Plenty of malware samples contain embedded functionality that helps the code avoid detection by security software, or put encryption or packing barriers in the way of security researchers studying the code, analysis that would otherwise help vendors write detection signatures.
The Shylock malware has taken that dynamic a step further.
New functionality recently discovered by security company Trusteer indicates that the financial malware can now detect whether it has been executed on a computer over the Remote Desktop Protocol (RDP), a favorite avenue for researchers to study samples from remote locations. If Shylock detects an RDP session, it will not install.
“It appears to be trying to avoid being researched by simply not installing at all,” said Trusteer CTO Amit Klein. “At this point, the malware researcher will leave the sample alone.”
Other malware, such as Conficker, has anti-analysis features such as the ability to detect whether it has been opened in a virtual machine, a likely sign of a test environment, and to refuse to execute there. Klein said Shylock is the first to detect RDP.
“Beyond VM detection, many malware samples can observe a lack of mouse movements or lack of user activity and will sleep for a few minutes in order to avoid automatic processing or analysis,” Klein said. “Obviously, we see a trend here where a malware family is trying to avoid being analyzed or detected by humans.”
Shylock was discovered in September 2011 and specializes in financial fraud. It harvests credentials and is capable of injecting code into browser processes to remotely control victim computers, either via man-in-the-middle or man-in-the-browser attacks.
What separates Shylock from the pack are its evasion techniques, Klein said. From the start, this has been a hallmark of Shylock. One tactic in particular that has been effective, Klein said, is the malware's ability to delete the files or registry keys it uses for persistence if it senses human interaction, and then to restore them by hooking the Windows shutdown routine, so that the entries are written back while the machine is shutting down.
“It would appear to the researcher that there is no Shylock file or presence, but that presence is restored during shut down and would reappear at the next boot-up,” Klein said. “Shylock has always exhibited more advanced evasion tactics than the average malware. We’re not completely surprised to see this evolvement (toward detecting RDP connections).”
Shylock is able to detect a remote desktop environment by feeding invalid data to a routine that handles some smart card initialization. Klein said that this Windows function, in such a case, will return a different error code if it’s run on RDP rather than a Windows session.
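The two session fingerprints the article attributes to this malware family, an RDP session (above) and a long stretch with no user input (Klein's remarks on idle-time checks earlier on the page), can be reproduced from user mode with documented Windows APIs. The script below is an added example for analysts to run inside a sandbox, not Trusteer's or Shylock's code; it uses GetSystemMetrics(SM_REMOTESESSION), the SESSIONNAME environment variable and GetLastInputInfo rather than the smart-card error-code trick, which the article does not name and which is therefore not reproduced here. The 300-second idle threshold is an assumption chosen for illustration.

```python
"""Analyst-side check for the session indicators described on this page:
is this process inside an RDP session, and how long has the user been idle?
Added example using documented Windows APIs; it is not the malware's own check."""
import ctypes
import os
import sys

SM_REMOTESESSION = 0x1000   # GetSystemMetrics index: nonzero inside a Remote Desktop session
TICK_MASK = 0xFFFFFFFF      # GetTickCount() and LASTINPUTINFO.dwTime are 32-bit millisecond counters


def session_name_is_rdp(session_name):
    """Windows sets SESSIONNAME to 'Console' on the local console and to
    'RDP-Tcp#N' inside Remote Desktop sessions. None means the variable is absent."""
    if session_name is None:
        return None
    return session_name.upper().startswith("RDP-")


def idle_seconds(now_ticks, last_input_ticks):
    """Idle time from two 32-bit tick counters, tolerating the wrap that
    GetTickCount() undergoes every ~49.7 days (a naive subtraction goes negative)."""
    return ((now_ticks - last_input_ticks) & TICK_MASK) / 1000.0


class LASTINPUTINFO(ctypes.Structure):
    _fields_ = [("cbSize", ctypes.c_uint), ("dwTime", ctypes.c_uint)]


def collect_indicators():
    """Gather the raw indicators. On non-Windows hosts the API-backed fields stay
    None so the module still imports and the pure helpers can be exercised."""
    result = {
        "session_name_rdp": session_name_is_rdp(os.environ.get("SESSIONNAME")),
        "remote_session_metric": None,
        "idle_seconds": None,
    }
    if sys.platform != "win32":
        return result
    user32 = ctypes.windll.user32
    kernel32 = ctypes.windll.kernel32
    result["remote_session_metric"] = bool(user32.GetSystemMetrics(SM_REMOTESESSION))
    lii = LASTINPUTINFO()
    lii.cbSize = ctypes.sizeof(LASTINPUTINFO)
    if user32.GetLastInputInfo(ctypes.byref(lii)):
        result["idle_seconds"] = idle_seconds(kernel32.GetTickCount(), lii.dwTime)
    return result


def looks_like_analysis_session(indicators, idle_threshold=300):
    """Mirror the two triggers the article describes: an RDP session, and a long
    idle period that suggests unattended automated processing. Returns the
    reasons that fired (empty list means neither indicator tripped)."""
    reasons = []
    if indicators["session_name_rdp"] or indicators["remote_session_metric"]:
        reasons.append("rdp")
    idle = indicators["idle_seconds"]
    if idle is not None and idle >= idle_threshold:
        reasons.append("idle")
    return reasons


if __name__ == "__main__":
    ind = collect_indicators()
    print(ind)
    print("triggers:", looks_like_analysis_session(ind) or "none")
```

Run it once over an RDP connection to the analysis VM and once from the hypervisor's console (VNC or the VM framebuffer, which is not an RDP session): the first run reports "rdp", the second does not, which is the practical workaround for a sample that behaves as described above. The caveat is that this covers only the documented indicators; a sample using an undocumented error-code difference, as the article says Shylock does, can still tell the sessions apart, so confirming on real hardware at the console remains the reliable control.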
Trusteer said it is possible to use a similar tactic to identify sandbox environments as well.
This move away from detecting virtual environments toward detecting RDP connections is a significant one. Last year, FireEye shared some research on this trend: given how much infrastructure has been virtualized, malware that refuses to install on virtual machines gives up too many real targets to be feasible. FireEye researchers also said that many security companies were turning this functionality against malware writers, since checking for the presence of security software or for a virtual environment is itself suspicious behavior; legitimate software has no reason to do it.