Malware hiding and evasion techniques

Malware authors have always looked for new techniques to stay invisible.
This includes being invisible on the compromised machine, but it is even more important to hide malicious indicators and behavior during analysis.

Malware authors use both hiding and evasion techniques to conceal malicious files from automated threat analysis systems and antivirus systems.

Evasion techniques

Malware uses numerous techniques to avoid detection by security controls and to identify sandbox execution.

Here are a couple of major evasion techniques:

  1. Detecting Sandbox using Core Count
    Malware tries to use discrepancies in hardware (especially the number of CPU cores) in order to spot a sandbox with some degree of accuracy. To make discovery more difficult, most sandbox vendors attempt to hide their true configuration, hopefully fooling the malware into believing it’s executing within an actual host.
  2. Detecting Lack of User Input
    Malware looks for the lack of user input. In a real machine, user input, such as keyboard or mouse activity, will be a frequent occurrence.

Here is an interesting talk by Michael Gough, recorded at BSidesSF 2017:


Hiding techniques

Obfuscation

  1. Dead-Code Insertion
    This is a simple technique that adds ineffective instructions to a program to change its appearance without altering its behavior.
    In order to combat dead-code insertion, signature-based antivirus scanners should be able to delete the ineffective instructions before analysis.
  2. Register Reassignment
    Register reassignment is a technique which switches registers from generation to generation while keeping the program code and its behavior unchanged.
  3. Subroutine Reordering
    A technique which makes the original piece of code harder to detect by antivirus programs by changing the order of the code’s subroutines in a randomized manner.
  4. Instruction Subroutines
    This obfuscation technique evolves the original code by replacing some instructions with others that are equivalent to the original ones.
  5. Code Transportation
    This technique reorders sequences of instructions of the original code without any visible impact on the code’s behavior.
  6. Code Integration
    Using this technique, the malware binds itself to the code of its target program. In order to execute this technique of obfuscation, malware must first decompile its target program into small manageable objects, slot itself between them, and then reassemble the integrated code into a new generation.
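
The dead-code removal step described in item 1, as an added example that is not part of the original post: a Python sketch that strips a small, assumed set of ineffective x86 instructions from a disassembly listing before hashing it, so a padded variant produces the same signature as the plain one. The sample listings, the pattern set and the function names are constructed for illustration.

```python
import hashlib
import re

# Constructed samples: one routine, plain and with dead code inserted.
ORIGINAL = """mov eax, [ebp+8]
xor eax, 0x5A
mov [ebp-4], eax
ret"""
PADDED = """nop
mov eax, [ebp+8]
push ebx
pop ebx
xchg ecx, ecx
xor eax, 0x5A
add edx, 0
mov esi, esi
mov [ebp-4], eax
lea edi, [edi]
ret"""

REG = r"(e?[abcd]x|e?[sd]i|e?[sb]p)"
# Assumed pattern set: single instructions that leave register and memory
# values unchanged. add/sub/or with 0 still update flags, so a production
# normalizer must first prove the flags are dead before dropping them.
DEAD_SINGLE = [re.compile(p) for p in (
    r"^nop$",
    rf"^(mov|xchg) {REG}, \2$",
    rf"^(add|sub|or) {REG}, 0$",
    rf"^lea {REG}, \[\1\]$",
)]

def normalize(listing):
    """Return the instructions with known-ineffective ones removed."""
    out = []
    for raw in listing.lower().splitlines():
        ins = re.sub(r"\s+", " ", raw.split(";")[0]).strip()
        ins = re.sub(r" ?, ?", ", ", ins)
        if not ins or any(p.match(ins) for p in DEAD_SINGLE):
            continue
        # "push X" directly followed by "pop X" restores X: drop the pair.
        m = re.match(rf"^pop {REG}$", ins)
        if m and out and out[-1] == f"push {m.group(1)}":
            out.pop()
            continue
        out.append(ins)
    return out

def signature(listing):
    """Hash the normalized listing, as a stand-in for a byte signature."""
    return hashlib.sha256("\n".join(normalize(listing)).encode()).hexdigest()
```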

More information about malware obfuscation is available in this post: https://andreafortuna.org/cybersecurity/malware-obfuscation-techniques-four-simple-examples/

Compression

Runtime packers, also known as “self-extracting archives”, are software that unpacks itself in memory when the “packed file” is executed.
This type of compression was invented to make files smaller, but now it is almost always used for malicious purposes.
In essence it makes reverse engineering more difficult, with the added benefit of a smaller footprint on the infected machine.

Here is a brief list of major packers:

