Recognizing Evasive Behaviors Seen as Key to Detecting Advanced Malware

Academic Giovanni Vigna of UCSB has been studying techniques used by malware writers to evade analysis, and urges detection tools to develop an understanding of evasive behavior.

Criminals and advanced attackers have long fortified malware with features that help malicious code stay hidden from analysis. We’ve seen malware samples that determine if they’re being executed in a sandbox or virtual machine, or over remote desktop protocol connections, and stay quiet until analysis passes. Other samples use layers and layers of encryption packers, frustrating intrusion detection systems and analysts’ attempts to get a peek at malware behavior.

And while malware researchers are getting better at uncovering what’s behind the curtain, attackers are generally ahead of the game. One academic sees a time where defenders will have to develop detection technology that understands and spots evasive behavior.

Giovanni Vigna, director of the Center for Cybersecurity at the University of California at Santa Barbara and a founder of security firm Lastline, sees more and more commodity attacks adopting these evasion techniques, even mimicking legitimate applications for a predetermined period of time before executing in a production environment, for example. The next move, he said, is for security systems to elicit malicious behavior from a malware sample before it executes.

“The next step is being able to detect evasive behavior,” Vigna said. “How can we tell if malware is looking in memory for the presence of Wireshark, for example? Normal programs would not do that. It’s hard, but we need to be able to use evasive behavior as a signal for the presence of malicious software.”

Vigna said the next wave of security technology must have some visibility and understanding into the action of malware, something that virtual machines and sandboxes don’t necessarily provide today—in particular when some attacks are adept at either detecting or escaping a sandbox, for example.

“The only time we can get control on the execution of malware is when the malware executes a privileged operation like a system call,” Vigna said. “The malware then executes, can be interrupted and analyzed.”

Vigna spoke in London at the IP Expo last week on the subject and used an example of a piece of malware mimicking Notepad for x-number of minutes before showing its true colors. This is different behavior from, for example, samples that sleep for a time before executing, hoping to elude antivirus or intrusion detection signatures.

“I think it’s fundamental to detect evasive malware and use that behavior as a signal,” he said. “Malware can pretend to have a behavior profile that is similar to benign behavior for a while until it stops executing in a sandbox, then in the real environment, it starts acting like the real malware.

“Something like going to sleep is easy to solve because it’s a privileged operation with the operating system,” Vigna said.

He said a recent example of evasive malware came in an attack he studied in which malicious code was hidden in a registry key, avoiding a presence on the file system and avoiding sandbox analysis.

“The behaviors are in commodity malware for sure,” he said. “There are plenty of packers and encoders that have specific checks for sandboxes. Some have a checkbox that says evade Cuckoo, for example,” Vigna said, referring to the Cuckoo sandbox. “It’s been commoditized and this is a problem. We need to be able to detect evasiveness, otherwise we are going to lose the battle.”
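
As an added illustration (not code from Vigna, Lastline or the original article), the sketch below treats the evasive actions named above as detection signals in a recorded sandbox trace: lookups for analysis tools such as Wireshark or Cuckoo, long sleeps, and large blobs written to the registry. The event schema, thresholds and sample traces are constructed assumptions.

```python
# Added example: the event schema, thresholds and traces are constructed assumptions.
ANALYSIS_TOOL_MARKERS = ("wireshark", "cuckoo")  # tool names mentioned in the article
LONG_SLEEP_MS = 60_000       # assumed threshold: sleeps of a minute or more
LARGE_REG_VALUE = 4096       # assumed threshold (bytes) for a code-sized registry value

def evasion_signals(trace):
    """Return (index, signal, detail) for each evasive-looking event in the trace."""
    findings = []
    for i, ev in enumerate(trace):
        kind = ev.get("kind")
        if kind == "process_lookup":
            # A program searching for analysis tools is the signal Vigna describes.
            name = ev.get("name", "").lower()
            if any(marker in name for marker in ANALYSIS_TOOL_MARKERS):
                findings.append((i, "analysis-tool-probe", name))
        elif kind == "sleep" and ev.get("ms", 0) >= LONG_SLEEP_MS:
            # Sleeping goes through the operating system, so the monitor sees it.
            findings.append((i, "long-sleep", f"{ev['ms']} ms"))
        elif kind == "registry_write" and ev.get("size", 0) >= LARGE_REG_VALUE:
            # Code stored in a registry value instead of on the file system.
            findings.append((i, "large-registry-blob", ev.get("key", "")))
    return findings

def verdict(trace, threshold=2):
    """Flag a trace when at least `threshold` distinct signal types appear."""
    kinds = {signal for _, signal, _ in evasion_signals(trace)}
    return "evasive" if len(kinds) >= threshold else "no-signal"

# Constructed sample traces (not taken from any real sample).
SUSPICIOUS_TRACE = [
    {"kind": "process_lookup", "name": "explorer.exe"},
    {"kind": "process_lookup", "name": "Wireshark.exe"},
    {"kind": "sleep", "ms": 600_000},
    {"kind": "registry_write", "key": r"HKCU\Software\Example\Data", "size": 48_000},
]
BENIGN_TRACE = [
    {"kind": "process_lookup", "name": "explorer.exe"},
    {"kind": "sleep", "ms": 250},
    {"kind": "registry_write", "key": r"HKCU\Software\Example\WindowPos", "size": 16},
]

if __name__ == "__main__":
    for label, trace in (("suspicious", SUSPICIOUS_TRACE), ("benign", BENIGN_TRACE)):
        print(label, verdict(trace), evasion_signals(trace))
```

A sample that simply mimics a benign application, as in the Notepad case, emits none of these events, so rules like these cover only the explicit checks.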

Discussion

  • Osama S. on

    Isn’t anyone getting tired of these catchup approaches? We replace one catchup approach with a slightly better one but the same vulnerabilities namely that if you are clever enough you will get around the control. It makes malware development more difficult, more expensive but as long as there is a lot of money to be made there will be investment made in malware development to overcome these approaches. First defense should be a default deny approach. Don’t run unapproved code! i.e. Application Whitelisting. As defense in depth use whatever endpoint security solutions you want, behaviour analysis etc. How come that a simple security principle like Default Deny is ignored by the security community and rarely practiced in technical controls?
  • Christoffer S. on

    @Osama I agree that application whitelisting should be practiced more often. However, you know as well as me, that successfully implementing application whitelisting is complicated. Varying levels of how far you're willing to go down the rabbit hole of software execution. Dynamic loading of code, software modules, authentic code mutation, software execution paths etc. Software whitelisting is not an easy feat to achieve or implement. Microsoft has attempted it somewhat by having policies for signed software. Either way, I too believe that more effort should be spent working towards practical software whitelisting software and methods. But there is a lot of money involved here, money that would rather not want their feed to disappear.
  • Dr. Hilliard Haliard on

    As usual, the problem is legacy software and systems. Sure, we can have all sorts of highfalutin egghead and pencilneck security solutions if we were to start from scratch -- but we must deal with what's out there. Moreover, detecting evasion is hardly new. Heck, I myself coded anti-anti-debugging drivers back in the day long before VMware stuffed NT into a VM. You always had to trick the bad guys into believing all was hunky-dory.
  • Elaine Latham on

    Either we nip this in the bud now or our way of running businesses and communicating will drastically change. We are moving back to the last century. There is a special inexpensive patented software that is bullet proof protection that is External Keyboard Encryption and locks down the keyboard and keeps the Key-logger out of the system. Encryption is the Buzz Word but all Internal and is useless if you bring the Key-Logger in with you. This is the only answer and I would love to share the information. www.cwacybersecurity.com/breakthru
  • SecOpsGuy on

    "Imagine a day when… " the author hasn't done his homework or doesn't know the space. FireEye has been both evading detection techniques, and using evasion detection for at least 5-6 years now. This softball article is just a free ad for Lastline. Lame.
