malware code

One of the key characteristics of advanced malware is the use of many tactics to evade detection. In addition to defeating signature-based detection products and behavior-based detection tools, there are hundreds of evasion techniques advanced malware uses to avoid detection. Moreover, a malware object will typically deploy multiple tactics.

While there are hundreds of specific tactics to evade detection, they fall into six key categories.

  1. Stalling delays
    With this tactic, the malware remains idle to defeat timer-based recognition. Most virtualized sandboxes can detect if malware calls the OS sleep function, but they can’t spot evasion if the malware performs the delay internally without calling the OS. Full CPU emulations, “bare-metal” detect these behaviors with unrivaled accuracy. This is very effective against a well-known competitor.
  2. Action-required delays
    This tactic delays malicious activity pending a specific user action (e.g., mouse click, open or close a file or app). Most virtualized sandboxes will not detect malware waiting on user action.
  3. Intelligent suspension of malware
    Unlike simple stalling techniques, this category includes sophisticated evasion techniques that discover the presence of a sandbox and suspend malicious actions to avoid detection. Malware waits until it has completed penetration of the host or machine before injecting, modifying or downloading code; decrypting files; moving laterally across network; or connecting to C2 servers.
  4. Fragmentation
    This tactic splits malware into fragments, which only execute when reassembled by the targeted system. As virtualized sandboxes typically evaluate fragments separately, each fragment appears harmless, thus evading detection.
  5. Return-oriented programming (ROP)
    An ROP evasion tactic modifies the stack (memory addresses of code to be executed next), thus injecting functionality without altering the actual code. ROP evasions delegate the execution of its malicious code to other programs, instead of the malware program, thereby hiding it from conventional detection.
  6. Rootkits
    A rootkit is an application (or set of applications) that hides malicious code in the lower OS layers. Most virtualized sandboxes do not monitor what an OS does with calls from applications, so the malicious actions performed by a rootkit will generally go undetected.

Because of the increased focus on developing evasion tactics for malware, organizations should apply a multi-engine approach to analyzing suspicious code, especially to find and stop ransomware and credential theft.

The award-winning SonicWall Capture Advanced Threat Protection (ATP) multi-engine sandbox efficiently discovers what code wants to do from the application, to the OS, to the software that resides on the hardware. This approach includes Lastline® Deep Content Inspection™ technology, along with two other complementary engines.


On-Demand Webinar: Are Hackers Sneaking Past Your Defenses?

Watch SonicWall’s latest on-demand webinar, “How Hackers Sneak Past Defenses & Ways to Evade Them,” which analyses the top six evasion techniques above and provides best practices for stopping attacks.


Learn more about how Lastline technology — which earned the highest achievable score in NSS Labs’ 2017 Breach Detection Systems group test —  adds a key layer to Capture’s unique capabilities. Read our Solution Brief: Overcoming Advanced Evasion of Malware Detection.

FacebookTwitterGoogle+LinkedIn
Brook Chelmo
Sr Product Marketing Manager | SonicWall
Brook handles all product marketing responsibilities for SonicWall security services and serves as SonicWall’s ransomware tsar. Fascinated in the growth of consumer internet, Brook dabbled in grey-hat hacking in the mid to late 90’s while also working and volunteering in many non-profit organizations.  After spending the better part of a decade adventuring and supporting organizations around the globe, he ventured into the evolving world of storage and security. He serves humanity by teaching security best practices, promoting and developing technology.

You might also like

Connecting and Protecting the Remote Islands of Corporate IT – BYOD and Mobility
Read more
RSA Conference 2018: Endpoint Protection Top of Mind
Read more
RSA Conference 2018: SonicWall is Hot
Read more
RSA Conference 2018: Live on Facebook
Read more
A New Cyber Security Certification: SonicWall Network Security Administrator Course
Read more

0 comments

Leave a reply