Technology advances have significantly changed our lives during the past decade. We rely on computers of various sorts for even the simplest of daily tasks and become stressed when they are not available or do not perform as we expect. The data that we create, use, and exchange has become the gold of the 21st century. Because our information is so valuable and often very personal, attempts to steal it have proliferated.
Malware was first developed as a challenge, but soon attackers recognized the value of stolen data and the cyber crime industry was born. Security companies, including McAfee, soon formed to defend people and systems using anti-malware technologies. In response, malware developers began experimenting with ways to evade security products.
The first evasion techniques were simple because the anti-malware products were simple. For example, changing a single bit in a malicious file was sometimes good enough to bypass the signature detection of a security product. Eventually, more complex mechanisms such as polymorphism or obfuscation arrived.
Today’s malware is very aggressive and powerful. Malware is no longer developed just by isolated groups or teenagers who want to prove something. It is now developed by governments, criminal groups, and hacktivists, to spy on, steal, or destroy data.
This Key Topic details today’s most powerful and common evasion techniques and explains how malware authors try to use them to accomplish their goals.
Why use evasion techniques?
To perform malicious actions, attackers create malware. However, they cannot achieve their goals unless their attempts remain undetected. There is a cat-and-mouse game between security vendors and attackers, in which attackers monitor how security technologies and practices operate and adapt to them.
The term evasion technique groups all the methods used by malware to avoid detection, analysis, and understanding.
We can classify evasion techniques into three broad categories:
- Anti-security techniques: Used to avoid detection by anti-malware engines, firewalls, application containment, or other tools that protect the environment.
- Anti-sandbox techniques: Used to detect automatic analysis and avoid engines that report on the behavior of malware. Detecting registry keys, files, or processes related to virtual environments lets malware know if it is running in a sandbox.
- Anti-analyst techniques: Used to detect and fool malware analysts, for example, by spotting monitoring tools such as Process Explorer or Wireshark, as well as some process-monitoring tricks, packers, or obfuscation to avoid reverse engineering.
Some advanced malware samples employ two or three of these techniques together. For example, malware can use a technique like RunPE (which runs another process of itself in memory) to evade anti-malware software, a sandbox, or an analyst. Some malware detects a specific registry key related to a virtual environment, allowing the threat to evade an automatic sandbox as well as an analyst attempting to dynamically run the suspected malware binary in a virtual machine.
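The anti-sandbox category above rests on the malware probing the guest for hypervisor artifacts. As an added illustration (not code from the original report), here is a small Python check of the kind a sandbox operator could run over the sandbox's own behaviour trace to spot that probing from the outside. The trace format (`<pid> <operation> <target>`) and the sample lines are constructed for the example; the VMware and VirtualBox artifact names are well-known guest-tools names and serve only as an assumed indicator set.

```python
import re

# Well-known VMware and VirtualBox guest artifacts, used here as an assumed
# indicator set. Extend it for other hypervisors and for artifacts that are
# specific to your own sandbox image.
VM_ARTIFACTS = {
    "registry": [r"VMware, Inc\.", r"Oracle\\VirtualBox"],
    "file": [r"vmmouse\.sys", r"vmhgfs\.sys", r"VBoxMouse\.sys", r"VBoxGuest\.sys"],
    "process": [r"vmtoolsd\.exe", r"VBoxService\.exe", r"VBoxTray\.exe"],
}

# Which trace operation belongs to which artifact category.
OPERATION_CATEGORY = {
    "RegOpenKey": "registry",
    "RegQueryValue": "registry",
    "CreateFile": "file",
    "GetFileAttributes": "file",
    "Process32Next": "process",
}

COMPILED = {
    category: [re.compile(p, re.IGNORECASE) for p in patterns]
    for category, patterns in VM_ARTIFACTS.items()
}

# Trace lines are "<pid> <operation> <target>" (a constructed format).
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<op>\S+)\s+(?P<target>.+)$")

# Constructed sandbox trace: pid 1304 walks through VM artifacts of three
# kinds, pid 2210 only touches ordinary locations.
SAMPLE_TRACE = r"""
1304 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
1304 RegOpenKey HKLM\SOFTWARE\VMware, Inc.\VMware Tools
1304 RegOpenKey HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
1304 CreateFile C:\Windows\System32\drivers\vmmouse.sys
1304 CreateFile C:\Users\victim\Documents\report.docx
1304 Process32Next vmtoolsd.exe
1304 Process32Next explorer.exe
1304 Process32Next VBoxService.exe
2210 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
2210 CreateFile C:\Users\victim\AppData\Local\Temp\update.log
"""


def parse_trace(text):
    """Turn the trace text into (pid, operation, target) tuples, skipping junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["pid"]), m["op"], m["target"]))
    return events


def score_processes(text, min_categories=2):
    """Per pid: every VM-artifact hit, the distinct categories probed, and a flag
    that is raised only when the process probed at least `min_categories` kinds
    of artifact. One isolated hit is weak evidence (installers legitimately look
    for VMware Tools); breadth of probing is the stronger signal."""
    findings = {}
    for pid, op, target in parse_trace(text):
        category = OPERATION_CATEGORY.get(op)
        if category is None:
            continue
        if any(rx.search(target) for rx in COMPILED[category]):
            entry = findings.setdefault(pid, {"hits": [], "categories": set()})
            entry["hits"].append((category, target))
            entry["categories"].add(category)
    report = {}
    for pid, entry in findings.items():
        categories = sorted(entry["categories"])
        report[pid] = {
            "hits": entry["hits"],
            "categories": categories,
            "flag": len(categories) >= min_categories,
        }
    return report


if __name__ == "__main__":
    for pid, result in score_processes(SAMPLE_TRACE).items():
        verdict = "SUSPICIOUS" if result["flag"] else "weak"
        print(f"pid {pid}: {verdict}, probed {result['categories']}")
        for category, target in result["hits"]:
            print(f"    {category}: {target}")
```

The same indicator list is also the checklist for hardening the sandbox image itself: renaming or removing these artifacts denies the malware the answer it is looking for, while the trace-side check above still records that the question was asked.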
It is important for security researchers to understand these evasion techniques to ensure that security technologies remain viable. We see frequent use of several types of evasion techniques:
- Anti-Sandbox – 23.3%
- Anti-Security Tools – 21.2%
- Code Injection – 21.1%
- Anti-Debugging – 16.1%
- Anti-Monitoring – 18.3%
Anti-sandboxing has become more prominent because more businesses are using sandboxes to detect malware.
Some important definitions
In the world of cyber security evasion, certain terms are popular. Here are some of the tools and terms used by attackers.
- Crypter: Encrypts the malware file and decrypts it again during execution. Using this technique, malware is often not detected by anti-malware engines or static analysis. Crypters are often custom made and can be bought in underground markets. Custom crypters make decryption or decompiling even more challenging.
  Examples of advanced crypters: Aegis Crypter, Armadillo, and RDG Tejon.
- Packer: Similar to a crypter. A packer compresses a malware file instead of encrypting it. UPX is a popular packer.
- Binder: Connects one or more malware files into one. A malware executable can be bound with a JPG file, but the extension will remain EXE. Malware authors usually bind a malware file with a legitimate EXE file.
- Pumper: Increases the size of a file, allowing the malware to sometimes bypass anti-malware engines.
- FUD: Fully undetectable by anti-malware. Used by malware sellers to describe and promote their tools. A successful FUD program combines both scan-time and run-time elements to be 100% undetected. There are two types of FUD:
  - FUD scan time: Protects a malware file from detection by anti-malware engines before it runs.
  - FUD run time: Protects a malware file from detection by anti-malware engines while it runs.
- Stub: Usually contains the routine used to load (decryption or decompression) the original malware file into memory.
- Unique stub generator: Creates a unique stub for each running instance, making detection and analysis more difficult.
- Fileless malware: Infects a system by inserting itself into memory and not writing a file to disk.
- Obfuscation: Makes malware code difficult for humans to understand. Plain-text strings are encoded (XOR, Base64, etc.) and inserted into the malware file, or junk functions are added to the file.
- Junk code: Adds useless code or fake instructions to the binary to fool the disassembly view or waste analyst time.
- Anti’s: Sometimes used on underground forums or marketplaces to define all the techniques used to bypass, disable, or kill protection or monitoring tools.
- Virtual machine packer: Some advanced packers employ the concept of a virtual machine. When the malware EXE file is packed, the original code is translated into the byte code of a custom virtual machine, and a bundled interpreter that emulates a processor executes that byte code at run time. VMProtect and Code Virtualizer use this technique.
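The crypter, packer and obfuscation entries above describe what an analyst is up against. Here is an added Python triage script (not from the original text or from any McAfee tool) that applies two of the standard counter-measures: a per-window Shannon entropy map, which flags the encrypted or compressed regions a crypter or packer leaves behind, and a search for strings hidden behind single-byte XOR or Base64 encoding. The sample blob, its XOR key 0xAB and the embedded strings are all constructed for the example; on a real file you would feed it the PE sections instead of fixed-size windows.

```python
import base64
import math
import random
import re

XOR_KEY = 0xAB  # constructed key; high bit set, so encoded text bytes are not printable
SECRET = b"this configuration string was xor-encoded by the sample"
B64_SECRET = base64.b64encode(b"decoded configuration block for the analyst")


def build_sample_blob():
    """Constructed stand-in for a packed binary: readable text, a XOR-hidden
    string, a Base64 blob and a high-entropy region imitating packed code."""
    rng = random.Random(1234)  # seeded so the result is reproducible
    text_region = b"This program cannot be run in DOS mode.\r\n" * 50
    xor_region = bytes(b ^ XOR_KEY for b in SECRET)
    packed_region = bytes(rng.getrandbits(8) for _ in range(4096))
    gap = b"\x00" * 64
    return text_region + gap + xor_region + gap + B64_SECRET + gap + packed_region


def shannon_entropy(data):
    """Bits of entropy per byte: roughly 4-5 for text, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_map(blob, window=1024):
    """(offset, entropy) for each fixed-size window; a crude stand-in for per-section entropy."""
    return [(off, shannon_entropy(blob[off:off + window])) for off in range(0, len(blob), window)]


def high_entropy_windows(blob, window=1024, threshold=7.0):
    """Offsets of windows that look encrypted or compressed."""
    return [off for off, h in entropy_map(blob, window) if h >= threshold]


def find_xor_strings(blob, min_len=20):
    """Try every single-byte key and report printable runs that were NOT already
    readable in the raw bytes (those are plain strings, not hidden ones) and that
    have some variety (a run of one repeated character is decoded padding)."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found = {}
    for key in range(1, 256):
        decoded = blob.translate(bytes(i ^ key for i in range(256)))
        for m in run.finditer(decoded):
            if all(0x20 <= b < 0x7f for b in blob[m.start():m.end()]):
                continue
            if len(set(m.group())) < 6:
                continue
            found.setdefault(key, []).append(m.group().decode("ascii"))
    return found


def find_base64_strings(blob, min_len=24):
    """Decode Base64-looking runs and keep those that decode to mostly printable text."""
    results = []
    for m in re.finditer(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, blob):
        try:
            decoded = base64.b64decode(m.group(), validate=True)
        except ValueError:
            continue
        if decoded and sum(0x20 <= b < 0x7f for b in decoded) / len(decoded) > 0.9:
            results.append(decoded.decode("ascii", errors="replace"))
    return results


def triage(blob):
    return {
        "high_entropy_windows": high_entropy_windows(blob),
        "xor_strings": find_xor_strings(blob),
        "base64_strings": find_base64_strings(blob),
    }


if __name__ == "__main__":
    report = triage(build_sample_blob())
    print("high-entropy windows at offsets:", report["high_entropy_windows"])
    for key, strings in sorted(report["xor_strings"].items()):
        print(f"XOR key 0x{key:02x}:", strings)
    print("Base64 strings:", report["base64_strings"])
```

The entropy threshold is deliberately loose: legitimate resources such as embedded images or certificates are also high-entropy, so the map is a prompt for a closer look, not a verdict. The XOR and Base64 recovery only covers the two encodings the obfuscation entry names; a custom crypter or a virtual-machine packer defeats this kind of static pass and pushes the analyst toward dynamic analysis, which is exactly why those tools are sold.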
A brief history
Malware evasion techniques have become far more numerous and sophisticated since they first appeared in 1980. Here are the major milestones in the evolution of evasion techniques:
Major milestones in the evolution of evasion techniques
- 1980 – Cascade virus: First virus using encryption to scramble its content.
- 1990 – Chameleon family virus: First polymorphic viruses.
- 1990s – Packers: Packers that encrypt or compress become popular because RAM and disks are small.
- 1998 – Metamorphism: The Regswap malware uses metamorphism, choosing different registers for the same functions.
- 1999–2003 – Rootkits: In 1999 the first Windows rootkit, NTRootkit, appears, followed by HackerDefender in 2003.
- 2008 – Domain generation algorithms: The Conficker worm uses a DGA to evade network detection.
- 2011 – Off-the-shelf marketplace: Silk Road is the first dark net market selling products and services for malware evasion.
- 2015–2017 – Dridex, Locky: First large-scale obfuscation, use of PowerShell, and sandbox evasion.
- 2015–2017 – Firmware malware: Equation Group and Hacking Team leaks reveal the use of firmware malware to remain undetected.
The first known virus that attempted to defend itself from anti-malware products was the MS-DOS virus Cascade. It defended itself by partially encrypting its own code, making the content unreadable by security analysts.