of cat and mouse, attackers have likewise found clever workarounds to these methods. For instance, Williams gives an example of subverting some of the heuristics for detecting code injection by scrubbing the PE header in memory.
“Heuristic detection relies on runtime analysis of behaviors and alerts on those commonly performed by malware. The problem here is that many system admin tools look a lot like malware, from listing and killing processes to querying DLL lists. This can trigger a high volume of false positives,” explains Williams.
Packers & Other Bypass Techniques
One of the more common ways for malware to stay invisible to endpoint detection tools is through the use of packers. Malicious code is packed in a container so that the signature of the original code is no longer available to be cross-referenced and analyzed.
To protect against this, some antivirus vendors try to create a signature for the unpacking stub itself. As Williams explains, “what we have is the packer, which has the unpacking stub – this code that decompresses the original code into memory – and the antivirus trying the signature on the unpacking stub when in fact the packer here isn’t being used to obscure malicious intent, it’s being used to protect the intellectual property of the third party developer. One of the challenges that antivirus has is that these packers themselves are not always malicious and in fact, many of them are sold commercially.”
Beyond packers, Williams outlines additional behavior detection methods in use today and some of the strategies malware authors use to obscure their malicious intent, such as:
Code Emulators: Many antivirus engines use code emulators to identify malicious code patterns before the code actually executes
Process Doppelganging: A particularly clever endpoint security bypass technique in which the malware loads a different binary than the one that was scanned
Living Off The Land Bins (LOLBins): Some malware leverages built-in executables to perform functions that would be heuristically dangerous if performed by the malware itself
User Mode Rootkits: These tools dynamically alter the results of API calls made by the detection tools
In short, Williams says that endpoint detection is getting harder by the day and, critically, every detection technique requires a tradeoff between execution overhead and reliability. Finally, he reminds us why layering detection solutions is critical: "it's trivial to bypass a single detection after studying it; bypassing multiple detection points is significantly more difficult."
Sandbox Evasion Strategies
In the second half of the webinar, we explore some of the clever strategies and workarounds that attackers are employing to avoid detection. Tamas Boczan, VMRay’s Sr. Threat Analyst, provides examples from some of his research to demonstrate how specific strains of malware are applying these strategies in the wild.
We break down evasive techniques into three broad categories:
Detect the Sandbox: Many evasive malware strains are able to differentiate between an analysis environment and a production environment by querying various hardware characteristics (e.g., number of CPU cores, number of printers connected), evaluating user artifacts (cookies, browsing history) and detecting the monitoring agents themselves.
Defeat the Sandbox: Some malware evades detection by circumventing the sandbox itself, or defeats it with clever time loops that make the analysis time out before the malicious behavior is observed.
Context Awareness: In addition, there are some malware strains whose behavior depends on the context of the interaction. For instance, the malware will only execute if it’s in a certain geographic location.
Evasion Techniques in the Wild
VMRay's Sr. Threat Analyst, Tamas Boczan, is on the front lines every day dissecting and analyzing the latest malware strains to deconstruct how they navigate the network and deliver their payload. In this section of the webcast, Tamas walks through four different strains and details the evasive techniques each uses to avoid detection:
BetaBot: First seen in 2012, BetaBot comes and goes and is packed with a number of sandbox-detection checks, including the ability to inspect registry files, the BIOS, the username and license keys.
GandCrab: The most common ransomware family and a core focus of Tamas' research, GandCrab has evolved rapidly and includes capabilities to defeat the sandbox, including a technique called API hammering that artificially times out the sandbox.
FormBook: A popular infostealer, FormBook is an example of malware that works both to detect and to defeat the sandbox. One of its stealth features is its ability to check against a blacklist of strings using a checksum calculation, which obscures what the malware is looking for.
BrushaLoader: A relatively new and simple variant, BrushaLoader is an example of context-aware malware. A thin client collects data from the system, and the server side decides, based on the information received (e.g., geolocation), whether or not to send malware to the target host.
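The FormBook entry above describes a blacklist that exists only as checksums, so an analyst reading the sample sees opaque 32-bit values rather than the process or tool names being checked. The following added example (not code from the webcast, from VMRay or from FormBook) shows how an analyst resolves such a table back to plaintext by hashing a wordlist of known analysis-environment strings; the checksum function is a stand-in (CRC32 over lower-cased UTF-16LE), since the page does not give FormBook's actual algorithm, and the recovered table and wordlist are constructed.

```python
import zlib

def checksum(s: str) -> int:
    """Stand-in for the malware's string checksum: CRC32 over the lower-cased UTF-16LE
    text. The page does not give FormBook's real algorithm, so this is an assumption."""
    return zlib.crc32(s.lower().encode("utf-16-le")) & 0xFFFFFFFF

# Constructed stand-in for the opaque table recovered from a sample: 32-bit values only,
# with no plaintext to tell the analyst what the malware compares against.
RECOVERED_CHECKSUMS = {checksum(s) for s in ("vmtoolsd.exe", "procmon.exe", "x64dbg.exe")}
RECOVERED_CHECKSUMS.add(0xDEADBEEF)  # one entry the wordlist below will not explain

# Constructed analyst wordlist: process names and strings typically present only in
# analysis environments, plus a few ordinary names as controls.
CANDIDATE_STRINGS = [
    "vmtoolsd.exe", "vboxservice.exe", "procmon.exe", "wireshark.exe", "x64dbg.exe",
    "ollydbg.exe", "sandbox", "sample.exe", "explorer.exe", "notepad.exe",
]

def resolve_checksums(checksums, candidates) -> dict:
    """Map each recovered checksum back to a candidate string by wordlist lookup;
    entries no candidate explains are kept with value None so nothing is silently lost."""
    lookup = {checksum(c): c for c in candidates}
    return {h: lookup.get(h) for h in sorted(checksums)}

def matched_strings(checksums, candidates) -> list:
    """Only the resolved plaintexts, sorted, for quick reporting."""
    return sorted(v for v in resolve_checksums(checksums, candidates).values() if v)

if __name__ == "__main__":
    for h, name in resolve_checksums(RECOVERED_CHECKSUMS, CANDIDATE_STRINGS).items():
        print(f"0x{h:08x} -> {name or '<unresolved>'}")
```

Unresolved entries are the interesting ones: they tell the analyst which artifacts the wordlist is missing and where to extend it.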
Sandbox Defense Tactics
Finally, we provide some practical recommendations for configuring a sandbox to improve its detection capabilities:
Avoid Agents: Using agents in the analysis environment inevitably leaves a sign behind that lets malware determine it's being run inside a sandbox. Instead, monitor externally from the hypervisor layer.
Mimic Your Production Environment: Ideally, an effective sandbox should replicate your users' environment as closely as possible. The use of random artifacts, for instance, can help make the sandbox look less 'staged'.
Use Multiple VPN Egress Points: To protect against context-aware threats such as geo-fenced malware, multiple VPNs should be put in place to provide egress points in various geographies.
Ensure Performance: High performance helps the sandbox defeat evasion attempts such as API hammering, which, as used by GandCrab, mainly targets slow sandboxes.
Detect the Evasion Itself: It should come as little surprise that an effective sandbox should itself be able to detect evasion attempts and flag them.
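As an added example of the last recommendation (not code from the webcast or from VMRay's product), the following detection logic runs over a constructed API-call trace and flags the two evasion patterns this post discusses: sandbox fingerprinting (a process querying several hardware and user-activity APIs) and API hammering (a burst of cheap, side-effect-free calls meant to burn the sandbox's time budget). The probe API set, the thresholds and the trace are assumptions chosen for the demonstration, not tuned values.

```python
from collections import Counter, defaultdict

# APIs commonly queried to fingerprint an analysis environment (hardware, printers,
# user activity); the post names CPU core and printer counts as examples. Assumed set.
SANDBOX_PROBES = {
    "GetSystemInfo", "EnumPrinters", "GetCursorPos",
    "GlobalMemoryStatusEx", "IsDebuggerPresent",
}

def detect_evasion(trace, hammer_threshold=1000, window_ms=1000, probe_min=3):
    """trace: iterable of (timestamp_ms, pid, api_name).
    Returns {pid: [finding, ...]} for processes that look evasive."""
    calls = defaultdict(list)
    for ts, pid, api in trace:
        calls[pid].append((ts, api))
    findings = defaultdict(list)
    for pid, events in calls.items():
        # Fingerprinting: several distinct probe APIs from one process.
        probes = sorted({api for _, api in events if api in SANDBOX_PROBES})
        if len(probes) >= probe_min:
            findings[pid].append(f"sandbox fingerprinting via {', '.join(probes)}")
        # Hammering: count calls to the same API per time bucket and flag bursts.
        buckets = Counter((ts // window_ms, api) for ts, api in events)
        for (bucket, api), n in buckets.items():
            if n >= hammer_threshold:
                findings[pid].append(
                    f"API hammering: {n} x {api} within {window_ms} ms (bucket {bucket})")
    return dict(findings)

def constructed_trace():
    """Constructed sample trace, not captured data: pid 1001 probes the host and then
    hammers GetTickCount; pid 1002 behaves like an ordinary program."""
    trace = [(0, 1001, "GetSystemInfo"), (5, 1001, "EnumPrinters"),
             (9, 1001, "IsDebuggerPresent")]
    trace += [(10 + i // 4, 1001, "GetTickCount") for i in range(2000)]
    trace += [(i * 50, 1002, "ReadFile") for i in range(40)]
    trace += [(15, 1002, "GetTickCount")]
    return trace

if __name__ == "__main__":
    for pid, notes in detect_evasion(constructed_trace()).items():
        print(pid, *notes, sep="\n  ")
```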
To learn more about these evasion techniques, view the full webcast: "Hiding in Plain Sight: Dissecting Popular Evasive Malware Techniques".