Recognizing Evasive Behaviors Seen as Key to Detecting Advanced Malware

Academic Giovanni Vigna of UCSB has been studying techniques used by malware writers to evade analysis, and urges detection tools to develop an understanding of evasive behavior.

Criminals and advanced attackers have long fortified malware with features that help malicious code stay hidden from analysis. We’ve seen malware samples that determine if they’re being executed in a sandbox or virtual machine, or over remote desktop protocol connections, and stay quiet until analysis passes. Other samples use layers and layers of encryption packers, frustrating intrusion detection systems and analysts’ attempts to get a peek at malware behavior.

And while malware researchers are getting better at uncovering what’s behind the curtain, attackers are generally ahead of the game. One academic sees a time where defenders will have to develop detection technology that understands and spots evasive behavior.

Giovanni Vigna, director of the Center for Cybersecurity at the University of California at Santa Barbara and a founder of security firm Lastline, sees more and more commodity attacks adopting these evasion techniques, even mimicking legitimate applications for a predetermined period of time before executing in a production environment, for example. The next move, he said, is for security systems to elicit malicious behavior from a malware sample before it executes.

“The next step is being able to detect evasive behavior,” Vigna said. “How can we tell if malware is looking in memory for the presence of Wireshark, for example? Normal programs would not do that. It’s hard, but we need to be able to use evasive behavior as a signal for the presence of malicious software.”

Vigna said the next wave of security technology must have visibility into, and an understanding of, the actions of malware, something that virtual machines and sandboxes don’t necessarily provide today—in particular when some attacks are adept at either detecting or escaping a sandbox.

“The only time we can get control on the execution of malware is when the malware executes a privileged operation like a system call,” Vigna said. “The malware then executes, can be interrupted and analyzed.”

Vigna spoke in London at the IP Expo last week on the subject and used the example of a piece of malware mimicking Notepad for a set number of minutes before showing its true colors. This differs from, for example, samples that simply sleep for a time before executing, hoping to elude antivirus or intrusion detection signatures.

“I think it’s fundamental to detect evasive malware and use that behavior as a signal,” he said. “Malware can pretend to have a behavior profile that is similar to benign behavior for a while until it stops executing in a sandbox, then in the real environment, it starts acting like the real malware.

“Something like going to sleep is easy to solve because it’s a privileged operation with the operating system,” Vigna said.

He said a recent example of evasive malware came from an attack he studied in which malicious code was hidden in a registry key, avoiding any presence on the file system and avoiding sandbox analysis.

“The behaviors are in commodity malware for sure,” he said. “There are plenty of packers and encoders that have specific checks for sandboxes. Some have a checkbox that says evade Cuckoo, for example,” Vigna said, referring to the Cuckoo sandbox. “It’s been commoditized and this is a problem. We need to be able to detect evasiveness, otherwise we are going to lose the battle.”
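The detection idea running through Vigna’s remarks, intercepting a sample at the system-call boundary, fast-forwarding its sleeps, and treating checks for analysis tools or payloads hidden in the registry as signals, can be sketched in code. The following is an added illustration, not code from Vigna, Lastline or the article: the monitor, the API names as recorded, the tool-marker list and the trace are all constructed for the example.

```python
"""Added example: score evasion signals in an API trace captured at the
syscall boundary, where a sandbox monitor has control (constructed data)."""
from dataclasses import dataclass, field

# Window titles of analysis tools; the sample looking for them is itself
# the signal. The list is illustrative, not taken from the article.
ANALYSIS_TOOL_MARKERS = ("wireshark", "procmon", "ollydbg", "x64dbg", "cuckoo")

@dataclass
class Verdict:
    virtual_clock_s: float = 0.0   # time the sample believes has elapsed
    skipped_sleep_s: float = 0.0   # sleep the monitor fast-forwarded
    signals: list = field(default_factory=list)  # (weight, description)

    @property
    def score(self):
        return sum(w for w, _ in self.signals)

def analyze_trace(events, sleep_cap_s=5.0, blob_threshold=4096):
    """events: (api_name, args) pairs as recorded by a hypothetical monitor."""
    v = Verdict()
    for api, args in events:
        if api == "NtDelayExecution":
            # Sleep is a privileged operation, so the monitor can satisfy it
            # by advancing virtual time instead of letting the sample stall.
            delay = args["seconds"]
            v.virtual_clock_s += delay
            if delay > sleep_cap_s:
                v.skipped_sleep_s += delay - sleep_cap_s
                v.signals.append((1, f"long sleep of {delay:.0f}s fast-forwarded"))
        elif api in ("FindWindowA", "FindWindowW"):
            name = args.get("window_name", "").lower()
            if any(m in name for m in ANALYSIS_TOOL_MARKERS):
                v.signals.append((3, f"looked for analysis tool window {name!r}"))
        elif api == "RegQueryValueEx" and args.get("size", 0) > blob_threshold:
            v.signals.append((2, f"large blob read from registry {args['key']}"))
    return v

# Constructed trace: benign-looking file activity, then a Wireshark check,
# a ten-minute sleep, and a payload pulled out of the registry.
CONSTRUCTED_TRACE = [
    ("NtCreateFile", {"path": r"C:\Users\victim\notes.txt"}),
    ("NtWriteFile", {"path": r"C:\Users\victim\notes.txt"}),
    ("FindWindowA", {"window_name": "The Wireshark Network Analyzer"}),
    ("NtDelayExecution", {"seconds": 600.0}),
    ("RegQueryValueEx", {"key": r"HKCU\Software\Example\Blob", "size": 98304}),
]

def demo_verdict():
    return analyze_trace(CONSTRUCTED_TRACE)

if __name__ == "__main__":
    v = demo_verdict()
    print(f"score={v.score} clock={v.virtual_clock_s:.0f}s skipped={v.skipped_sleep_s:.0f}s")
    for w, text in v.signals:
        print(f"  [{w}] {text}")
```

Weights and thresholds are arbitrary here; in practice they would be tuned against benign traces, since some legitimate software also enumerates windows or sleeps for long periods.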
