6 Ways Malware Evades Detection – And How to Stop Them

One of the defining characteristics of advanced malware is its use of many tactics to evade detection. Beyond defeating signature-based detection products and behavior-based detection tools, advanced malware draws on hundreds of specific evasion techniques, and a single malware object will typically deploy several of them at once.

While there are hundreds of specific tactics to evade detection, they fall into six key categories.

  1. Stalling delays
    With this tactic, the malware remains idle to defeat timer-based recognition. Most virtualized sandboxes can detect when malware calls the OS sleep function, but they cannot spot the evasion if the malware performs the delay internally without calling the OS. Full CPU emulation (“bare-metal” analysis) detects these behaviors with unrivaled accuracy. This tactic is very effective against a well-known competing sandbox.
  2. Action-required delays
    This tactic delays malicious activity until a specific user action occurs (e.g., a mouse click, or opening or closing a file or application). Most virtualized sandboxes will not detect malware that is waiting on user action.
  3. Intelligent suspension of malware
    Unlike simple stalling techniques, this category covers sophisticated techniques that detect the presence of a sandbox and suspend malicious actions to avoid detection. The malware waits until it has fully compromised the host before injecting, modifying or downloading code; decrypting files; moving laterally across the network; or connecting to C2 servers.
  4. Fragmentation
    This tactic splits the malware into fragments that only execute once reassembled on the targeted system. Because virtualized sandboxes typically evaluate each fragment separately, every fragment appears harmless on its own, and detection is evaded.
  5. Return-oriented programming (ROP)
    A ROP evasion tactic modifies the stack (the return addresses that determine which code executes next), injecting functionality without altering the program's actual code. ROP evasions delegate execution of the malicious logic to code already present in other programs rather than to the malware binary itself, hiding it from conventional detection.
  6. Rootkits
    A rootkit is an application (or set of applications) that hides malicious code in the lower layers of the OS. Most virtualized sandboxes do not monitor what the OS does with the calls it receives from applications, so the malicious actions performed by a rootkit generally go undetected.
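As an added illustration of the first two categories (example code, not part of the original post or of the products it describes): a heuristic that a sandbox's behaviour monitor could apply to its own API-call trace to tell an OS-level sleep from an internal busy-wait or a wait on user input. The `Event` record, the trace format, the API names in `SLEEP_APIS` and the thresholds are assumptions, and the sample trace is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Event:
    wall: float  # wall-clock seconds since the sample started
    cpu: float   # cumulative CPU seconds the process has consumed so far
    api: str     # monitored API call that produced this record (constructed format)

# Calls through which a sample asks the OS to pause it: the case any API hook sees.
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution", "WaitForSingleObjectEx"}

def classify_gaps(trace: List[Event], min_gap: float = 5.0, idle_ratio: float = 0.1,
                  busy_ratio: float = 0.8) -> List[Tuple[str, float, float]]:
    """Label each quiet stretch of >= min_gap seconds between consecutive API calls.
    os_sleep       - follows a sleep call, almost no CPU used: an OS-performed delay.
    internal_stall - no OS call, yet CPU burned for nearly the whole gap: a busy-wait
                     that a sandbox hooking only API calls never sees.
    blocked_wait   - no sleep call and no CPU: blocked on something external such as
                     user input, the "action-required" pattern.
    """
    findings = []
    for prev, cur in zip(trace, trace[1:]):
        gap = cur.wall - prev.wall
        if gap < min_gap:
            continue
        ratio = (cur.cpu - prev.cpu) / gap  # share of the gap spent on-CPU
        if prev.api in SLEEP_APIS and ratio < idle_ratio:
            kind = "os_sleep"
        elif ratio >= busy_ratio:
            kind = "internal_stall"
        elif ratio < idle_ratio:
            kind = "blocked_wait"
        else:
            continue  # genuine intermittent activity, not a stall
        findings.append((kind, prev.wall, cur.wall))
    return findings

def stalled_seconds(trace: List[Event]) -> Dict[str, float]:
    totals: Dict[str, float] = {}  # stalled time per kind, e.g. to extend the run
    for kind, start, end in classify_gaps(trace):
        totals[kind] = totals.get(kind, 0.0) + (end - start)
    return totals

# Constructed trace, not real telemetry: the sample sleeps through the OS, polls the
# cursor once, then spins for 60 s with no OS calls before launching a process.
SAMPLE_TRACE = [
    Event(0.0, 0.00, "CreateFileW"), Event(0.2, 0.10, "ReadFile"),
    Event(0.3, 0.15, "Sleep"), Event(30.5, 0.20, "GetCursorPos"),
    Event(30.6, 0.25, "VirtualAlloc"), Event(90.6, 59.90, "CreateProcessW"),
]
```

On the sample trace, a monitor that only hooks `Sleep` reports the first 30 seconds of idling but nothing about the 60-second busy loop; the CPU-time ratio is what exposes the second stall.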

Because of the increased focus on developing evasion tactics for malware, organizations should apply a multi-engine approach to analyzing suspicious code, especially to find and stop ransomware and credential theft.

The award-winning SonicWall Capture Advanced Threat Protection (ATP) multi-engine sandbox efficiently discovers what code wants to do from the application, to the OS, to the software that resides on the hardware. This approach includes Lastline® Deep Content Inspection™ technology, along with two other complementary engines.

Learn more about how Lastline technology — which earned the highest achievable score in NSS Labs’ 2017 Breach Detection Systems group test — adds a key layer to Capture’s unique capabilities. Read our Solution Brief: Overcoming Advanced Evasion of Malware Detection.

Catching Cerber Ransomware

Since the release of SonicWall Capture Advanced Threat Protection (Capture ATP) in August 2016 on SonicWall firewalls, we have seen a lot of unique behavior from authors of malicious code, namely ransomware.

Up until Christmas 2016, Locky received a lot of attention from security firms but then took a backseat during the holiday season. One thing I noticed around that time was that a ransomware variant called Cerber would actually be one of the more persistent pups in the litter. I started seeing Cerber show up on Capture ATP’s daily reports and wanted to understand why we were still catching this on the sandbox instead of the firewall.

In short, we were catching this on the firewall because SonicWall’s Capture Labs research team was creating a large number of signatures for Cerber, but what I was seeing were “updated” versions of Cerber being caught in the wild, as many as two versions a day. The updates were made to get around the Cerber signatures created to stop older versions. To make things more interesting, these Cerber variants were utilizing seven different tactics to evade detection.

The image above is a snippet of a very long report that partly shows what Cerber wants to do. Did you notice the seven different evasion tactics? Malware did not do this in the past, at least none that I remember fondly. In the past, the security industry was really trying to get the upper hand on the “explosive growth” of malicious code being authored and wanted to use virtual environments to run and test code. About five years ago, the industry introduced the network sandbox to the market and it was a hit, because we now had a tool where we could run potentially malicious code in an isolated environment to see if we could whitelist or blacklist it.

So, do you think that attackers folded up their laptops and found real jobs? Nope, they learned how to evade them, the real essence of what a hacker truly is. If you read third-party reports on network sandboxing, you will find skeptical and bearish assessments of its effectiveness, and of how a sandbox can be evaded with only medium difficulty. When you see the image above, you have to believe that the reports are real, and Cerber’s evasion tactics rank up there with some of the best I have seen recently; truly an advanced persistent threat. So why am I able to show this to you? Although it is evading other sandboxes, it is not able to get past ours. But how?

In short, we leverage Capture ATP, a multi-engine sandbox that first runs suspicious code through a set of pre-filters that analyze the code and compare it against a real-time list to see if anyone we collaborate with already knows about it. This step eliminates a lot of newly minted malware within milliseconds; almost at the same speed as lightning strikes the Earth.

After that, the code goes through a parallel set of engines that help us determine what a new batch of code wants to do from the application, to the OS, to the software that resides on the hardware. We run it through real-time deep memory inspection, virtualized sandboxing, hypervisor-level analysis and full-system emulation. Naturally, when we get to this point it does take a little time, but it’s worth it.

Sandbox Security: Nothing to Play With

Ransomware has forced organizations to rethink their security architecture. Organizations are increasingly investing in security solutions that provide additional protection of sensitive data, as well as better visibility into network traffic and endpoint activity. According to IDC research, 60% of organizations surveyed indicated that modern endpoint and network security products such as network sandboxes were either a high priority or an extremely high priority over the next 12 months.

Network sandboxes are isolated environments where suspicious code can be examined and detonated to see what unidentified code wants to do on a potential target system. Over the past few years, sandboxing has become an integral part of the network security game plan, but hackers have identified ways of evading detection, which is something to consider in the evaluation process. In the video below, IDC’s Sean Pike, program vice president of IDC Security Products, discusses network sandboxing and gives you key questions to ask when looking at this part of the network security equation.