Simple Works for Malware Writers

Thursday, November 1, 2012 @ 04:11 PM gHale


It is a continuous cat and mouse game, with high stakes. Antivirus vendors count on automated threat analysis systems to aid in analysis.

These automated systems consist of a sandbox — a virtual testing ground for untrusted and potentially malicious code — that lets the programs do their thing and logs their behavior.

RELATED STORIES
LinkedIn Emails lead to BlackHole
XSS Top Web Attack
Spam Leads to Blackhole Attack
Java SE Zero Day Fix can Wait

On the other side, malware developers are aware of this and are always finding new ways to ease their product line into systems. The goal is to make them appear harmless and unassuming.

Among the techniques used in the past are making the malware able to check for registry entries, drivers, communication ports and processes whose presence indicates the virtual nature of the environment in which they are run, and well as executing special assembler code or enumerating the system service list with the same goal in mind.

If these tests prove that is indeed the case, the malware stops itself from running.

But all of these techniques require specific skills and knowledge from the malware makers, and not all of them possess them, so they have turned toward less technical approaches.

One of those approaches is making the malware run only if it detects mouse movement or clicking, and the other of inserting delays between the execution of the various malware subroutines, said researchers at Symantec.

The rationale behind the first test is automated threat analysis systems don’t use the mouse, while regular computer users do, and so the lack of this movement signals to the malware that it is probably being run in a sandbox.

The reason for the subroutine execution delays — often spanning over 20 minutes for each — is given the number of files the system must test, it usually spends only a small amount of time on each file, and chances are the file will end up categorized as harmless and discarded before the first subroutine is even run.



Leave a Reply

You must be logged in to post a comment.